[Samba] LDAP Supplementary Groups not recognised
Malcolm Gibbs
malcolm.gibbs at sun.com
Sat Apr 5 08:21:18 GMT 2003
Thanks for the response,
Bas Goes wrote:
> Hi,
>
> What does id <username> tell you and what does the ldapsearch on a group
> say?
> it works just like the groups file only now usernames are stored as
> attributes to a group ldap entry
I can access the group protected directory fine when logged in as the
same user in a Solaris shell.
'id -a' shows the supplementary group correctly, as does ldaplist and
ldapsearch.
>
> 2 things you need to check are:
>
> 1 is the group in ldap and is the user a part in this ldapgroup ldif?
> ldapsearch -x -D <adminldapacc> -W -b <ldap groupsbase>
> "uid=<groupname>"
> I myself use ldapexplorer to browse the ldapdatabase
Unfortunately I do not have access to the LDAP directory at the moment.
However, ldapsearches do show the group in question and the user being a
memberUid attribute. I also have confirmed this with a GUI browser.
>
> 2 check if nss looks in the (right) ldapbase
> if 1 isn't the case and id doesn't work this is probably the problem
>
> in debian it is in nsswitch.conf in /etc/ if it uses ldap
> /etc/libnss-ldap.conf if ldap is configured correctly
> /etc/ldap/slapd.conf if nss has rights to browse these ldap directories
Yes, what is frustrating is that supplementary LDAP groups are working
fine from the Solaris shell; it is only SAMBA that appears to be
ignoring them.
Do posixGroup entries have to have any additional attributes or be in a
particular base to be recognised by SAMBA? Solaris 9 by default puts
them in ou=group,dc=xx,dc=com.
>
> Good luck
>
> regards
> Bas
>
Thanks
Malcolm Gibbs
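
Added example, not part of the original message or of Samba: a small check that derives a user's supplementary groups from the memberUid attributes of posixGroup entries in ldapsearch LDIF output and reports any that a service did not resolve. The sample LDIF, the user names and the function names are constructed for illustration; `resolved` is assumed to be the group list taken from `id -a` or from the service's own log.

```python
import base64

# Constructed sample: ldapsearch-style LDIF for two posixGroup entries.
SAMPLE_LDIF = """\
dn: cn=staff,ou=group,dc=xx,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 10
memberUid: alice

dn: cn=projects,ou=group,dc=xx,dc=com
objectClass: posixGroup
cn: projects
gidNumber: 2001
memberUid: alice
memberUid:: Ym9i
"""

def parse_ldif(text):
    """Return a list of entries, each a dict of attribute -> list of values."""
    lines = []
    for raw in text.splitlines():
        # A line starting with one space continues the previous line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):       # LDIF comment
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):       # "attr:: value" is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        cur.setdefault(attr.lower(), []).append(value)
    return entries

def ldap_groups_for(text, uid):
    """Names of posixGroup entries that list uid as a memberUid."""
    return {e["cn"][0] for e in parse_ldif(text)
            if "posixgroup" in [v.lower() for v in e.get("objectclass", [])]
            and uid in e.get("memberuid", [])}

def missing_groups(text, uid, resolved):
    """Groups LDAP grants to uid that are absent from the resolved list."""
    return sorted(ldap_groups_for(text, uid) - set(resolved))
```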