[Samba] Re: Authenticating DC's on an ldap backend... nobody knows how?
Igor Belyi
sambauser at katehok.ac93.org
Thu Sep 30 04:16:53 GMT 2004
Jim C. wrote:
> Mine:
>
>> [root at enigma 0 root]$ smbldap-groupshow 'Domain Controllers'
>> dn: cn=Domain Controllers,ou=Group,dc=j9starr,dc=net
>> objectClass: posixGroup,sambaGroupMapping
>> cn: Domain Controllers
>> sambaGroupType: 2
>> sambaSID: S-1-5-21-2147030705-2499090161-3119200592-516
>> gidNumber: 516
>> displayName: Domain Controllers
>> memberUid: cn=enigma,ou=Hosts,dc=j9starr,dc=net
>
> His:
>
>> dn: cn=Domain Controllers,ou=Group,dc=ranger,dc=dnsalias,dc=com
>> objectClass: groupOfNames
>> objectClass: top
>> cn: Domain Controllers
>> member: cn=kiowa.ranger.dnsalias.com,ou=Hosts,dc=ranger,dc=dnsalias,dc=com
>> member: cn=comanche.ranger.dnsalias.com,ou=Hosts,dc=ranger,dc=dnsalias,dc=com
>
> Now I don't know how slapd deals with groups but if it specifically
> needs groupOfNames, then I may have a problem. I'll see if I can
> manipulate the structure to include groupOfNames. Who knows, I might be
> able to do it without redundancy.

No, slapd doesn't know (by default) how to work with posixGroups. Note
that memberUid of the posixGroup usually contains uids of the
posixAccount objects. To let slapd work with just 'group=' it should be
either a groupOfNames or a groupOfUniqueNames object.

You can however trick slapd into working with posixGroup (I don't know
if this is the right move though)... There are additional parameters to the
_who_ part of the access statement. Try something like this (just for
the fun of it):

access to dn.subtree="dc=j9starr,dc=net"
        by group/posixGroup/memberUid="cn=Domain Controllers,ou=Group,dc=j9starr,dc=net"
        by * read

Good luck,
Igor
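
Added example, not part of the original message: Python that reads a group entry in LDIF form, picks the matching slapd <who> clause (bare group= for groupOfNames, the explicit group/<objectClass>/<attribute>= form otherwise), and warns when member values are not DNs. The function names and the UID_STYLE sample are assumptions made for illustration; the groupOfNames/member default is taken from slapd.access(5).

```python
import re

# (objectClass, member attribute) pairs, in order of preference.
GROUP_CLASSES = [("groupOfNames", "member"),
                 ("groupOfUniqueNames", "uniqueMember"),
                 ("posixGroup", "memberUid")]
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,\s*[A-Za-z][\w-]*=[^,]+)*$")  # rough DN shape

def parse_entry(ldif):
    """Parse one LDIF entry into {attr_lowercase: [values]}."""
    entry = {}
    for line in re.sub(r"\n ", "", ldif.strip()).splitlines():  # undo LDIF folding
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def who_clause(entry):
    """Return (who clause for a slapd 'by' line, list of warnings)."""
    # smbldap-groupshow prints objectClass values comma-joined on one line.
    classes = {c.strip().lower() for v in entry.get("objectclass", [])
               for c in v.split(",")}
    for oc, attr in GROUP_CLASSES:
        if oc.lower() in classes:
            break
    else:
        raise ValueError("entry has no supported group objectClass")
    # The group test looks for the bound DN among the member values, so a
    # bare uid (the usual memberUid content) can never match.
    warnings = [f"{attr} value {m!r} is not a DN"
                for m in entry.get(attr.lower(), []) if not DN_RE.match(m)]
    dn = entry["dn"][0]
    # slapd.access(5): objectClass and attribute default to groupOfNames/member.
    if oc == "groupOfNames":
        return f'group="{dn}"', warnings
    return f'group/{oc}/{attr}="{dn}"', warnings

# Jim's entry as posted in the thread (dn folded LDIF-style for the parser).
JIM = """dn: cn=Domain Controllers,ou=Group,
 dc=j9starr,dc=net
objectClass: posixGroup,sambaGroupMapping
cn: Domain Controllers
memberUid: cn=enigma,ou=Hosts,dc=j9starr,dc=net
"""
# Constructed variant: the same group with a conventional uid-valued memberUid.
UID_STYLE = JIM.replace("cn=enigma,ou=Hosts,dc=j9starr,dc=net", "enigma$")

if __name__ == "__main__":
    for sample in (JIM, UID_STYLE):
        print(*who_clause(parse_entry(sample)), sep="\n  ")
```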