[samba] users in multiple groups?

Daniel Wilson daniel.wilson at sunderland.ac.uk
Tue Nov 2 16:05:06 GMT 2004

OK, I have removed all of my groups from LDAP, downloaded smbldap-tools-0.8.5

and used smbldap-populate to create my groups again.

However, when I add a user to a group the users still seem not to be 
"registered" in the group.

This is how I created and added a user to a group.

quigon1:~ # ./smbldap-useradd -a test123
quigon1:~ # ./smbldap-passwd test123
quigon1:~ # ./smbldap-groupmod -m test123 "Domain Admins"

In theory the user should now be a member of both "Domain Users" and 
"Domain Admins", however....

quigon1:/opt/smbldap-tools-0.8.5 # groups test123
test123 : users

quigon1:/opt/smbldap-tools-0.8.5 # id test123
uid=21690(test123) gid=100(users) groups=100(users)

It doesn't show the user in the domain admin groups, and also says the gid 
=100 when it's set to 513 in LDAP???...

If I do a lookup on the group.....it says the user is in the group.

quigon1:~ # getent group "Domain Users"
Domain Users:x:513:test123

quigon1:~ # getent group "Domain Admins"
Domain Admins:x:512:Administrator,test123

On a different note, how do you go about creating a new group?

The way I think is

1) Create a new PosixGroup in LDAP
2) quigon1:~# net groupmap add unixgroup=<group> ntgroup=<group> type=domain

Is this the way?



Paul Gienger wrote:

>> quigon1:~ # getent groups
>> Unknown database: groups
> Oh yeah, duh... you know, I thought I made a mistake once, but then 
> when I reexamined the situation, it turned out that I didn't... AAAANYWAY
> the populate script made this for me:
> [fgoserv:tmp]# getent group "Domain Admins"
> Domain Admins::512:Administrator,pgienger,smoorhou,rklose,speterso
> but I see you have a ntadmin and nothing like the "Domain Users" so I 
> wonder if you used an old version of the script package.   I would 
> suggest getting the newest version of the tool package and re-running 
> the populate script.
>> quigon1:~ # groups ws0dwi
>> id: cannot find name for group ID 901
>> quigon1:~ # id ws0dwi
>> uid=186712(ws0dwi) gid=901 groups=901
> This leads me to ask where group 901 is/should be coming from.  Did 
> you start making samba groups in LDAP without creating them as posix 
> groups first?  The procedure should be to make the group in unix, 
> presumably you should do this in ldap with whatever tool you like (gq, 
> phpldapadmin, bare metal LDIF file input) and then do a groupmapping 
> with a "net groupmap add" command.
>> Yes, my groups were created using smbldap-populate.pl, but I can't see 
>> it being mapped to any UNIX group. Which group should it be mapped to 
>> and how is this done?
> Again, this should all be taken care of for you.  You should end up 
> with this: (among some others perhaps)
> [fgoserv:tmp]# /opt/samba/bin/net groupmap list
> Domain Admins (S-1-5-21-112718084-1284083569-2990761952-512) -> Domain 
> Admins
> Domain Users (S-1-5-21-112718084-1284083569-2990761952-513) -> Domain 
> Users
> Domain Guests (S-1-5-21-112718084-1284083569-2990761952-514) -> Domain 
> Guests
> Print Operators (S-1-5-32-550) -> Print Operators
> Backup Operators (S-1-5-32-551) -> Backup Operators
> Replicators (S-1-5-32-552) -> Replicators
> Domain Computers (S-1-5-21-112718084-1284083569-2990761952-515) -> 
> Domain Computers
> Administrators (S-1-5-32-544) -> Administrators
> Power Users (S-1-5-32-547) -> Power Users

Daniel Wilson
Systems Administrator

IT & Communications Service
University of Sunderland
Unit1 Technology Park
Chester Road

Tel: 0191 515 2695
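
A consistency check for the symptom described in the message above, added here as an example and not part of the original post: it lists groups whose `getent group` entry names the user as a member while `id` does not report that gid. The sample input is copied from the post; the function names are hypothetical, and `live_missing` assumes a Unix host where group enumeration is enabled.

```python
import re

# Sample input copied from the post above.
ID_OUTPUT = "uid=21690(test123) gid=100(users) groups=100(users)"
GETENT_OUTPUT = """\
Domain Users:x:513:test123
Domain Admins:x:512:Administrator,test123
"""

def parse_id(line):
    """Parse one line of `id` output into (user, primary_gid, {gids})."""
    m = re.match(r"uid=\d+\(([^)]*)\)\s+gid=(\d+)(?:\([^)]*\))?\s+groups=(.+)$",
                 line.strip())
    if not m:
        raise ValueError("unrecognised id output: %r" % line)
    # Each entry is "gid" or "gid(name)"; names may contain spaces.
    gids = {int(g) for g in re.findall(r"(?:^|,)(\d+)", m.group(3))}
    return m.group(1), int(m.group(2)), gids

def parse_group_lines(text):
    """Parse `getent group` lines into {gid: (name, {members})}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, gid, members = line.strip().split(":", 3)
        groups[int(gid)] = (name, {m for m in members.split(",") if m})
    return groups

def missing_memberships(id_line, getent_text):
    """Groups that list the user as a member but are absent from `id`."""
    user, _primary, effective = parse_id(id_line)
    return sorted((gid, name)
                  for gid, (name, members) in parse_group_lines(getent_text).items()
                  if user in members and gid not in effective)

def live_missing(user):
    """Same check against the running system's NSS (Unix only)."""
    import grp, os, pwd
    effective = set(os.getgrouplist(user, pwd.getpwnam(user).pw_gid))
    return sorted((g.gr_gid, g.gr_name) for g in grp.getgrall()
                  if user in g.gr_mem and g.gr_gid not in effective)

if __name__ == "__main__":
    for gid, name in missing_memberships(ID_OUTPUT, GETENT_OUTPUT):
        print("listed in %s (gid %d) but not reported by id" % (name, gid))
```

Any group this reports, particularly a privileged one such as "Domain Admins", is a membership that the directory records but that the login path does not resolve for the user.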
