[Samba] HowTo Chapter12 Group Mapping and LDAP

John H Terpstra jht at samba.org
Mon Nov 3 22:43:42 GMT 2003


Matt,

You must map NT Groups to UNIX groups. In particular, only Domain groups
(not local groups in the Domain) that have been mapped to a UNIX group (no
matter where it is stored - LDAPsam or tdbsam) will be available for
domain client use.

If you want to map the NT Domain Group called "Domain Users" to the UNIX
"users" group, you will need to run:

	net groupmap modify ntgroup="Domain Users" unixgroup=users

If the NT Group does not exist in your LDAPsam, you will need to run:

	net groupmap add ntgroup="Domain Users" unixgroup=users rid=51x

Where 51x is the well known RID for the Domain Users group. You can obtain
this from the latest Samba-HOWTO-Collection.pdf available from:

http://samba.org/~jht/HOWTO

I hope this helps to clarify the issue for you.

- John T.


On Mon, 3 Nov 2003, Matt Pusateri wrote:

> Hello,
>
> I have a question about the documentation of the Samba Howto's.
> Specifically, I am not able to understand how group mapping ties into
> LDAP.  I believe I understand the concept of unix to windows group
> mapping as laid out in chapter 12 as it relates a tdbsam, but get
> confused when dealing with a ldapsam back-end.  There is a note listed "
> When the passdb back-end uses LDAP (ldapsam) it is the administrators'
> responsibility to create the essential Domain Groups, and assign each
> its default RID."  I am not sure what this note is to infer? Does "net
> groupmap" handle things or do I manually have to configure via LDIF
> entries?
>
> I have read chapters 1-12, 21, 25 of the howtos as well as Samba PDC
> LDAP howto by Ignacio Coupeau.  Is there another document I am missing
> or am I just not getting it?  I have not posted config files or system
> specifics because I feel this is more a problem understanding the
> concepts not configuring the system. If someone could either point me in
> the right direction or explain what I am missing I would very much
> appreciate it (yes I realize that was an extremely open-ended plea for
> help).  It seems to me that the documentation regarding Samba & LDAP was
> very verbose up to this point, but then trails off a little bit in
> chapter 12 regarding configuring LDAP (maybe it's just me?).  Anyhow
> thanks go out to all those on the documentation project.
>
>
>
> Matt Pusateri
> Systems Administrator
> Interactive Medical Systems, Inc.
>

-- 
John H Terpstra
Email: jht at samba.org
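
The choice between `net groupmap modify` and `net groupmap add` described in the reply above, written as a check over `net groupmap list` output. This is an added example, not part of the original thread or of Samba. It assumes the list prints one mapping per line as `NT Group (SID) -> unixgroup`; the function names and the sample lines are constructed, and the RID has to come from the HOWTO.

```shell
#!/bin/sh
# Decide which `net groupmap` command a Domain group needs.
# Assumption: `net groupmap list` prints "NT Group Name (SID) -> unixgroup".

# Constructed sample output; the SIDs are placeholders, not real values.
SAMPLE_LIST='Domain Admins (S-1-5-21-PLACEHOLDER-aaa) -> root
Domain Users (S-1-5-21-PLACEHOLDER-bbb) -> nobody'

# current_mapping LIST NTGROUP
# Prints the UNIX group NTGROUP is mapped to; returns 1 if there is no entry.
current_mapping() {
    printf '%s\n' "$1" | awk -v g="$2" '
        {
            # Locate the " (SID) -> " separator; the name may contain spaces.
            p = match($0, / \(S-[^)]*\) -> /)
            if (p == 0) next
            name = substr($0, 1, p - 1)
            ug = substr($0, p + RLENGTH)
            if (name == g) { print ug; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# plan_groupmap LIST NTGROUP UNIXGROUP RID
# Prints the command to run, or nothing when the mapping is already correct.
# Returns 2 when the group has no entry and no RID was supplied.
plan_groupmap() {
    list=$1 ntgroup=$2 unixgroup=$3 rid=$4
    if mapped=$(current_mapping "$list" "$ntgroup"); then
        # Entry exists: only its UNIX group may need changing.
        [ "$mapped" = "$unixgroup" ] && return 0
        printf 'net groupmap modify ntgroup="%s" unixgroup=%s\n' \
            "$ntgroup" "$unixgroup"
    else
        # No entry: the administrator must create it with its default RID.
        if [ -z "$rid" ]; then
            echo "no entry for $ntgroup: a RID is required" >&2
            return 2
        fi
        printf 'net groupmap add ntgroup="%s" unixgroup=%s rid=%s\n' \
            "$ntgroup" "$unixgroup" "$rid"
    fi
}

# Demo on the constructed sample; on a server pass "$(net groupmap list)".
plan_groupmap "$SAMPLE_LIST" "Domain Users" users ""
```

The script only prints the command it would run, so the output can be reviewed before any mapping is changed.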


