ldap woes

Manuel Bessler manuel at varxec.de
Fri Nov 24 01:48:22 GMT 2000

On Thu, Nov 23, 2000 at 05:13:06PM +0100, robert.gehr at web2cad.de wrote:
> Hello
> I just set up a LDAP server for user and group management. From the OS
> level this works fine and all group permissions etc. are working just the
> way they ought to.
> The idea was (and still is) to use the LDAP server as a repository for each
> Samba server. I set up the /etc/nsswitch.conf file on each Samba server
> accordingly and when I connect from a Win$ box I can log into a samba share
> and the existence of the Unix account is checked against LDAP.

I have a very similar setup (testing phase right now, hopefully going 
live next week :)

> I tried the following.
> User:               Member of Group:
> john           sales, marketing, all
> jack           sales, all
> fred           all
> the default (primary) group for all users is group "all"
> I defined a share "testing" on Samba saying "valid users = +sales" and
> behold only john and jack are able to connect.
> I redefined the share to "valid users = +all" and john, jack, and fred can
> connect.
> I created a directory under testing named "budget" and did a "chown
> fred:sales and a chmod 770 for that thing"
> As root I do a "su john" changed into budget and created a file without a
> hitch.

What were the user/group and access rights of this file when you created it
on Unix?

Correct me if I am wrong, but if a user creates a file, the group is always
the user's primary group.

> From Windows I tried to create a directory as user john under budget and
> get "no permission"
> I define a "force group = sales" for that share and it works.

I use force group on most of my shares (that's the reason why the
"force group" parameter exists)

> Now this isn't of much use, of no use at all to be true so I put all the

What's the problem with "force group"?

> information from the Ldap server into /etc/passwd /etc/group
> adjusted /etc/nsswitch turned the Ldap server off and everything worked as
> expected.
> Why is the LDAP server in conjunction with samba always coming along with
> the default group ID not checking whether the user belongs to any other
> groups that would permit the requested action as it is on the OS level or
> when using the /etc files ???
> Strangely enough it must be checking for additional groups in the first
> place for when I connect to the share being defined as "valid users =
> +sales" the connect succeeds and I can mount the thing.
> If I could get this solved that would make it ready to go.


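Added example (not from this thread): a POSIX sh model of the checks the two posters are arguing about, run against a constructed group database standing in for what nss_ldap would return. It shows how "valid users = +sales" resolves through group membership, why writing into the fred:sales mode-770 directory depends on whether smbd sees john's supplementary groups, and which group a new file gets with and without "force group".

```shell
#!/bin/sh
# Constructed group database in getent(1) format (name:x:gid:members),
# i.e. what nss_ldap would hand back for the users in the thread.
GROUP_DB='all:x:1000:
sales:x:1001:john,jack
marketing:x:1002:john'
# Constructed primary-group table (user:primary_group); all use "all".
PRIMARY_DB='john:all
jack:all
fred:all'

primary_group() {        # usage: primary_group USER
    printf '%s\n' "$PRIMARY_DB" | awk -F: -v u="$1" '$1 == u { print $2 }'
}
supplementary_groups() { # usage: supplementary_groups USER
    printf '%s\n' "$GROUP_DB" | awk -F: -v u="$1" \
        '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}
# Groups smbd acts with on a share: "force group" replaces the primary
# group; supplementary groups count only if the name service returns
# them to smbd (SUPP=1), which is what the poster saw working at OS level.
effective_groups() {     # usage: effective_groups USER SUPP(0|1) [FORCE_GROUP]
    if [ -n "${3:-}" ]; then printf '%s\n' "$3"; else primary_group "$1"; fi
    [ "$2" = 1 ] && supplementary_groups "$1"
    return 0
}
# "valid users = +GROUP" is resolved through the Unix group database.
valid_users_ok() {       # usage: valid_users_ok USER +GROUP
    { primary_group "$1"; supplementary_groups "$1"; } | grep -qx "${2#+}"
}
# Can USER create an entry in a mode-770 directory owned by OWNER:GROUP?
can_write_dir() {        # usage: can_write_dir USER OWNER GROUP SUPP [FORCE_GROUP]
    [ "$1" = "$2" ] && return 0
    effective_groups "$1" "$4" "${5:-}" | grep -qx "$3"
}
# Group a new file gets: the forced group, else the user's primary group
# (a setgid directory would override both; not modelled here).
new_file_group() {       # usage: new_file_group USER [FORCE_GROUP]
    if [ -n "${2:-}" ]; then printf '%s\n' "$2"; else primary_group "$1"; fi
}

# Demo: budget is fred:sales mode 770; "force group = sales" on the share.
for u in john jack fred; do
    for supp in 1 0; do
        can_write_dir "$u" fred sales "$supp" && w=yes || w=no
        can_write_dir "$u" fred sales "$supp" sales && f=yes || f=no
        echo "$u supp=$supp: write=$w with-force-group=$f newfile-group=$(new_file_group "$u")"
    done
done
```

On the real hosts, compare `id john` and `getent group sales` on the Samba server with what smbd logs for the connection; a setgid bit on the directory would also change the new file's group.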