[Samba] Using LDAP and Unix Group Group Mappings

Adam Tauno Williams adamtaunowilliams at gmail.com
Wed Jul 18 20:38:05 GMT 2007


On Wed, 2007-07-18 at 09:10 -0700, Randall Svancara wrote:
> On Wed, 2007-07-18 at 11:48 -0400, Adam Tauno Williams wrote:
> > > I could not find anything in the discussion groups or documentation
> > > about using LDAP and Unix group mappings.
> > > The documentation states that in order to map unix groups to samba
> > > groups, you need to use the net group add command.  However, I have an
> > > ldap backend and all my groups that I care about are in LDAP.
> > It makes no difference; groups from LDAP presented via NSS are "unix
> > groups".
> > > So I have a group called mainwdev. 
> > > dn: cn=test,ou=Group,dc=somewhere,dc=com
> > > objectClass: posixGroup
> > > objectClass: sambaGroupMapping
> > > sambaSID: S-1-5-21-582185903-2148186938-2210701745-801
> > > sambaGroupType: 2
...
> #getent group test
>  test::801:user1,user2,user3,user4,user5,user6
> 
> user1 clearly is being recognized by ldap, otherwise it would not show
> up in getent. 
> > > Do I still have to run "net group map" command to establish a
> > > relationship between unix and samba groups?
> > Looks like you already did.
> Actually, I did not run the net group add command.
> In the SID, you will notice that the group id (GID) 801 is appended to the
> end of the SID.  Is Samba smart enough to automatically recognize the
> relationship between the Unix groups and Samba groups via ldap?

No, SIDs do not work that way.

> Here is the stanza from the smb.conf I am trying to access:

> [Data]
>   comment               = "Data files"
>   path                  = /path/somewhere
>   browseable            = yes
>   read only             = no
>   guest ok              = no
>   force create mode     = 0660
>   force directory mode  = 0770
>   force group           = test 
>   valid users           = @test
> Will this even work?

Sure, we've got dozens of shares set up this way.

(a) Do things properly, use the tools (like the "net" command).  You
have to honor the mechanics of Windows networking; you can't just
make up SIDs.

(b) Check your versions; how Winbind and smb.conf treat groups changed
somewhat in recent versions (> 3.0.23?).  Might be worth trying "valid
users = +test".


-- 
Adam Tauno Williams, Network & Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org
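As an added example, not from the thread or the Samba project: a small Python audit that inspects an LDAP sambaGroupMapping entry the way the answer implies Samba does, by the SID's domain prefix and group type rather than by the GID. The entry below copies the one quoted above; the domain SID constant and the gidNumber attribute are assumed values, not something the original post showed.

```python
import re

# Constructed sample entry (gidNumber is assumed; the post elided it).
SAMPLE_LDIF = """dn: cn=test,ou=Group,dc=somewhere,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 801
sambaSID: S-1-5-21-582185903-2148186938-2210701745-801
sambaGroupType: 2
"""

# Assumed local domain SID, i.e. what `net getlocalsid` would report.
DOMAIN_SID = "S-1-5-21-582185903-2148186938-2210701745"

# A domain-style SID: S-1-5-21-<a>-<b>-<c>-<rid>
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}."""
    entry = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        entry.setdefault(key.strip(), []).append(value.strip())
    return entry


def audit_group_mapping(entry, domain_sid):
    """Return a list of findings; an empty list means the mapping looks sane."""
    findings = []
    sid = entry.get("sambaSID", [None])[0]
    if sid is None or not SID_RE.match(sid):
        return ["sambaSID missing or malformed"]
    prefix, rid = sid.rsplit("-", 1)
    if prefix != domain_sid:
        findings.append("SID prefix does not match the local domain SID")
    if entry.get("sambaGroupType", [None])[0] != "2":
        findings.append("sambaGroupType is not 2 (domain group)")
    gid = entry.get("gidNumber", [None])[0]
    if gid is not None and rid == gid:
        # Samba derives nothing from the GID; a RID equal to the GID
        # usually means the SID was typed by hand, not via 'net groupmap add'.
        findings.append("RID equals gidNumber: mapping looks hand-made")
    if "posixGroup" not in entry.get("objectClass", []):
        findings.append("missing posixGroup: NSS will not expose this group")
    return findings
```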
