[Samba] RE: ldap secondary/auxillary groups not available

Montenegro, Michael H (Michael) mhm4 at alcatel-lucent.com
Wed Aug 13 14:44:05 GMT 2008

I believe there is a bug report on this issue.




From: Montenegro, Michael H (Michael) 
Sent: Tuesday, August 12, 2008 11:30 AM
To: 'samba at lists.samba.org'
Subject: ldap secondary/auxillary groups not available 



I have a samba 3.0.20 installation that authenticates users using ntlm
to a MS DC. The samba installation was correctly able to authenticate users
and map them to their unix uids and gids without an issue.  The solaris
box that samba was running on was also using NIS for its naming


I have recently migrated this machine that was using NIS for its naming
services to LDAP which is running on a separate server and running SUN
DSEE 6.2 ldap software. I did not modify any lines in the smb.conf and
all is working fine except that only the uid and primary gid are
available to the samba server.  Users can no longer rely on their
secondary unix assigned groups to access any shares that are restricted
to secondary groups via their unix group permissions. I expected the
samba software to be able to identify all of a user's groups since the
groups command accurately returns the correct listing of groups for a
user. I would like to maintain my authentication using ntlm to my MS DC
but have samba correctly identify all the groups a user belongs to. Is
there a sample smb.conf available for this?


I saw the post

It advised to make sure the nsswitch.conf uses ldap for groups and I
made sure mine is correct:



group:      files ldap
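
A diagnostic for the symptom described above, as an added example that is not part of the original post: it compares the supplementary groups returned by the per-user lookup (`getgrouplist`) with those found by enumerating every group entry through NSS. That the file server resolves a user's groups through the per-user lookup rather than enumeration is an assumption here, and the function names are illustrative.

```python
import grp
import os
import pwd


def groups_by_lookup(user, primary_gid, getgrouplist=os.getgrouplist):
    """GIDs from the per-user lookup path (a single 'groups of this user' query)."""
    return set(getgrouplist(user, primary_gid))


def groups_by_enumeration(user, primary_gid, getgrall=grp.getgrall):
    """GIDs found by walking every group entry and checking its member list."""
    gids = {primary_gid}
    for entry in getgrall():
        if user in entry.gr_mem:
            gids.add(entry.gr_gid)
    return gids


def compare_group_views(user, primary_gid, getgrouplist=os.getgrouplist,
                        getgrall=grp.getgrall):
    """Return the GIDs that each path reports and the other one misses."""
    looked_up = groups_by_lookup(user, primary_gid, getgrouplist)
    enumerated = groups_by_enumeration(user, primary_gid, getgrall)
    return {
        "missing_from_lookup": sorted(enumerated - looked_up),
        "missing_from_enumeration": sorted(looked_up - enumerated),
    }


if __name__ == "__main__":
    import sys
    # Default to the invoking account when no user name is given.
    name = sys.argv[1] if len(sys.argv) > 1 else pwd.getpwuid(os.getuid()).pw_name
    account = pwd.getpwnam(name)
    result = compare_group_views(name, account.pw_gid)
    print(name, result)
    if result["missing_from_lookup"]:
        # Enumeration sees memberships that the per-user query does not return.
        print("per-user lookup misses groups that enumeration finds; "
              "a service relying on that lookup will not grant them")
```

Run it on the file server itself with the affected user name as the argument; a non-empty `missing_from_lookup` list means the name service answers group enumeration but not the per-user membership query.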








