[Samba] Samba+LDAP Group mapping

Maros Kollar maros at zsi.at
Mon Dec 10 10:31:34 GMT 2007

I'm running into weird problems after switching from tdbsam to ldapsam
user backend. I have transferred all local unix and samba groups with the
sambaldap-tools scripts. The 'net groupmap list' command prints all
group mappings correctly, and I also can use all the groups present in
LDAP for setting local file ownerships.

However these groups don't appear in the windows security setting
dialogues (e.g. for setting file permissions or matching local groups
with domain groups). All I get is a list of users. Even the built-in
groups like 'Domain Administrators', 'Replicator Operators', ... are

I'm running the current Debian stable samba and open ldap.


LDIF from ldap (just one group as an example):
dn: cn=Domain Admins, ou=Groups, dc=hui, dc=net
sambaSID: S-1-5-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxx-512
gidNumber: 512
memberUid: administrator
displayName: Domain Admins
sambaGroupType: 2
description: Netbios Domain Administrators
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins

The relevant parts of the smb.conf:
        workgroup = HUINET
        domain logons = Yes
        obey pam restrictions = Yes
        null passwords = no
        passwd program = /usr/sbin/smbldap-passwd "%u"
        passwd chat = "...."
        ldap password sync = yes
        passdb backend = ldapsam:ldap://
        ldap admin dn = cn=samba,ou=DSA,dc=hui,dc=net
        ldap suffix = dc=hui,dc=net
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Computers
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        ldap delete dn = no
        delete user script = /usr/sbin/smbldap-userdel "%u"
        delete user script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x
"%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g "%u"

More information about the samba mailing list