[Samba] Re: Authenticateing DC's on an ldap backend... nobody knows how?

Igor Belyi sambauser at katehok.ac93.org
Thu Sep 30 04:16:53 GMT 2004

Jim C. wrote:
> Mine:
>> [root at enigma 0 root]$ smbldap-groupshow 'Domain Controllers'
>> dn: cn=Domain Controllers,ou=Group,dc=j9starr,dc=net
>> objectClass: posixGroup,sambaGroupMapping
>> cn: Domain Controllers
>> sambaGroupType: 2
>> sambaSID: S-1-5-21-2147030705-2499090161-3119200592-516
>> gidNumber: 516
>> displayName: Domain Controllers
>> memberUid: cn=enigma,ou=Hosts,dc=j9starr,dc=net
> His:
>> dn: cn=Domain
>> Controllers,ou=Group,dc=ranger,dc=dnsalias,dc=com
>> objectClass: groupOfNames
>> objectClass: top
>> cn: Domain Controllers
>> member:
>> cn=kiowa.ranger.dnsalias.com,ou=Hosts,dc=ranger,dc=dnsalias,dc=com
>> member:
>> cn=comanche.ranger.dnsalias.com,ou=Hosts,dc=ranger,dc=dnsalias,dc=com
> Now I don't know how slapd deals with groups but if it specifically 
> needs groupOfNames, then I may have a problem. I'll see if I can 
> manipulate the structure to include groupOfNames.  Who knows, I might be 
> able to do it without redunancy.

No, slapd doesn't know (by default) how to work with posixGroups. Note 
that memberUid of the posixGroup usually contain uids of the 
posixAccount objects. To let slapd work with just 'group=' it should be 
either groupOfNames or groupOfUniqueNames object.

You can however trick slapd into working with posixGroup (I don't know 
if this the right move though)... There's additional parameters to the 
_who_ part of the access statement. Try something like that (just for 
fun of it):

access to dn.subtree="dc=j9starr,dc=net"
     by group/posixGroup/memberUid="cn=Domain 
     by * read

Good luck,

More information about the samba mailing list