[samba] users in multiple groups?

Daniel Wilson daniel.wilson at sunderland.ac.uk
Mon Nov 1 16:35:03 GMT 2004

Firstly thanks for your response.

I have already done what you have suggested, however its not working.....

....my account in LDAP (ws0dwi) has a gidNumber of (901) and the 
sambaPrimaryGroupSID = the SID of the group in LDAP called (itacs). I 
also want to be a member of domain admins, so i add another memberUid = 
ws0dwi in the domain admin group in LDAP, my nsswitch.conf file has:

passwd files ldap
shadow files ldap
groups files ldap

when i do:

quigon1:~ # groups ws0dwi
ws0dwi : itacs

quigon1:~ # id ws0dwi
uid=186712(ws0dwi) gid=901(itacs) groups=901(itacs)

As you can see it doesnt show im a member of the domain admins(512) group?


Daniel Wilson

Paul Gienger wrote:

>> every user is added to the group, but i cant seem to find a way for a 
>> user to be part of multiple groups, sambaPrimaryGroupSID isnt 
>> multi-valued, neither is gidNumber. Is there any way around this, has 
>> anybody have sugesstions?
> Bone up on your UNIX group membership theory.  Every user has a 
> primary group that is specified in their user account.  Secondary 
> groups are applied 'backwards' to that setup.  That means that users 
> are added to the group's entry in wherever that group is defined 
> (/etc/group, ou=Groups in a 'standard' LDAP DIT.  You can have many 
> many user entries in each group (up to like 1024 characters long for 
> the list I believe) and the user can be both specified in the group 
> object and have their primary group as that group without causing issues.
> There are a couple of commands that come in handy once you start 
> setting up secondary group memberships, and they work differently on 
> different os's.  groups <username> and id <username> give interesting 
> output:
> [root at mail log]# id pgienger
> uid=2266(pgienger) gid=2028(itserv) 
> groups=2028(itserv),3000(applied),2027(itadmin),2081(office),2082(projects),512(Domain 
> Admins)
> [root at mail log]# groups pgienger
> pgienger : itserv applied itadmin office projects Domain Admins

Daniel Wilson
Systems Administrator

IT & Communications Service
University of Sunderland
Unit1 Technology Park
Chester Road

Tel: 0191 515 2695

This e-mail contains information which is confidential and may be privileged and is for the exclusive use of the recipient. 
It is the responsibility of the recipient to ensure that this message and its attachments are virus free. 
Any views or opinions presented are solely those of the author and do not necessarily represent those of the University, unless otherwise specifically

More information about the samba mailing list