[Samba] Fwd: Follow Up - Problem with groups & joining domain.- LDAP

Tony Earnshaw tonye at billy.demon.nl
Thu May 5 20:58:44 GMT 2005

tor, 05.05.2005 kl. 21.34 skrev Flatfender:

> If I created local groups and users in /etc/passwd &
> /etc/groups I get farther along.
> For instance, if I have a Samba PDC with LDAP basically like I listed
> in my post.  If I browse from a w2k pro box to the samba server
> without the workstation having joined the domain, I can authenticate
> to the samba server with a user who is not in /etc/passwd but is in
> LDAP.  So samba is able to do the lookup via ldap.
> Now, if I create a posix group in ldap but not in /etc/group, I can
> not use "net groupmap modify" to modify the ntgroup to unix group
> mapping.  But if I create the group in /etc/groups then the group
> mapping works.  This leads me to believe either that the
> nsswitch/nss_ldap stuff in FreeBSD is either insufficient or not
> configured.  Since their is so little to configure, I tend to lean
> towards NSSwitch not being fully implemented.

FWIW (and it's probably not going to help you) I read your post and
tried 'net groupmap modify' on my RHAS3/OpenLDAP 2.2.24 test rig. All my
Samba 3.0.14a stuff is in LDAP.

'net groupmap modify ntgroup="Domain Admins" unixgroup=katter' (i.e.
"cats", it was domadm) and it *added* a new NT groupmapping, for Domain
Admins beside the old groupmapping and changed the "katter" group RID
from 3009 to 512 as well as changing displayName from "Domain Katter" to
"Domain Admins". Then I wanted to change it back again from the command
line, but no no. It couldn't find "Domain Admins" in the database, it
said. Thank God I use GQ to manage LDAP, so I could see what was going
on. Changing the RID and displayName in GQ got it back to the original

> Also, if I try to join the domain from a workstation that has neither
> a /etc/passwd account nor an ldap account, joining the domain
> fails, but smbldap-tools creates a workstation account in ldap with
> posix only attributes and no samba attributes.
> If I create the workstation account in /etc/passwd and then join the
> domain, then I can successfully join the domain, and smbldap tools
> creates an account in ldap, but this time with only samba attributes
> and no posix attributes.

I don't use those scripts. I use LDAP for far too many other things
besides Samba and my DIT is completely different from what Idealx would
like for me. If you use the Idealx adduser script to make a posixAccount
entry, try smbpasswd or pdbedit after that to make the sambaSamAccount
modifications. The only trouble is, that you can't make LDAP records on
the fly, that way.

Actually, the Samba tools are brilliant and *they* can cope with my
non-Idealx DIT more than well enough. I use smbpasswd on my rigs, called
out of shell scripts, for adding users and machines.

What you describe /would/ point to the nss libraries on your FreeBSD
rig. Maybe others with the same OS could comment, and someone like
Padl's Luke Howard on the Padl nssldap at padl.com mailing list would
surely know, since it's mainly he who writes the nss_ldap software.

> I have not tested any other group/user scenarios yet.

Well I have. I have Samba 3.0.11 with LDAP (RHAS3 again) on a
zero-maintenance production rig running at a reasonably large high
school site in Amsterdam. It's taken over from an NT4 PDC that
continually clapped out.
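Both problems in this thread come down to half-made LDAP entries: a posixGroup with no sambaGroupMapping (so there is no NT mapping for "net groupmap" to modify), a machine account that has only posixAccount or only sambaSamAccount attributes, and, in the groupmap episode above, two entries ending up with the same RID. The following script is an added example, not part of this thread and not a Samba or smbldap-tools utility; it parses a small LDIF fragment (constructed here, with invented DNs and SIDs) and reports those inconsistencies, using the objectClass and attribute names of the standard samba.schema. The well-known RID table (512 Domain Admins, 513 Domain Users, 514 Domain Guests) is fixed by Windows, not by this page.

```python
"""Consistency check for posix/samba entries in an LDAP directory.

Added example: parses a minimal LDIF dump (no base64 values, no line
continuations) and flags entries that only half-exist for Samba.
"""
from collections import defaultdict

# Well-known domain RIDs as defined by Windows; displayName should agree.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

# Constructed sample: one complete group, one posix-only group, one
# samba-only workstation account, and two groups sharing one SID.
SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 512
sambaSID: S-1-5-21-1-2-3-512
sambaGroupType: 2
displayName: Domain Admins

dn: cn=katter,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: katter
gidNumber: 1009

dn: uid=ws01$,ou=Computers,dc=example,dc=com
objectClass: sambaSamAccount
uid: ws01$
sambaSID: S-1-5-21-1-2-3-3010
sambaAcctFlags: [W          ]

dn: cn=Domain Users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
sambaSID: S-1-5-21-1-2-3-512
sambaGroupType: 2
displayName: Domain Users
"""


def parse_ldif(text):
    """Return a list of (dn, {attribute: [values]}) from simple LDIF text."""
    entries, dn, attrs = [], None, None
    for line in text.splitlines():
        if not line.strip():                  # blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if name == "dn":
            dn, attrs = value, defaultdict(list)
        elif attrs is not None:
            attrs[name].append(value)
    if dn is not None:
        entries.append((dn, attrs))
    return entries


def rid_of(sid):
    """RID is the last dash-separated component of a SID."""
    return int(sid.rsplit("-", 1)[1])


def check_entries(entries):
    """Return (dn, problem) findings for half-made or conflicting entries."""
    findings, by_sid = [], defaultdict(list)
    for dn, a in entries:
        classes = {c.lower() for c in a.get("objectClass", [])}
        if "posixgroup" in classes and "sambagroupmapping" not in classes:
            findings.append((dn, "posixGroup without sambaGroupMapping: no NT mapping"))
        if "sambagroupmapping" in classes and "posixgroup" not in classes:
            findings.append((dn, "sambaGroupMapping without posixGroup: no unix group"))
        if "sambasamaccount" in classes and "posixaccount" not in classes:
            findings.append((dn, "sambaSamAccount without posixAccount: no unix identity"))
        if "posixaccount" in classes and "sambasamaccount" not in classes:
            findings.append((dn, "posixAccount without sambaSamAccount: no Samba logon"))
        for sid in a.get("sambaSID", []):
            by_sid[sid].append(dn)
            expected = WELL_KNOWN_RIDS.get(rid_of(sid))
            shown = a.get("displayName", [None])[0]
            if "sambagroupmapping" in classes and expected and shown != expected:
                findings.append((dn, "well-known RID %d is '%s' but displayName is %r"
                                 % (rid_of(sid), expected, shown)))
    for sid, dns in by_sid.items():           # the same SID on two entries
        if len(dns) > 1:
            findings.append((", ".join(dns), "duplicate sambaSID " + sid))
    return findings


if __name__ == "__main__":
    for dn, problem in check_entries(parse_ldif(SAMPLE_LDIF)):
        print("%s\n    %s" % (dn, problem))
```

On a real rig the input would be the output of an ldapsearch of the Samba base DN; the checks are read-only and say nothing about whether nss_ldap on the host can actually see the entries, which is a separate question answered by getent.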
