[Samba] How does group mapping function ?

Ganael LAPLANCHE ganael.laplanche at edfgdf.fr
Tue Aug 5 08:40:45 GMT 2003


Hi all, this is a re-post, maybe the Samba Team can help ?

I'm testing group mapping, wondering how it works exactly...
I thought Samba was storing a mapping table allowing to retrieve info on
Unix/Windows groups in a DYNAMIC way. Unfortunately, group mapping seems to
be static, here is what I did :

[I'm using Samba b3v3 + LDAP, WITHOUT nss-ldap/pam-ldap/winbind ->
everything is stored in my /etc/passwd and /etc/group + in LDAP for Samba
accounts]
1) Created Unix group (let's say domusers) : groupadd domusers
2) Created LDAP group, with ldapadd, and a file containing :

    dn: cn=domusers,ou=Users,dc=domain,dc=org
    objectClass: posixGroup
    gidNumber: 1001
    cn: domusers
    memberUid: foo

3) Created Unix user (foo, primary group domusers) : useradd -g domusers foo
4) Created Group mapping : net groupmap add sid=<mySID>-513 unixgroup=domusers ntgroup="Domain Users" type=domain (then "net groupmap list", OK)
5) Finally, created LDAP (samba) user : smbpasswd -a foo

Ok, no problem, foo gets the domain local sid + the domain users rid as
SambaPrimaryGroupSid, he IS a Win Domain User.

Here is what I don't understand : If I delete the groupmapping or modify
it, the SambaPrimaryGroupSid of foo isn't modified ! Foo remains a Domain
User...
Another example : if I create first the user, then the mapping : the user
doesn't get the new SambaPrimaryGroupSid and doesn't become a Domain
User...

Am I missing something ? Is the mapping only used while creating users ? I
thought the table was used in a more dynamic way... Is there a technical
limit in implementing this function this way ? Please help me...

Regards,
Ganaël.
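
The mismatch described in this message (a user's stored SambaPrimaryGroupSid no longer agreeing with the group mapping table) can be audited by comparing the two. The following is an added example, not part of the original post and not Samba code; it assumes "net groupmap list" prints lines of the form "NT name (SID) -> unixgroup", and every SID, user and group in it is constructed sample data.

```python
import re

# All data below is constructed for illustration; the domain SID is a placeholder.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
GROUPMAP_LIST = (f"Domain Users ({DOMAIN_SID}-513) -> domusers\n"
                 f"Domain Admins ({DOMAIN_SID}-512) -> domadmins\n")
ETC_GROUP = "domusers:x:1001:foo\ndomadmins:x:1002:\nstaff:x:1003:\n"
ETC_PASSWD = ("foo:x:2001:1001::/home/foo:/bin/sh\n"
              "bar:x:2002:1003::/home/bar:/bin/sh\n"
              "baz:x:2003:1002::/home/baz:/bin/sh\n")
# uid -> sambaPrimaryGroupSID as read from each user's LDAP entry
LDAP_PRIMARY_SID = {
    "foo": f"{DOMAIN_SID}-513",  # agrees with the current domusers mapping
    "bar": f"{DOMAIN_SID}-513",  # primary group 'staff' has no mapping
    "baz": f"{DOMAIN_SID}-513",  # primary group domadmins maps to -512
}

def parse_groupmap(text):
    """Return {unix_group: sid} from 'NT name (SID) -> unixgroup' lines."""
    mapping = {}
    for line in text.splitlines():
        m = re.match(r"^(.*) \((S-[\d-]+)\) -> (\S+)$", line.strip())
        if m:
            mapping[m.group(3)] = m.group(2)
    return mapping

def primary_groups(passwd, group):
    """Return {user: primary Unix group name} from passwd/group file text."""
    gid_to_name = {f[2]: f[0] for f in
                   (l.split(":") for l in group.splitlines() if l)}
    return {f[0]: gid_to_name.get(f[3]) for f in
            (l.split(":") for l in passwd.splitlines() if l)}

def find_drift(groupmap_text, passwd, group, ldap_sids):
    """Return (user, stored_sid, mapped_sid) for each user whose stored SID
    differs from the SID the mapping table gives for their primary group."""
    mapping = parse_groupmap(groupmap_text)
    drift = []
    for user, unix_group in sorted(primary_groups(passwd, group).items()):
        stored = ldap_sids.get(user)
        mapped = mapping.get(unix_group)  # None when the group is unmapped
        if stored is not None and stored != mapped:
            drift.append((user, stored, mapped))
    return drift

if __name__ == "__main__":
    for row in find_drift(GROUPMAP_LIST, ETC_PASSWD, ETC_GROUP, LDAP_PRIMARY_SID):
        print("%s: stored %s, mapping table gives %s" % row)
```

On a real system the three text inputs would come from "net groupmap list", /etc/passwd and /etc/group, and the stored SIDs from an LDAP search on the Samba account entries.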




