[Samba] Samba PDC with groups in LDAP

Duncan Brannen dbb at st-andrews.ac.uk
Wed Aug 27 16:12:15 GMT 2008


To answer my own question, I had to use PADL's nss_ldap to make this work.

I'd thought with Solaris 9 and later I could get away with using the Sun libraries, but obviously not.

Hope this helps someone else.

Cheers
          Duncan


Duncan Brannen wrote:
>
> Hi All,
>          I'm wondering if anyone can shed some light on a problem I'm having.
>
> I have a Samba PDC with an LDAP backend. Keeping the smb.conf file constant:
>
> When I have /etc/nsswitch.conf configured with
>
> groups: files ldap
>
> Then
>
> /usr/local/samba/bin/net rpc user info dbb
>
> only returns my primary group.
>
> If I have /etc/nsswitch.conf configured with
>
> groups: files nis
>
> Then all my groups are shown when running the same net rpc command.
>
> In both cases,
>
> groups dbb
> and
> id -a dbb
>
> show all the groups I am a member of,
>
> getent group groupName shows the members of the group and
>
> /usr/local/samba/bin/net groupmap list provides a list of groups (from LDAP), eg
>
> Domain Users (S-1-5-21-440367617-1876916578-3462541782-513) -> Domain Users
> Domain Guests (S-1-5-21-440367617-1876916578-3462541782-514) -> Domain Guests
> Domain Computers (S-1-5-21-440367617-1876916578-3462541782-553) -> Domain Computers
> Domain Vagrants (S-1-5-21-440367617-1876916578-3462541782-554) -> Domain Vagrants
> Domain Sidekicks (S-1-5-21-440367617-1876916578-3462541782-590) -> Domain Sidekicks
> Domain Admins (S-1-5-21-440367617-1876916578-3462541782-512) -> domadm
>
> The group objects in LDAP look like
>
> dn: cn=<groupName>,ou=Groups,dc=st-andrews,dc=ac,dc=uk
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: <Number>
> cn: <groupName>
> memberUid: user1
> memberUid: user2
> memberUid: ...
> description: Some Descriptive Term Here
> sambaSID: S-1-5-21-xxx-yyy-zzz-<gidNumber>
> sambaGroupType: 2
> displayName: Whatever
>
> where S-1-5-21-xxx-yyy-zzz is our domain SID
>
> Watching the LDAP logs, when I run net rpc user info dbb,
>
> samba looks up all the groups root is in (&(objectClass=sambaGroupMapping)(gidNumber=...)),
> for sambaSID=S-1-5-32-544 and 545, then for a whole bunch of sambaSIDLists (I have none set up)
> or sambaGroupMapping,sambaGroupType=4
>
> It then looks up my account, searches for my primary group both by its gidNumber and then by its sambaSID, and then it stops.
>
> Is there extra configuration needed for looking up groups in LDAP? It feels like an OS issue, but the OS commands seem to return the correct output.
>
> OS is Solaris 10 sparc.  Samba versions are 3.0.23c and 3.2.1
>
>
> Thanks,
>             Duncan
>


-- 
The University of St Andrews is a charity registered in Scotland : No SC013532
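The two views Duncan compares come from different places: `groups`/`id -a` are answered by NSS (posixGroup gidNumber and memberUid), while `net groupmap list` is answered by the sambaGroupMapping attributes on the same objects. The script below is an added example, not code from the thread or from Samba: it parses a constructed LDIF dump of group objects shaped like the one quoted above, derives both views, and flags objects Samba will not treat as domain groups. The three sample groups and the `ou=Groups,dc=example,dc=com` suffix are made up; the domain SID is the one visible in the quoted groupmap output.

```python
from collections import defaultdict

# Domain SID as it appears in the groupmap output quoted in the thread.
DOMAIN_SID = "S-1-5-21-440367617-1876916578-3462541782"

# Constructed sample LDIF (not from the thread): two mapped groups and one
# plain posixGroup that Samba cannot map to an NT group.
SAMPLE_LDIF = """\
dn: cn=Domain Users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
memberUid: dbb
memberUid: user2
sambaSID: S-1-5-21-440367617-1876916578-3462541782-513
sambaGroupType: 2
displayName: Domain Users

dn: cn=domadm,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: domadm
memberUid: dbb
sambaSID: S-1-5-21-440367617-1876916578-3462541782-512
sambaGroupType: 2
displayName: Domain Admins

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
gidNumber: 1000
cn: staff
memberUid: dbb
memberUid: user2
"""


def parse_ldif(text):
    """Return a list of entries, each mapping attribute -> list of values.
    Handles multi-valued attributes and LDIF folded lines (leading space)."""
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = None, None
            continue
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]  # continuation of previous value
            continue
        attr, _, value = raw.partition(": ")
        if current is None:
            current = defaultdict(list)
        current[attr].append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def unix_groups(entries, uid, primary_gid):
    """The OS view (`id -a uid`, `groups uid`): the primary group by gidNumber
    plus every posixGroup that lists uid in memberUid."""
    names = set()
    for e in entries:
        if "posixGroup" not in e.get("objectClass", []):
            continue
        gid = e.get("gidNumber", [None])[0]
        if gid == str(primary_gid) or uid in e.get("memberUid", []):
            names.add(e["cn"][0])
    return sorted(names)


def groupmap_lines(entries):
    """The Samba view, rendered like `net groupmap list`:
    'NT name (SID) -> unix group' where NT name is displayName and unix group is cn."""
    lines = []
    for e in entries:
        if "sambaGroupMapping" not in e.get("objectClass", []):
            continue
        nt_name = e.get("displayName", e["cn"])[0]
        lines.append(f"{nt_name} ({e['sambaSID'][0]}) -> {e['cn'][0]}")
    return lines


def check_mappings(entries, domain_sid=DOMAIN_SID):
    """Flag group objects this PDC will not treat as its own domain groups."""
    problems = []
    for e in entries:
        cn = e["cn"][0]
        if "sambaGroupMapping" not in e.get("objectClass", []):
            problems.append(f"{cn}: posixGroup without sambaGroupMapping (no NT group)")
            continue
        sid = e["sambaSID"][0]
        if not sid.startswith(domain_sid + "-"):
            problems.append(f"{cn}: sambaSID {sid} is not under domain SID {domain_sid}")
        if e.get("sambaGroupType", [""])[0] != "2":
            problems.append(f"{cn}: sambaGroupType is not 2 (domain group)")
    return problems


if __name__ == "__main__":
    groups = parse_ldif(SAMPLE_LDIF)
    print("OS view (id -a dbb):", unix_groups(groups, "dbb", 513))
    print("Samba view (net groupmap list):")
    for line in groupmap_lines(groups):
        print("  " + line)
    for problem in check_mappings(groups):
        print("WARN", problem)
```

Run it against `ldapsearch -LLL -b ou=Groups,... '(objectClass=posixGroup)'` output instead of the sample to compare what NSS should return for a user with what Samba can map; a group present in the first list but missing from the second is a posixGroup with no sambaGroupMapping.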
