[Samba] Samba 4 posixGroup mapping

steve steve at steve-ss.com
Mon Feb 6 01:29:06 MST 2012

On 02/06/2012 07:19 AM, Gémes Géza wrote:
> On 2012-02-06 01:27, steve wrote:
>> Hi
>> I've created a Samba 4 group called suseusers and mixed in posixGroup
>> and gidNumber using samba-tool group add as a basis.
>> It works, e.g. when I added an existing user to the group:
>> getent group suseusers
>> suseusers:*:2000:
>> and
>> getent passwd steve4
>> steve4:x:3000019:2000:steve4:/home/CACTUS/steve4:/bin/bash
>> and
>> id
>> uid=3000019(steve4) gid=2000(suseusers) groups=2000(suseusers)
>> but there seems to be something wrong with getent group. A local group
>> gives this:
>> getent group users
>> users:x:100:machine
>> x, not *
>> This happens both on the Samba 4 machine and a client with its /home
>> directory on nfs4. The uid:gid mappings and permissions are perfect at
>> both ends:) But what is the difference between the group info coming
>> from Samba 4 and the group info coming from /etc/group? I'm sure that
>> this is an error on my part, but I can't force it into failing no
>> matter what I throw at it.
> For an answer we would need some configuration details, first of all
> nsswitch.conf, then depending on that maybe other files
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files dns
services:       files
protocols:      files
rpc:            files
ethers:         files
netmasks:       files

Ah, maybe this has something to do with it. For the user ldapmodify I

dn: cn=steve4,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: objectclass
objectclass: shadowaccount
-
add: uidnumber
uidnumber: 3000021
-
add: gidnumber
gidnumber: 2000
-
add: unixhomedirectory
unixhomedirectory: /home/CACTUS/steve2
-
add: loginshell
loginshell: /bin/bash

and for the group I have:

dn: cn=suseusers,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixGroup
-
add: gidnumber
gidnumber: 2000

uid nslcd-user
gid nslcd-user
uri ldap://
base dc=hh3,dc=site
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    shadow uid              sAMAccountName
#map    passwd gidNumber        gidNumber
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0

samba-tool group addmembers suseusers steve4

getent group suseusers
Comes out with the *

But steve4 comes out correctly, as a local user would:
getent passwd steve4

The only difference I see is that steve4 has a shadowaccount object which can't be mapped for the group (because it doesn't have one). Is there anything else here? Any other files needed?

In fact, I don't think I need shadowaccount mappings at all do I? Isn't that where the unix passwords are stored? But that's probably another thread.
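Added example, not part of the thread and not Samba or nslcd code: with `group: files ldap` the thread's `getent` output is the merged view of two sources, and the question that matters more than `x` versus `*` in the password field is whether the two sources agree on uid/gid ownership. Both `x` (password lives in gshadow) and `*` (no password) are placeholders meaning "no usable group password"; an empty field, an exposed hash, or the same uid/gid appearing in both `/etc/passwd` and the directory are the real problems. The script below parses passwd/group lines in `getent` format and reports those conditions; the sample lines are constructed (the `oldacct`, `opengrp` and `orphan` entries are invented to trigger findings), and `--live` runs it over the host's real NSS view.

```python
"""Sanity checks over merged NSS passwd/group data (nsswitch "files ldap").

Added example for this thread, not code from the original post or from
Samba/nslcd. The sample lines are constructed to resemble the getent
output shown above; run it against live data with --live.
"""
import subprocess
import sys
from collections import defaultdict

# Constructed sample data, loosely modelled on the thread's getent output.
# 'oldacct', 'opengrp' and 'orphan' are made up to trigger findings.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
machine:x:1000:100:machine:/home/machine:/bin/bash
steve4:x:3000019:2000:steve4:/home/CACTUS/steve4:/bin/bash
oldacct:x:3000019:100:stale local account:/home/oldacct:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:
users:x:100:machine
suseusers:*:2000:steve4
opengrp::2001:
orphan:x:2002:nobodyhere
"""

# Placeholder values meaning "no usable password here": 'x' (look in
# shadow/gshadow) and '*' or '!' (locked). Anything else is suspicious.
PLACEHOLDER_PW = {"x", "*", "!"}


def parse_passwd(text):
    """Parse passwd(5)-style lines into {name: fields}."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users[name] = {"pw": pw, "uid": int(uid), "gid": int(gid),
                       "gecos": gecos, "home": home, "shell": shell}
    return users


def parse_group(text):
    """Parse group(5)-style lines into {name: fields}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw, gid, members = line.split(":", 3)
        groups[name] = {"pw": pw, "gid": int(gid),
                        "members": [m for m in members.split(",") if m]}
    return groups


def check_nss(users, groups):
    """Return a list of (severity, message) findings.

    The checks target what goes wrong when two NSS sources are merged:
    a uid/gid present both locally and in the directory makes the kernel
    treat two different accounts as one identity on the filesystem.
    """
    findings = []

    by_uid = defaultdict(list)
    for name, u in users.items():
        by_uid[u["uid"]].append(name)
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append(("HIGH", f"uid {uid} shared by {names}"))

    by_gid = defaultdict(list)
    for name, g in groups.items():
        by_gid[g["gid"]].append(name)
    for gid, names in sorted(by_gid.items()):
        if len(names) > 1:
            findings.append(("HIGH", f"gid {gid} shared by {names}"))

    # A primary gid with no group entry shows up as a bare number in ls -l
    # and usually means the posixGroup side of the mapping is missing.
    for name, u in users.items():
        if u["gid"] not in by_gid:
            findings.append(("MEDIUM",
                             f"user {name}: primary gid {u['gid']} has no group entry"))

    for name, g in groups.items():
        if g["pw"] == "":
            findings.append(("HIGH",
                             f"group {name}: empty password field (expected x, * or !)"))
        elif g["pw"] not in PLACEHOLDER_PW:
            findings.append(("HIGH",
                             f"group {name}: password hash exposed through NSS"))
        for member in g["members"]:
            if member not in users:
                findings.append(("LOW",
                                 f"group {name}: member {member} has no passwd entry"))
    return findings


def getent(database):
    """Fetch a whole NSS database via getent(1): the merged view of all sources."""
    return subprocess.run(["getent", database], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    if "--live" in sys.argv:
        users, groups = parse_passwd(getent("passwd")), parse_group(getent("group"))
    else:
        users, groups = parse_passwd(SAMPLE_PASSWD), parse_group(SAMPLE_GROUP)
    for severity, message in check_nss(users, groups):
        print(f"{severity:6} {message}")
```

On the constructed sample this reports the shared uid 3000019, the empty password field on `opengrp`, and the dangling member of `orphan`; `suseusers:*:2000:` produces no finding, because `*` is a locked placeholder just as `x` is. Run with `--live` on both the Samba 4 host and the NFS client to confirm the two ends see the same uid/gid assignments, which is what the permissions on the exported home directories actually depend on.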
