[Samba] Samba 4 posixGroup mapping

steve steve at steve-ss.com
Mon Feb 6 15:58:58 MST 2012

On 02/06/2012 08:10 PM, Gémes Géza wrote:
> 2012-02-06 09:29 keltezéssel, steve írta:
>> On 02/06/2012 07:19 AM, Gémes Géza wrote:
>>> 2012-02-06 01:27 keltezéssel, steve írta:
>>>> Hi
>>>> I've created a Samba 4 group called suseusers and mixed in posixGroup
>>>> and gidNumber using samba-tool group add as a basis.
>>>> It works, e.g. when I added an existing user to the group:
>>>> getent group suseusers
>>>> suseusers:*:2000:
>>>> and
>>>> getent passwd steve4
>>>> steve4:x:3000019:2000:steve4:/home/CACTUS/steve4:/bin/bash
>>>> and
>>>> id
>>>> uid=3000019(steve4) gid=2000(suseusers) groups=2000(suseusers)
>>>> but there seems to be something wrong with getent group. A local group
>>>> gives this:
>>>> getent group users
>>>> users:x:100:machine
>>>> x not  *
>>>> This happens both on the Samba 4 machine and a client with his /home
>>>> directory on nfs4. The uid:gid mappings and permissions are perfect at
>>>> both ends:) But what is the difference between the group info coming
>>>> from Samba 4 and the group info coming from /etc/group? I'm sure that
>>>> this is an error on my part, but I can't force it into failing no
>>>> matter what I throw at it.
>>>> Thanks,
>>>> Steve
>>> For an answer we would need some configuration details, first of all
>>> nsswitch.conf, then depending on that maybe other files
>>> Regards
>>> Geza
>> Hi
>> /etc/nsswitch.conf
>> passwd:         files ldap
>> group:          files ldap
>> shadow:         files ldap
>> hosts:          files mdns4_minimal [NOTFOUND=return] dns
>> networks:       files dns
>> services:       files
>> protocols:      files
>> rpc:            files
>> ethers:         files
>> netmasks:       files
>> Ah,  maybe this has something to do with it. For the user ldapmodify I
>> have:
>> dn: cn=steve4,cn=Users,dc=hh3,dc=site
>> changetype: modify
>> add: objectclass
>> objectclass: posixaccount
>> -
>> add: objectclass
>> objectclass: shadowaccount
>> -
>> add: uidnumber
>> uidnumber: 3000021
>> -
>> add: gidnumber
>> gidnumber: 2000
>> -
>> add:unixhomedirectory
>> unixhomedirectory: /home/CACTUS/steve2
>> -
>> add: loginshell
>> loginshell: /bin/bash
>> and for the group I have:
>> dn: cn=suseusers,cn=Users,dc=hh3,dc=site
>> changetype: modify
>> add: objectclass
>> objectclass: posixGroup
>> -
>> add: gidnumber
>> gidnumber: 2000
>> /etc/nslcd.conf:
>> uid nslcd-user
>> gid nslcd-user
>> uri ldap://
>> base dc=hh3,dc=site
>> map    passwd uid              sAMAccountName
>> map    passwd homeDirectory    unixHomeDirectory
>> map    shadow uid              sAMAccountName
>> #map    passwd gidNumber        gidNumber
>> sasl_mech GSSAPI
>> sasl_realm HH3.SITE
>> krb5_ccname /tmp/krb5cc_0
>> Then:
>> samba-tool group addmembers suseusers steve4
>> getent group suseusers
>> suseusers:*:2000:
>> Comes out with the *
>> But steve4 comes out correctly, as a local user would:
>> getent passwd steve4
>> steve4:x:3000019:2000:steve4:/home/CACTUS/steve4:/bin/bash
>> The only difference I see is that steve4 has a shadowaccount object
>> which can't be mapped for the group (because it doesn't have one). Is
>> there anything else here? Any other files needed?
>> In fact, I don't think I need shadowaccount mappings at all do I?
>> Isn't that where the unix passwords are stored? But that's probably
>> another thread.
>> Thanks,
>> Steve
> I'm ot sure but maybe you should change how nslcd.conf maps group
> memberships (by default it looks at membership expecting stock
> posixaccount and posixgroup objectclasses, while AD uses member and
> memberoff which are close but not the same).
> You can safely ignore anything shadowaccont related, because you would
> be better authenticating via kerberos anyway.
> Regards
> Geza
Hi Geza, hi everyone

This looks like good news.

I asked the nslcd author directly:

My question is, how do I extract the gid from the ldap? I've tried:
map group gid gidnumber

You shouldn't need to map the gidNumber attribute because nslcd already
uses that attribute by default. In any case if you're trying to find the
primary group of a user you should do:

   map passwd gidNumber XXX

(where XXX is the attribute in your LDAP server) The passwd map is what
defines the output of getent passwd, the group map defines the
information on groups.

That seems true. The posixGroup I defined is mapped without me doing anything in nslcd and
map passwd gidNumber gidNumber
would seem pointless as it's already got the gidNumber.

You are right about the shadowaccount. This also solves the x and *. I removed the objectclass shadowaccount from ldap and the map shadow uid from nslcd and hey:
getent passwd steve4

I interpret that as 'it's an x if there's a shadow entry, a * if there isn't'

This is getting to the stage where it's not worth waiting for a working winbind. i.e. leave the windows side as it is and go with nfs4 and rpc.idmapd for the the Linux side.

How difficult do you think it would be to script the adding of the user posix attributes after creating the s4 user? I envisage something like:
samba-tool user add steve --posix --defaultgroup=somegroup
Also, a startup script for samba4 and nslcd which I think should just be a 2 liner.


More information about the samba mailing list