[Samba] Groups and LDAP

Robert Rati Robert.Rati at motorola.com
Thu Nov 20 22:44:54 GMT 2003


I think I understand.  So, if I want a user (in LDAP) to be a part of 
your ntadmins group, I'd set his gidNumber to 1000, correct?  Would I 
also need to add a memberUid field in the ntadmins group for this user? 
I.e., for user bob:

dn: cn=ntadmins,ou=Groups,dc=firerun,dc=net
cn: ntadmins
objectClass: top
objectClass: posixGroup
gidNumber: 1000
memberUid: root
memberUid: patrick
memberUid: bob

Can an LDAP user have a gidNumber of 0 and be a root user on a Unix machine?

Rob

Patrick wrote:
> Rob,
> 
> Maybe I can shed some light on this for you.  I have just setup a Samba 
> PDC + LDAP machine here.  For the group assignments to work you will 
> still need to have a unix group on the machine.  So you use the normal 
> method to add a unix group in the ldap directory.  You can then add any 
> users you want to that group.  So for example I setup the following unix 
> group in ldap:
> 
> # ntadmins, Groups, firerun, net
> dn: cn=ntadmins,ou=Groups,dc=firerun,dc=net
> cn: ntadmins
> objectClass: top
> objectClass: posixGroup
> gidNumber: 1000
> memberUid: root
> memberUid: patrick
> 
> Then you will need to use the net tool to do a group mapping.  first you 
> will need to lookup the SID of the domain.  So you will use "net 
> getlocalsid SID" once you have the Domain SID you will use the following 
> command to map the unix group to a domain group:
> 
> net groupmap add sid=<domain sid>-512 ntgroup="Domain Admins" 
> unixgroup=ntadmins type=domain
> 
> That command will add the samba group mapping attributes and the 
> ntadmins group will now be the Domain Admins group on Windows clients. 
> Any users that are added to the ntadmins unix group will be members of 
> the Domain Admins group.  To confirm the mapping just use "net groupmap 
> list."
> 
> Patrick
> 
> Robert Rati wrote:
> 
>> I'm a little weak on how the groups assignments work with Samba and 
>> LDAP.  The Samba HOWTO collection says to map each Domain Group to a 
>> UNIX system group, but if all authentication is done via LDAP (Unix 
>> and Windows) then do the groups still have to exist on the Samba Unix 
>> machine?  Where do the RIDs fit into all this?  I don't see a schema 
>> in LDAP for sambaGroup.  Do I create the domain groups with the 
>> posixGroup schema and set their gid to a RID that will exist on the 
>> Windows machine (like 512 for Domain Admins)?  Or do I just bypass the 
>> group mapping altogether and set a Domain Admins sambaPrimaryGroupSID 
>> to <SID>-512? Any help on this would be very helpful, as I think I'm 
>> confusing myself.
>>
>> Rob
>>
> 
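One way to audit who actually ends up in the Domain Admins mapping discussed above, as an added example that is not code from the thread or from Samba: it parses a constructed LDIF (the ntadmins group plus a posixAccount whose primary gidNumber is 1000) and constructed `net groupmap list` output, whose `ntgroup (SID) -> unixgroup` line format is an assumption here, and reports the uids that become members through either memberUid or primary gidNumber.

```python
import re
# Constructed sample LDIF: the ntadmins posixGroup plus bob, whose primary gid is 1000.
LDIF = """\
dn: cn=ntadmins,ou=Groups,dc=firerun,dc=net
cn: ntadmins
objectClass: posixGroup
gidNumber: 1000
memberUid: root
memberUid: patrick

dn: uid=bob,ou=People,dc=firerun,dc=net
uid: bob
objectClass: posixAccount
gidNumber: 1000
"""

# Constructed 'net groupmap list' output; the line layout is an assumption.
GROUPMAP = """\
Domain Admins (S-1-5-21-111-222-333-512) -> ntadmins
Domain Users (S-1-5-21-111-222-333-513) -> users
"""

PRIVILEGED_RIDS = {"512"}  # Domain Admins, the RID used in the thread

def parse_ldif(text):
    # Each blank-line separated block becomes {attribute: [values]}.
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            attrs.setdefault(key, []).append(val)
        entries.append(attrs)
    return entries

def privileged_members(ldif_text, groupmap_text):
    # Returns {ntgroup: sorted uids} for every mapping onto a privileged RID.
    entries = parse_ldif(ldif_text)
    groups = {e["cn"][0]: e for e in entries if "posixGroup" in e.get("objectClass", [])}
    users = [e for e in entries if "posixAccount" in e.get("objectClass", [])]
    result = {}
    for ntgroup, rid, unixgroup in re.findall(
            r"^(.+?) \(S-[\d-]+-(\d+)\) -> (\S+)$", groupmap_text, re.M):
        if rid not in PRIVILEGED_RIDS or unixgroup not in groups:
            continue
        grp = groups[unixgroup]
        members = set(grp.get("memberUid", []))
        # A user whose primary gidNumber is the group's gid is a member too.
        members |= {u["uid"][0] for u in users if u["gidNumber"] == grp["gidNumber"]}
        result[ntgroup] = sorted(members)
    return result
```

Run against a real directory, the LDIF would come from an ldapsearch export and the mapping text from `net groupmap list`; any uid that appears here without an explicit memberUid entry got in through its primary group alone.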
