[Samba] gidNumber's and ldap backed samba PDC

Derek Werthmuller dwerthmu at ctg.albany.edu
Tue Mar 24 18:31:54 GMT 2009


Ok, I see. It appears that the LDAP entries that Samba needs in the directory
are under a different O, ou=groups,o=smb,dc=unav,dc=es for example.

dn: cn=Domain Admins,ou=groups,o=smb,dc=unav,dc=es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins 

Where my user/file system groups would be under traditional ldap entries
like:
dn: cn=usrgrp,ou=Group,dc=ct,dc=unav,dc=es
objectClass: posixGroup
objectClass: top
cn: usrgrp
userPassword:: e2NyexB0fX9g=
gidNumber: 512
creatorsName: cn=Manager, dc=ct,dc=unav,dc=es
createTimestamp: 20021007160601Z
modifiersName: cn=Manager,dc=ct,dc=unav,dc=es
modifyTimestamp: 20081205192619Z

Is this right?

Thanks
	Derek

-----Original Message-----
From: samba-bounces+dwerthmu=ctg.albany.edu at lists.samba.org
[mailto:samba-bounces+dwerthmu=ctg.albany.edu at lists.samba.org] On Behalf Of
Adam Tauno Williams
Sent: Tuesday, March 24, 2009 1:38 PM
To: 'samba at lists.samba.org'
Subject: Re: [Samba] gidNumber's and ldap backed samba PDC

On Tue, 2009-03-24 at 12:10 -0500, Derek Werthmuller wrote:
> In the planning process for migrating from NT4 PDC, and external ldap 
> directory to samba 3.2.8 PDC. The external existing openldap directory 
> is used currently to support the local uid mapping for the Linux 
> logins and samba file servers that are members of the current NT4 PDC.
> While looking at the existing openldap UIDs and GIDs in use and what 
> the samba PDC wants to use I see some uid/gid collisions.  For example 
> I see that the Domain Admins uses gid 512, just so happens to be the 
> same as a file system group (in the ldap directory).

No, it doesn't.  RID != GID.  A RID is a component of the SID and SIDs are
mapped to UIDs & GIDs.

> Is it better to change the users group gid and leave the samba domain 
> admins and such the way they are?

Not necessary.

> I suspect a small shell script can crawl the file system and replace 
> one gid for another if I were to change the users GID.
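
Added example, not part of the original thread or of Samba: a Python check that reads LDIF exported from both subtrees and reports every gidNumber carried by more than one posixGroup entry, the situation shown by the two entries quoted above. The sample LDIF is constructed from those entries plus one hypothetical non-colliding group; the function names are assumptions.

```python
from collections import defaultdict

# Constructed sample: the thread's two entries (trimmed) plus a hypothetical third.
SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=groups,o=smb,dc=unav,dc=es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins

dn: cn=usrgrp,ou=Group,dc=ct,dc=unav,dc=es
objectClass: posixGroup
cn: usrgrp
gidNumber: 512

dn: cn=staff,ou=Group,dc=ct,dc=unav,dc=es
objectClass: posixGroup
cn: staff
gidNumber: 600
"""

def parse_ldif(text):
    """Yield one {attr_lower: [values]} dict per entry; handles folded lines."""
    # LDIF folds long lines: a continuation line starts with one space.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            # "::" (base64) and ":<" (URL) markers are stripped, not decoded.
            entry[attr.strip().lower()].append(value.lstrip(":< ").strip())
        if "dn" in entry:
            yield entry

def gid_collisions(text):
    """Return {gidNumber: [dn, ...]} for gids used by more than one posixGroup."""
    by_gid = defaultdict(list)
    for entry in parse_ldif(text):
        classes = {c.lower() for c in entry["objectclass"]}
        if "posixgroup" in classes:
            for gid in entry["gidnumber"]:
                by_gid[int(gid)].append(entry["dn"][0])
    return {gid: dns for gid, dns in by_gid.items() if len(dns) > 1}

if __name__ == "__main__":
    for gid, dns in sorted(gid_collisions(SAMPLE_LDIF).items()):
        print(f"gidNumber {gid} is shared by:", *dns, sep="\n  ")
```

Concatenate the LDIF exports of both subtrees into one text before calling gid_collisions; a base64-encoded dn would be reported in its encoded form.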

