[Samba] User Multiple Groups in Standalone Mode with LDAP Backend

Nelson Vale nf-vale at critical-links.com
Mon Dec 3 19:23:35 GMT 2007


I have Samba 3.0.24 installed and running on my Linux (Debian-like) system as 
a (PDC) standalone server with an LDAP backend.
The problem that I'm facing is that I want to have users belonging to multiple 
(LDAP) groups.

My LDAP user ldif is like:

# user1, People, local.loc
dn: uid=user1,ou=xxxxx,dc=xxxxx
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uidNumber: 1501
gidNumber: 1000
cn: user1
uid: user1
homeDirectory: /home/users/user1
loginShell: /bin/bash
sn: user1
sambaSID: S-1-5-21-399272150-696482500-2462376985-1501
sambaPrimaryGroupSID: S-1-5-21-399272150-696482500-2462376985-1000
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 1
sambaAcctFlags: [U]

and my groups ldif is like (I'm using the rfc2307bis schema for this with a 
compatible nss-ldap):

dn: cn=group1,ou=Groups,dc=xxxx,dc=xxxx
objectClass: posixGroup
objectClass: groupOfNames
objectClass: top
cn: group1
gidNumber: 1000
member: uid=userx,ou=xxxxx,dc=xxxx,dc=xxxx
member: uid=usery,ou=xxxxx,dc=xxxx,dc=xxxx
memberUid: userx
memberUid: usery

dn: cn=group2,ou=Groups,dc=xxxx,dc=xxxx
objectClass: posixGroup
objectClass: groupOfNames
objectClass: top
cn: group2
gidNumber: 1001
member: uid=userx,ou=xxxxx,dc=xxxx,dc=xxxx
memberUid: userx

The Samba configuration file is like:

        ldap user suffix = ou=xxxxx
        idmap gid = 10000-20000
        ldap password sync = yes
        logon drive = z:
        domain master = yes
        passdb backend = ldapsam:ldap://
        wins proxy = no
        wins support = yes
        ldap delete dn = Yes
        ldap machine suffix = ou=Computers
        ldap group suffix = ou=Groups
        idmap uid = 10000-20000
        ldap suffix = dc=xxxx,dc=xxxx
        local master = yes
        workgroup = SAMBASERVER
        ldap admin dn = cn=xxxxxxxxxxxx,ou=xxxxx,dc=xxxx,dc=xxxx
        security = user
        preferred master = yes
        ldap idmap suffix = ou=Idmap

This is all working well and if I do "id userx" I get all the groups the user 
belongs to.

My problem is that Samba is not getting all the groups that a user belongs to. In fact 
I'm only getting the group that is defined in the sambaPrimaryGroupSID, so 
I'm wondering whether I'm missing something; I just don't know what.

What can I do to make Samba get all the groups that a user belongs to?
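An added check, not part of the message above: a small Python script that parses LDIF entries shaped like the ones in the post, lists the POSIX groups a user belongs to (through gidNumber, memberUid and member), and reports which of those groups also carry the sambaGroupMapping object class with a sambaSID. Samba 3's ldapsam only treats a POSIX group as a domain group when such a mapping entry exists (the same mapping that `net groupmap` manages), so a group that `id` shows but Samba does not will appear here as unmapped. The LDIF is constructed from the post's entries; the userx account and group3 (a group that does carry a mapping, for contrast) are assumed for illustration and the SID suffixes are made up.

```python
"""Audit which of a user's POSIX groups are also mapped as Samba groups."""
from typing import Dict, List

# Constructed sample: userx plus the post's group1/group2, and an assumed
# group3 that carries a sambaGroupMapping entry for comparison.
SAMPLE_LDIF = """
# userx, People, local.loc
dn: uid=userx,ou=xxxxx,dc=xxxx,dc=xxxx
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uidNumber: 1502
gidNumber: 1000
cn: userx
uid: userx
sambaSID: S-1-5-21-399272150-696482500-2462376985-1502
sambaPrimaryGroupSID: S-1-5-21-399272150-696482500-2462376985-1000

dn: cn=group1,ou=Groups,dc=xxxx,dc=xxxx
objectClass: posixGroup
objectClass: groupOfNames
objectClass: top
cn: group1
gidNumber: 1000
member: uid=userx,ou=xxxxx,dc=xxxx,dc=xxxx
member: uid=usery,ou=xxxxx,dc=xxxx,dc=xxxx
memberUid: userx
memberUid: usery

dn: cn=group2,ou=Groups,dc=xxxx,dc=xxxx
objectClass: posixGroup
objectClass: groupOfNames
objectClass: top
cn: group2
gidNumber: 1001
member: uid=userx,ou=xxxxx,dc=xxxx,dc=xxxx
memberUid: userx

dn: cn=group3,ou=Groups,dc=xxxx,dc=xxxx
objectClass: posixGroup
objectClass: groupOfNames
objectClass: sambaGroupMapping
objectClass: top
cn: group3
gidNumber: 1002
member: uid=userx,ou=xxxxx,dc=xxxx,dc=xxxx
sambaSID: S-1-5-21-399272150-696482500-2462376985-1002
sambaGroupType: 2
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank line ends an entry, '#' lines are comments,
    a leading space continues the previous value. Base64 ('::') values are
    not decoded, which is fine for the attributes audited here."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
                current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:  # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def groups_for_user(entries, uid: str) -> Dict[str, Dict[str, object]]:
    """Return {cn: details} for every posixGroup the user is in, recording
    whether the group also has a sambaGroupMapping object class and sambaSID."""
    users = [e for e in entries if e.get("uid", [None])[0] == uid]
    if not users:
        raise KeyError(f"no entry with uid={uid}")
    user = users[0]
    user_dn = user["dn"][0].lower()
    primary_gid = user["gidNumber"][0]
    report: Dict[str, Dict[str, object]] = {}
    for e in entries:
        classes = e.get("objectClass", [])
        if "posixGroup" not in classes:
            continue
        member_dns = [m.lower() for m in e.get("member", [])]
        if (uid in e.get("memberUid", []) or user_dn in member_dns
                or e["gidNumber"][0] == primary_gid):
            report[e["cn"][0]] = {
                "gid": e["gidNumber"][0],
                "sambaSID": e.get("sambaSID", [None])[0],
                "mapped": "sambaGroupMapping" in classes,
            }
    return report


def audit_user(ldif_text: str, uid: str) -> Dict[str, Dict[str, object]]:
    return groups_for_user(parse_ldif(ldif_text), uid)


def unmapped_groups(report: Dict[str, Dict[str, object]]) -> List[str]:
    """Groups visible to POSIX (id) but invisible to Samba's ldapsam."""
    return [cn for cn, d in report.items() if not d["mapped"]]


if __name__ == "__main__":
    rep = audit_user(SAMPLE_LDIF, "userx")
    for cn, d in rep.items():
        print(f"{cn}: gid={d['gid']} sambaSID={d['sambaSID']} mapped={d['mapped']}")
    print("unmapped:", unmapped_groups(rep))
```

Run against a real dump (`slapcat` or `ldapsearch -LLL` output) the script lists, per user, exactly the groups Samba cannot see; on the post's two groups it reports both as unmapped, while the assumed group3 is the shape a mapped group takes.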

