[Samba] Using LDAP and Unix Group Group Mappings

Edmundo Valle Neto edmundo.valle at terra.com.br
Wed Jul 18 21:33:27 GMT 2007

Svancara, Randall wrote:
> Hello all,
> I could not find anything in the discussion groups or documentation
> about using LDAP and Unix group mappings.  
> The documentation states that in order to map unix groups to samba
> groups, you need to use the net group add command.  However, I have an
> ldap backend and all my groups that I care about are in LDAP.

Yes, it states that, but in all examples a tdbsam backend is used, not ldap.

> So I have a group called mainwdev. 
> dn: cn=test,ou=Group,dc=somewhere,dc=com
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> sambaSID: S-1-5-21-582185903-2148186938-2210701745-801
> sambaGroupType: 2
> objectClass: top
> cn: test
> gidNumber: 801
> memberUid: user1
> memberUid: user2
> memberUid: user3
> memberUid: user4
> memberUid: user5
> memberUid: user6
> Now, if I run "net groupmap list", I can see the group mapping as
> follows.
> test (S-1-5-21-582185903-2148186938-2210701745-801) -> test
> But when I attempt to log onto a share that only allows anyone that
> belongs to the group test (say user1), I get permission denied errors.

It should be another problem not related to group mapping.

> Do I still have to run "net group map" command to establish a
> relationship between unix and samba groups?

No. When using ldap, the objectClass sambaGroupMapping represents the 
relationship of the UNIX and NT groups (that in ldap are stored normally 
in the same dn, and almost all tools create the accounts that way by 

You can use "net groupmap" with ldap when you have UNIX and NT groups in 
different places (let's suppose that you have a container for UNIX groups 
and another for NT groups), and it works, but normally nobody creates 
groups that way unless they have a good reason.

> Randall


Edmundo Valle Neto
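
As an added illustration (not part of the original message, and not Samba code), the Python below reads LDIF group entries like the one quoted above and reports whether each keeps the UNIX and NT group in the same dn through sambaGroupMapping. The second sample entry and the names `parse_ldif`, `classify` and `report` are constructed for this example.

```python
# Added example, not from the thread; the "unixonly" entry is constructed sample data.
SAMPLE_LDIF = """\
dn: cn=test,ou=Group,dc=somewhere,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-582185903-2148186938-2210701745-801
cn: test
gidNumber: 801
memberUid: user1

dn: cn=unixonly,ou=Group,dc=somewhere,dc=com
objectClass: posixGroup
cn: unixonly
gidNumber: 802
"""

def parse_ldif(text):
    # Simple LDIF reader: skips comments, joins folded lines, does not decode base64.
    entries, cur, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last:          # folded continuation line
            cur[last][-1] += raw[1:]
        elif not raw.strip():                     # blank line closes the entry
            entries += [cur] if cur else []
            cur, last = {}, None
        else:
            attr, _, value = raw.partition(":")
            last = attr.strip().lower()
            cur.setdefault(last, []).append(value.strip())
    return entries

def classify(entry):
    classes = {c.lower() for c in entry.get("objectclass", [])}
    posix, samba = "posixgroup" in classes, "sambagroupmapping" in classes
    if samba and not (entry.get("sambasid") and entry.get("gidnumber")):
        return "incomplete"                       # mapping class without SID or GID
    if posix and samba:
        return "mapped"                           # UNIX and NT group in the same dn
    return "unix-only" if posix else ("samba-only" if samba else "not-a-group")

def report(text):
    # cn -> (status, sambaSID, gidNumber, memberUid list)
    first = lambda e, k: (e.get(k) or [None])[0]
    return {first(e, "cn"): (classify(e), first(e, "sambasid"), first(e, "gidnumber"),
                             e.get("memberuid", [])) for e in parse_ldif(text)}

if __name__ == "__main__":
    print(report(SAMPLE_LDIF))
```

An entry reported as "mapped" should also appear in the output of "net groupmap list" with the same SID.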
