[Samba] LDAP Group mapping

Michael Cassaniti m.cassaniti at gmail.com
Tue Jun 13 10:17:55 GMT 2006

I noticed that after I moved from tdbsam to ldapsam for my passdb
backend, the group mappings had disappeared. After reading the docs, I
found that this information is stored in LDAP (makes sense).
The problem is the HOWTO Collection only says that it is the
administrators responsibility to store this information in LDAP, but
says nothing about how. A search on the internet found that you must
have posixGroup or sambaIdMapEntry objects in LDAP for your group
mapping (done) and they must contain these attributes:
displayName (this is the nt group name)
Must also have objectClass sambaGroupMapping

First off, why doesn't this work with the net rpc commands? When I did
the following:
net rpc groupmap add ntgroup="Domain Admins" unixgroup="root" rid=512
it failed. Is this an implementation problem, or is this true in all
cases for samba?

Also, I noticed that samba went looking for the name of the domain in
LDAP. One of the types is SID_NAME_DOMAIN which I assume corresponds
to the Domain Name. Where do I store this attribute and how?

If I have got any of this information wrong, or if I have written that
something is a must when it is optional, then please say so.

Also, if I am storing all my posix account information in LDAP, do I
have any use for winbind? I am using nss_ldap and authentication is
done using krb5 (not smaba integrated)
According to the docs, if you don't use winbind, then only local
mapping is available, which is exactly what I want to use from what I
can gather.

Sorry if I posted to the wrong list.

More information about the samba mailing list