[Samba] Groups and LDAP
Robert Rati
Robert.Rati at motorola.com
Thu Nov 20 22:44:54 GMT 2003
I think I understand. So, if I want a user (in LDAP) to be a part of
your ntadmins group, I'd set his gidNumber to 1000, correct? Would I
also need to add a memberUid field in the ntadmins group for this user?
I.e. for user bob:
dn: cn=ntadmins,ou=Groups,dc=firerun,dc=net
cn: ntadmins
objectClass: top
objectClass: posixGroup
gidNumber: 1000
memberUid: root
memberUid: patrick
memberUid: bob
Can an LDAP user have a gidNumber of 0 and be a root user on a Unix machine?
Rob
Patrick wrote:
> Rob,
>
> Maybe I can shed some light on this for you. I have just setup a Samba
> PDC + LDAP machine here. For the group assignments to work you will
> still need to have a unix group on the machine. So you use the normal
> method to add a unix group in the ldap directory. You can then add any
> users you want to that group. So for example I setup the following unix
> group in ldap:
>
> # ntadmins, Groups, firerun, net
> dn: cn=ntadmins,ou=Groups,dc=firerun,dc=net
> cn: ntadmins
> objectClass: top
> objectClass: posixGroup
> gidNumber: 1000
> memberUid: root
> memberUid: patrick
>
> Then you will need to use the net tool to do a group mapping. First you
> will need to lookup the SID of the domain. So you will use "net
> getlocalsid SID" once you have the Domain SID you will use the following
> command to map the unix group to a domain group:
>
> net groupmap add sid=<domain sid>-512 ntgroup="Domain Admins"
> unixgroup=ntadmins type=domain
>
> That command will add the samba group mapping attributes and the
> ntadmins group will now be the Domain Admins group on Windows clients.
> Any users that are added to the ntadmins unix group will be members of
> the Domain Admins group. To confirm the mapping just use "net groupmap
> list."
>
> Patrick
>
> Robert Rati wrote:
>
>> I'm a little weak on how the groups assignments work with Samba and
>> LDAP. The Samba HOWTO collection says to map each Domain Group to a
>> UNIX system group, but if all authentication is done via LDAP (Unix
>> and Windows) then do the groups still have to exist on the Samba Unix
>> machine? Where do the RIDs fit into all this? I don't see a schema
>> in LDAP for sambaGroup. Do I create the domain groups with the
>> posixGroup schema and set their gid to a RID that will exist on the
>> Windows machine (like 512 for Domain Admins)? Or do I just bypass the
>> group mapping altogether and set a Domain Admins sambaPrimaryGroupSID
>> to <SID>-512? Any help on this would be very helpful, as I think I'm
>> confusing myself.
>>
>> Rob
>>
>
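An added audit script (not from this thread, and not part of Samba) that reads an LDIF export of a directory set up as Patrick describes and reports who effectively ends up in the group mapped to RID 512, whether through an explicit memberUid or a matching primary gidNumber, along with any posixAccount whose uidNumber is 0. It assumes the export is plain ldapsearch -LLL output with no folded or base64-encoded lines, and that the mapped group carries the sambaSID attribute of the sambaGroupMapping objectClass written by net groupmap; the LDIF sample is constructed.

```python
DOMAIN_ADMINS_RID = "512"  # well-known RID the thread maps ntadmins to
# Constructed LDIF export (assumed: ldapsearch -LLL, no folded or base64 lines).
SAMPLE_LDIF = """\
dn: cn=ntadmins,ou=Groups,dc=firerun,dc=net
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1000
memberUid: root
memberUid: patrick
sambaSID: S-1-5-21-1111-2222-3333-512

dn: uid=bob,ou=Users,dc=firerun,dc=net
uid: bob
objectClass: posixAccount
gidNumber: 1000

dn: uid=svc,ou=Users,dc=firerun,dc=net
uid: svc
objectClass: posixAccount
uidNumber: 0
gidNumber: 0
"""

def parse_ldif(text):
    """Split LDIF into entries; each entry maps attribute -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                entry.setdefault(attr, []).append(value.strip())
        entries.append(entry)
    return entries

def audit(entries):
    """Who effectively holds Domain Admins (RID 512), and which accounts are uid 0."""
    admin_gids, admins, root_uids = set(), set(), []
    for e in entries:
        if any(s.endswith("-" + DOMAIN_ADMINS_RID) for s in e.get("sambaSID", [])):
            admin_gids.update(e.get("gidNumber", []))
            admins.update(e.get("memberUid", []))  # explicit memberUid entries
    for e in [x for x in entries if "posixAccount" in x.get("objectClass", [])]:
        uid, gid = e["uid"][0], e.get("gidNumber", [""])[0]
        if gid in admin_gids:
            admins.add(uid)  # primary gidNumber alone already makes them a member
        if e.get("uidNumber", [""])[0] == "0":
            root_uids.append(uid)  # uid 0 is root; gidNumber 0 alone is only group root
    return {"domain_admins": sorted(admins), "root_uids": root_uids}
```

Run it against a real export with `audit(parse_ldif(open("export.ldif").read()))` and review every name in domain_admins, since each of them is a Domain Admin on the Windows clients.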