[Samba] Samba PDC with groups in LDAP

Duncan Brannen dbb at st-andrews.ac.uk
Thu Aug 21 12:03:29 GMT 2008 

Hi All,
          I'm wondering if anyone can shed some light on a problem I'm 
having.

I have a samba PDC with an LDAP backend, keeping the smb.conf file constant,

When I have /etc/nsswitch.conf configured with

groups: files ldap

Then

/usr/local/samba/bin/net rpc user info dbb

only returns my primary group.

If I have /etc/nsswitch.conf configured with

groups: files nis

Then all my groups are shown when running the same net rpc command.

In both cases,

groups dbb
and
id -a dbb

show all the groups I am a member of,

getent group groupName shows the members of the group and

/usr/local/samba/bin/net groupmap list provides a list of groups (from 
LDAP) eg

Domain Users (S-1-5-21-440367617-1876916578-3462541782-513) -> Domain Users
Domain Guests (S-1-5-21-440367617-1876916578-3462541782-514) -> Domain 
Guests
Domain Computers (S-1-5-21-440367617-1876916578-3462541782-553) -> 
Domain Computers
Domain Vagrants (S-1-5-21-440367617-1876916578-3462541782-554) -> Domain 
Vagrants
Domain Sidekicks (S-1-5-21-440367617-1876916578-3462541782-590) -> 
Domain Sidekicks
Domain Admins (S-1-5-21-440367617-1876916578-3462541782-512) -> domadm

The group objects in LDAP look like

dn: cn=<groupName>,ou=Groups,dc=st-andrews,dc=ac,dc=uk
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: <Number>
cn: <groupName>
memberUid: user1
memberUid: user2
memberUid: ...
description: Some Descriptive Term Here
sambaSID: S-1-5-21-xxx-yyy-zzz-<gidNumber>
sambaGroupType: 2
displayName: Whatever

where S-1-5-21-xxx-yyy-zzz is our domain SID

Watching the ldap logs, when I run net/rpc usr info dbb,

samba looks up all the groups root is in 
(&objectClass=sambaGroupMapping)(gidNumber=...)),
for sambaSID=s-1-5-32-544 and 545, then for a whole bunch of 
sambaSIDLists (I have none setup)
or sambaGroupMapping,sambaGroupType=4

It then looks up my account, searches for my primary group both by its 
gidNumber, then by its
sambaSID, and then it stops.

Is there extra configuration need for looking up groups in ldap? It 
feels like an OS issue but the
OS commands seem to return the correct output.

OS is Solaris 10 sparc.  Samba versions are 3.0.23c and 3.2.1


Thanks,
             Duncan

-- 
The University of St Andrews is a charity registered in Scotland : No SC013532

More information about the samba mailing list