[Samba] Description of LDAP-attribute sambaSIDList
tonye at billy.demon.nl
Fri Apr 22 19:33:35 GMT 2005
Daniel Wilson wrote:
> So does this mean that everyone for example in GroupA could then also be
> a member of GroupB if you added GroupA's SID into GroupB's
> sambaSIDList...if so this would help us out soooo much as then we don't
> need to keep adding people into multiple groups!
Yes, it does mean that. But this has also (always) been possible with
Posix groups (a group can be a member of another group), for Unix/Linux
groups. In this case, Hallvor Engen is saying that for Windows groups it
can be done with group SIDs. I do it for OpenLDAP with Posix groups and
MemberUid instead for Samba and that works just as well - where there's
already a Posix group.
> could you give me the syntax so I can update my schema file (we're using
> Sun Directory Server 5.2 as our LDAP backend...)
I'm not sure what you mean by "syntax". A group-mapping for the Posix
group domadm might look like:
description: Local Unix group
displayName: Domain Admins
where the value for the multi-value attribute sambaSIDList (there can be
more than one attribute with different values) might be the SID for the
Windows group "Administrative Staff". That might be a pure Windows group
and not be present as a Posix group.
This ldif (in the form above) would most probably not be possible to
generate on sites using the idealx scripts; I don't. And everybody would
be far better off if they got and compiled GQ and played around with it,
then they'd see this for themselves ;).
mail: tonye at billy.demon.nl
They love us, don't they, They feed us, won't they ...
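
An added example, not part of the original post and not Samba's own code: a small audit that expands the nesting described above (a group's sambaSIDList naming other groups' SIDs) into the effective member list of one group, showing which nested group grants each membership. The SIDs, the "Helpdesk" group, the user names and the dictionary layout are constructed for illustration; it assumes nesting works as described in this thread.

```python
# Constructed sample data (not from the post): group-mapping entries keyed by
# the group's own SID. "members" stands for POSIX memberUid values and
# "sid_list" for the multi-valued sambaSIDList attribute.
GROUPS = {
    "S-1-5-21-1111-2222-3333-512": {
        "displayName": "Domain Admins",
        "members": ["alice"],
        "sid_list": ["S-1-5-21-1111-2222-3333-3001"],
    },
    "S-1-5-21-1111-2222-3333-3001": {
        "displayName": "Administrative Staff",
        "members": ["bob", "carol"],
        "sid_list": ["S-1-5-21-1111-2222-3333-3002"],
    },
    "S-1-5-21-1111-2222-3333-3002": {
        "displayName": "Helpdesk",
        "members": ["dave"],
        # Points back at its parent and at a SID with no entry: both must be
        # handled without looping or crashing.
        "sid_list": ["S-1-5-21-1111-2222-3333-3001", "S-1-5-21-1111-2222-3333-9999"],
    },
}

def effective_members(groups, root_sid):
    """Return ({user: chain of group names granting membership}, unresolved SIDs)."""
    granted, unresolved, seen = {}, set(), set()
    stack = [(root_sid, [])]
    while stack:
        sid, path = stack.pop()
        if sid in seen:           # cycle or repeated nesting: visit once only
            continue
        seen.add(sid)
        entry = groups.get(sid)
        if entry is None:         # SID listed but no group mapping found
            unresolved.add(sid)
            continue
        here = path + [entry["displayName"]]
        for uid in entry["members"]:
            granted.setdefault(uid, here)
        for nested in entry["sid_list"]:
            stack.append((nested, here))
    return granted, unresolved

if __name__ == "__main__":
    users, missing = effective_members(GROUPS, "S-1-5-21-1111-2222-3333-512")
    for uid, path in sorted(users.items()):
        print(f"{uid}: {' -> '.join(path)}")
    print("unresolved SIDs:", sorted(missing))
```

Run against a privileged group, the output lists every account that reaches it only through nesting, which is the part a flat member listing does not show.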