[Samba] Using LDAP and Unix Group Group Mappings

Randall Svancara rsvancara at wsu.edu
Wed Jul 18 16:10:20 GMT 2007 

On Wed, 2007-07-18 at 11:48 -0400, Adam Tauno Williams wrote:
> > I could not find anything in the discussion groups or documentation
> > about using LDAP and Unix group mappings.  
> > The documentation states that in order to map unix groups to samba
> > groups, you need to use the net group add command.  However, I have an
> > ldap backend and all my groups, that I care about are in LDAP.
> 
> It makes no difference;  groups from LDAP presented via NSS are "unix
> groups" 
> 
> > So I have a group called mainwdev. 
> > dn: cn=test,ou=Group,dc=somewhere,dc=com
> > objectClass: posixGroup
> > objectClass: sambaGroupMapping
> > sambaSID: S-1-5-21-582185903-2148186938-2210701745-801
> > sambaGroupType: 2
> > objectClass: top
> > cn: test
> > gidNumber: 801
> > memberUid: user1
> > memberUid: user2
> > memberUid: user3
> > memberUid: user4
> > memberUid: user5
> > memberUid: user6
> > Now, if I run "net groupmap list", I can see the group mapping as
> > follows.
> > test (S-1-5-21-582185903-2148186938-2210701745-801) -> test
> > But when I attempt to log onto a share that only allows anyone that
> > belongs to the group test (say user1), i get permission denied errors.
> 
> Are you running nscd?  Did you restart/stop it and do your test?  Always
> test with nscd disabled.  Does "id user1" show him/her in group "test"?

I have had these groups configured for a long time.  So they should be
cached by nscd already.  Never the less, I ran getent with the following
output.

#getent group test
 test::801:user1,user2,user3,user4,user5,user6

user1 clearly is being recognized by ldap, otherwise it would not show
up in getent.  

> 
> > Do I still have to run "net group map" command to establish a
> > relationship between unix and samba groups?
> 
> Looks like you already did.

Actually, I did not run the net group add command.  

In SID, you will notice that the group id (GID) 801 appended to the end
of the SID.  Is Samba smart enough to automatically recognize the
relationship between the Unix groups and Samba groups via ldap.

Here is the stanza from the smb.conf I am trying to access:

[Data]
  comment               = "Data files"
  path                  = /path/somewhere
  browseable            = yes
  read only             = no
  guest ok              = no
  force create mode     = 0660
  force directory mode  = 0770
  force group           = test 
  valid users           = @test

Will this even work?




> 
> -- 
> Adam Tauno Williams, Network & Systems Administrator
> Consultant - http://www.whitemiceconsulting.com
> Developer - http://www.opengroupware.org
>

More information about the samba mailing list