[Samba] Description of LDAP-attribute sambaSIDList
Tony Earnshaw
tonye at billy.demon.nl
Fri Apr 22 19:33:35 GMT 2005
Daniel Wilson wrote:
> So does this mean that everyone for example in GroupA could then also be
> a member of GroupB if you added GroupA's SID into GroupB's
> sambaSIDList...if so this would help us out soooo much as then we don't
> need to keep adding people into multiple groups!
Yes, it does mean that. But this has also (always) been possible with
Posix groups (a group can be a member of another group), for Unix/Linux
groups. In this case, Hallvor Engen is saying that for Windows groups it
can be done with group SIDs. I do it for OpenLDAP with Posix groups and
MemberUid instead for Samba and that works just as well - where there's
already a Posix group.
> could you give me the syntax so I can update my schema file (we're using
> Sun Directory Server 5.2 as our LDAP backend...)
I'm not sure what you mean by "syntax". A group-mapping for the Posix
group domadm might look like:

dn: cn=domadm,ou=groups,ou=smb,dc=billy,dc=demon,dc=nl
memberUid: Administrator
memberUid: root
memberUid: billy
memberUid: tonni
description: Local Unix group
objectClass: top
objectClass: posixGroup
objectClass: uidObject
objectClass: sambaGroupMapping
uid: domadm
cn: domadm
sambaGroupType: 2
sambaSID: S-1-5-21-18666911-1472750480-3707222013-512
gidNumber: 5004
displayName: Domain Admins
sambaSIDList: S-1-5-21-18666911-1472750480-3707222013-3001

where the value for the multi-value attribute sambaSIDList (there can be
more than one attribute with different values) might be the SID for the
Windows group "Administrative Staff". That might be a pure Windows group
and not be present as a Posix group.
This ldif (in the form above) would most probably not be possible to
generate on sites using the idealx scripts; I don't. And everybody would
be far better off if they got and compiled GQ and played around with it,
then they'd see this for themselves ;).
--Tonni
--
mail: tonye at billy.demon.nl
http://www.billy.demon.nl
They love us, don't they, They feed us, won't they ...
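
Added example, not part of the original post and not Samba's own code: since a SID listed in sambaSIDList gives that group's members membership of the containing group, as described in the thread above, auditing a privileged group such as domadm means following the list transitively and noting SIDs that have no entry in LDAP. The Python below assumes that behaviour and plain, unfolded LDIF; the sample entries are constructed, and the admstaff group, its member and the -3050 SID are hypothetical.

```python
# Constructed sample: first entry follows the domadm entry in the post (trimmed);
# the "admstaff" entry, its member and the -3050 SID are hypothetical.
DOM = "S-1-5-21-18666911-1472750480-3707222013"
SAMPLE_LDIF = f"""\
dn: cn=domadm,ou=groups,ou=smb,dc=billy,dc=demon,dc=nl
objectClass: sambaGroupMapping
memberUid: root
memberUid: tonni
sambaSID: {DOM}-512
sambaSIDList: {DOM}-3001

dn: cn=admstaff,ou=groups,ou=smb,dc=billy,dc=demon,dc=nl
objectClass: sambaGroupMapping
memberUid: alice
sambaSID: {DOM}-3001
sambaSIDList: {DOM}-512
sambaSIDList: {DOM}-3050
"""

def parse_ldif(text):
    """Parse plain LDIF (no line folding, no base64) into attr -> [values] dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                attr, value = line.split(": ", 1)
                entry.setdefault(attr.lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def effective_members(entries, group_sid):
    """Follow sambaSIDList transitively; return ({uid: granting_sid}, unresolved_sids)."""
    by_sid = {e["sambasid"][0]: e for e in entries if "sambasid" in e}
    members, unresolved, seen, stack = {}, set(), set(), [group_sid]
    while stack:
        sid = stack.pop()
        if sid in seen:  # nested groups can reference each other
            continue
        seen.add(sid)
        entry = by_sid.get(sid)
        if entry is None:  # e.g. a pure Windows group with no LDAP entry
            unresolved.add(sid)
            continue
        for uid in entry.get("memberuid", []):
            members.setdefault(uid, sid)
        stack.extend(entry.get("sambasidlist", []))
    return members, unresolved
```

Calling `effective_members(parse_ldif(SAMPLE_LDIF), DOM + "-512")` shows that alice reaches the Domain Admins mapping only through the nested group, and that the -3050 SID cannot be audited from LDAP alone.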