[Samba] How to add a group to samba + ldap

Wim Bakker koreander at planet.nl
Sun Apr 11 14:52:41 GMT 2004


On Sunday 11 April 2004 14:25, you wrote:
> Wim Bakker wrote:
> > Hello,
> >
> > I try to add a domain group to samba + ldap with the following command:
> >
> > slapadd -v -l g.ldif
> > content of g.ldif:
> > --
> > dn: cn=Domain Admins,dc=ahm,dc=nl
> > cn: Domain Admins
> > objectClass: sambaGroupMapping
> > sambaSID: S-1-5-21-4269728302-1655870493-3894479995-512
> > sambaGroupType: Domain
> > --
> > and slapadd returns with:
> > could not parse entry (line=6)
> >
> > what is wrong here?
> > The reference guide states only that it is the responsibility
> > of the administrator to add the essential Domain Groups (page 154)
> > but fails to mention how to (rather funny for an official how-to book).
> > As this book also fails to explain the meaning/values of sambaGroupType
> > and how they relate I am a bit at a loss here.
> >
> > TIA
> > Wim Bakker
>
> As a sidenote you need to ad the posixAccount objectclass and related
> attributes as well, and all the objectclasses upon which posixAccount
> relies.
>
Yes, so it seems, I used smbldap-groupadd -a -g 512 -o -r 512 -s 
S-1-5-21-4269728302-1655870493-3894479995-512 -t builtin  "Domain Admins"
and now it is nicely added, slapcat:
---------------
dn: cn=Domain Admins,ou=Groups,dc=ahm,dc=nl
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 512
structuralObjectClass: posixGroup
entryUUID: da450b08-2002-1028-9366-cd900415d4ac
creatorsName: cn=Manager,dc=ahm,dc=nl
createTimestamp: 20040411125236Z
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-512
sambaGroupType: 5
entryCSN: 2004041112:52:36Z#0x0002#0#0000
modifiersName: cn=Manager,dc=ahm,dc=nl
modifyTimestamp: 20040411125236Z
---------------
still don't know what sambaGroupType is though.
From the samba-howto on http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html:

SID_NAME_USE_NONE = 0,/* NOTUSED */
SID_NAME_USER    = 1, /* user */
SID_NAME_DOM_GRP = 2, /* domain group */
SID_NAME_DOMAIN  = 3, /* domain: don't know what this is */
SID_NAME_ALIAS   = 4, /* local group */
SID_NAME_WKN_GRP = 5, /* well-known group */
SID_NAME_DELETED = 6, /* deleted account: needed for c2 rating */
SID_NAME_INVALID = 7, /* invalid account */
SID_NAME_UNKNOWN = 8  /* oops. */

is the number 5 for the sambaGroupType the SID_NAME_WKN_GRP?
So does the samba type "builtin" translate to "SID_NAME_WKN_GRP"?

deleted the group and added again with:
smbldap-groupadd -a -g 512 -o -r 512 -s 
S-1-5-21-4269728302-1655870493-3894479995-512 -t domain "Domain Admins"

slapcat:
dn: cn=Domain Admins,ou=Groups,dc=ahm,dc=nl
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 512
structuralObjectClass: posixGroup
entryUUID: ec233b38-2007-1028-936b-cd900415d4ac
creatorsName: cn=Manager,dc=ahm,dc=nl
createTimestamp: 20040411132854Z
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-512
sambaGroupType: 2
entryCSN: 2004041113:28:54Z#0x0002#0#0000
modifiersName: cn=Manager,dc=ahm,dc=nl
modifyTimestamp: 20040411132854Z

looks like it. But from  that same site I see:
ntSid: S-1-5-21-298858960-1863792627-3661451959-512
ntGroupType: 2

is ntSid the same as sambaSID and ntGroupType the same as sambaGroupType?
Next, it is impossible to add users to this group:

#smbldap-groupmod.pl -m gerrit "Domain Admins"
#/usr/local/bin/smbldap-groupmod.pl: group Domain Admins not found!

but :
# smbldap-groupshow.pl "Domain Admins"
dn: cn=Domain Admins,ou=Groups,dc=ahm,dc=nl
objectClass: posixGroup,sambaGroupMapping
cn: Domain Admins
gidNumber: 512
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-512
sambaGroupType: 2

returns the group info, how's that?

and if I add the group wheel to ldap:
#smbldap-groupadd.pl -a -g 512 -o -t local  "wheel"
and
#smbldap-groupmod.pl -m gerrit wheel
slapcat:
dn: cn=wheel,ou=Groups,dc=ahm,dc=nl
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: wheel
gidNumber: 512
structuralObjectClass: posixGroup
entryUUID: 2ad34a12-2003-1028-9367-cd900415d4ac
creatorsName: cn=Manager,dc=ahm,dc=nl
createTimestamp: 20040411125451Z
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-2025
sambaGroupType: 4
memberUid: gerrit
entryCSN: 2004041112:56:21Z#0x0001#0#0000
modifiersName: cn=Manager,dc=ahm,dc=nl
modifyTimestamp: 20040411125621Z

The user gerrit has been added, now why wheel yes, but "Domain Admins" no?
Also "net groupmap list" doesn't show anything. Is the net command anywhere
usable with a samba + ldap setup? If I want a groupmapping from
ntgroup "Domain Admins" to unixgroup wheel, how do I do that then?
I gave the group "Domain Admins" the gid 512, does that get translated to the
unixgroup 512, being wheel? Do I have to add the group wheel at all to ldap, 
as wheel already exists as a local group? Yes I do because the user gerrit 
exists only in ldap. Is the type "local" from the various samba types 
referring to a "local unix group" or to a "local windows group on a machine"? 
Apparently not because the type local gets sambaGroupType 4, and I assume 
that means SID_NAME_ALIAS, being a local group on a windows ws. So where 
does the groupmapping happen?

TIA

Wim Bakker 
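The entry that slapadd rejected and the entries that slapcat later printed differ in exactly the points an administrator would want to check before loading group mappings into the directory. The script below is an added example, written for this thread; it is not code from the mail, from Samba or from smbldap-tools. It assumes, based on the slapcat output shown above, that sambaGroupMapping is an auxiliary class that needs posixGroup as its structural class, and it uses the SID_NAME_USE numbers quoted from the howto as the valid sambaGroupType values. The LDIF reader is minimal (no base64 values) and the sample entries are reconstructed from the mail.

```python
"""Audit sambaGroupMapping entries in an LDIF dump (slapcat output, or an LDIF
about to be fed to slapadd), flagging the defects seen in the thread above.

Assumptions (not from the Samba documentation): posixGroup is the structural
class a sambaGroupMapping entry needs, and sambaGroupType holds one of the
SID_NAME_USE numbers quoted in the mail."""
import re

# SID_NAME_USE table as quoted from the howto in the mail.
SID_NAME_USE = {
    0: "SID_NAME_USE_NONE", 1: "SID_NAME_USER", 2: "SID_NAME_DOM_GRP",
    3: "SID_NAME_DOMAIN", 4: "SID_NAME_ALIAS", 5: "SID_NAME_WKN_GRP",
    6: "SID_NAME_DELETED", 7: "SID_NAME_INVALID", 8: "SID_NAME_UNKNOWN",
}
# Values that make sense on a group mapping: domain group, local group (alias),
# well-known group.  Anything else is treated as a defect.
GROUP_TYPES = {2, 4, 5}
# Domain SID (S-1-5-21-<three sub-authorities>) followed by the RID.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def group_type_name(value):
    """Translate a sambaGroupType number into its SID_NAME_USE symbol."""
    return SID_NAME_USE.get(value, "unknown")


def rid_of(sid):
    """Return the RID of a domain SID, or None if the SID is not of that shape."""
    m = SID_RE.match(sid)
    return int(m.group(1)) if m else None


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, continuation lines begin with one space, '#' lines are comments.
    Base64 ('attr::') values are not decoded."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]   # folded continuation line
            continue
        attr, _, value = raw.partition(":")      # first colon only: entryCSN keeps its colons
        attr = attr.strip()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def check_group_entry(entry):
    """Return a list of problems for one entry; an empty list means it looks sound."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "sambagroupmapping" not in classes:
        return []  # not a group mapping, nothing to check
    dn = entry.get("dn", ["<no dn>"])[0]
    problems = []
    if "posixgroup" not in classes:
        problems.append(f"{dn}: sambaGroupMapping is auxiliary, add structural objectClass posixGroup")
    if "gidNumber" not in entry:
        problems.append(f"{dn}: gidNumber missing (required by posixGroup)")
    sid = entry.get("sambaSID", [""])[0]
    if rid_of(sid) is None:
        problems.append(f"{dn}: sambaSID {sid!r} is not a domain SID with a RID")
    gtype = entry.get("sambaGroupType", [""])[0]
    if not gtype.isdigit() or int(gtype) not in GROUP_TYPES:
        problems.append(f"{dn}: sambaGroupType {gtype!r} is not one of {sorted(GROUP_TYPES)}")
    return problems


def audit(text):
    """Map each DN with problems to its list of problems."""
    result = {}
    for entry in parse_ldif(text):
        problems = check_group_entry(entry)
        if problems:
            result[entry.get("dn", ["<no dn>"])[0]] = problems
    return result


# Constructed sample: the entry slapadd rejected in the mail, and the entry
# smbldap-groupadd produced afterwards (operational attributes left out).
REJECTED_LDIF = """\
dn: cn=Domain Admins,dc=ahm,dc=nl
cn: Domain Admins
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-512
sambaGroupType: Domain
"""

WORKING_LDIF = """\
dn: cn=Domain Admins,ou=Groups,dc=ahm,dc=nl
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 512
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-512
sambaGroupType: 2
"""

if __name__ == "__main__":
    for dn, problems in audit(REJECTED_LDIF + "\n" + WORKING_LDIF).items():
        print(dn)
        for p in problems:
            print("  -", p)
    print("sambaGroupType 2 =", group_type_name(2))
```

Run against a full slapcat dump, the audit reports only the sambaGroupMapping entries that would fail to load or that carry a group type outside the domain/alias/well-known set; ordinary posixGroup entries without a mapping are skipped.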