[Samba] LDAP Supplementary Groups not recognised

Malcolm Gibbs malcolm.gibbs at sun.com
Sat Apr 5 08:21:18 GMT 2003

Thanks for the response,

Bas Goes wrote:
> Hi,
> What does id <username> tell you and what does the ldapsearch on a group
> say?
> it works just like the groups file only now usernames are stored as
> attributes to a group ldap entry

I can access the group protected directory fine when logged in as the 
same user in a Solaris shell.

'id -a' shows the supplementary group correctly, as does ldaplist and 

> 2 things you need to check are:
> 1 is the group in ldap and is the user a part in this ldapgroup ldif?
> ldapsearch -x -D <adminldapacc> -W -b <ldap groupsbase>
> "uid=<groupname>"
> i myself use ldapexplorer to browse the ldapdatabase

Unfortunately I do not have access to the LDAP directory at the moment. 
However ldapsearches do show the group in question and the user being a 
memberUid attribute. I also have confirmed this with a GUI browser.

> 2 check if nss looks in the (right) ldapbase
> if 1 isn't the case and id doesn't work this is probably the problem
> in debian it is in nsswitch.conf in /etc/ if it uses ldap
> /etc/libnss-ldap.conf if ldap is configured correctly
> /etc/ldap/slapd.conf if nss has rights to browse these ldap directories

Yes, what is frustrating is that supplementary LDAP groups are working 
fine from the Solaris shell, it is only SAMBA that appears to be 
ignoring them.

Do posixGroup entries have to have any additional attributes or be in a 
particular base to be recognised by SAMBA? Solaris 9 by default puts 
them in ou=group,dc=xx,dc=com.

> Good luck
> regards
> Bas

Malcolm Gibbs
