[Samba] Using LDAP and Unix Group Group Mappings
Edmundo Valle Neto
edmundo.valle at terra.com.br
Wed Jul 18 21:33:27 GMT 2007
Svancara, Randall wrote:
> Hello all,
> I could not find anything in the discussion groups or documentation
> about using LDAP and Unix group mappings.
> The documentation states that in order to map unix groups to samba
> groups, you need to use the net group add command. However, I have an
> ldap backend and all my groups that I care about are in LDAP.
Yes, it states that, but in all examples a tdbsam backend is used, not ldap.
> So I have a group called mainwdev.
> dn: cn=test,ou=Group,dc=somewhere,dc=com
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> sambaSID: S-1-5-21-582185903-2148186938-2210701745-801
> sambaGroupType: 2
> objectClass: top
> cn: test
> gidNumber: 801
> memberUid: user1
> memberUid: user2
> memberUid: user3
> memberUid: user4
> memberUid: user5
> memberUid: user6
> Now, if I run "net groupmap list", I can see the group mapping as
> test (S-1-5-21-582185903-2148186938-2210701745-801) -> test
> But when I attempt to log onto a share that only allows anyone that
> belongs to the group test (say user1), I get permission denied errors.
It should be another problem not related to group mapping.
> Do I still have to run "net group map" command to establish a
> relationship between unix and samba groups?
No. When using ldap, the objectClass sambaGroupMapping represents the
relationship of the UNIX and NT groups (that in ldap are stored normally
in the same dn, and almost all tools create the accounts that way by
You can use "net groupmap" with ldap when you have UNIX and NT groups in
different places (let's suppose that you have a container for UNIX groups
and another for NT groups), and it works, but normally nobody creates
groups that way unless they have a good reason.
Edmundo Valle Neto
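
The point made in the reply above, that with an LDAP backend the sambaGroupMapping objectClass on the group entry is itself the UNIX-to-NT mapping, can be checked offline against an LDIF export of the group container. This is an added example, not part of the original post or of Samba; the function names, the second "unmapped" group and the required-attribute list (taken from the sambaGroupMapping class in the Samba LDAP schema) are assumptions of the example.

```python
import re
# Constructed sample: the entry quoted in the thread (member list shortened)
# plus a made-up group "unmapped" that lacks the Samba auxiliary class.
SAMPLE_LDIF = """\
dn: cn=test,ou=Group,dc=somewhere,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-582185903-2148186938-2210701745-801
sambaGroupType: 2
cn: test
gidNumber: 801
memberUid: user1

dn: cn=unmapped,ou=Group,dc=somewhere,dc=com
objectClass: posixGroup
cn: unmapped
gidNumber: 802
memberUid: user1
"""

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")  # generic SID syntax only
REQUIRED = ("gidnumber", "sambasid", "sambagrouptype")  # MUST attrs of the class

def parse_ldif(text):
    """Parse plain LDIF (no base64 values, no folded lines) into dicts of lists."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def mapping_problems(entry):
    """List what keeps this entry from being a complete UNIX<->NT group mapping."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    problems = [f"objectClass {c} missing" for c in ("posixGroup", "sambaGroupMapping")
                if c.lower() not in classes]
    problems += [f"{a} missing" for a in REQUIRED if not entry.get(a)]
    if entry.get("sambasid") and not SID_RE.match(entry["sambasid"][0]):
        problems.append("sambaSID malformed")
    return problems

def audit(text, uid):
    """Map each group cn to (mapping problems, whether uid is listed in memberUid)."""
    return {e["cn"][0]: (mapping_problems(e), uid in e.get("memberuid", []))
            for e in parse_ldif(text) if "cn" in e}
```

For the thread's entry, `audit(SAMPLE_LDIF, "user1")["test"]` returns no mapping problems and confirms membership, which is consistent with the reply's view that the permission denied error has another cause.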