[Samba] How do you configure a NIS group?

Rowland Penny rowlandpenny at googlemail.com
Sun Oct 12 02:10:31 MDT 2014


On 12/10/14 08:52, Marc Muehlfeld wrote:
> Hello John,
>
> On 12.10.2014 at 00:41, John Lewis wrote:
>> That doesn't do anything for me because I don't have a Windows machine
>> on my network. I need the name of the attribute so I can ldapmodify it.
> You shouldn't use ldapmodify for doing changes. Use samba-tool!
Hi Marc, sorry but I cannot agree with you. samba-tool is ok as far as
it goes, but it fails woefully when it comes to Unix attributes. If you
create a user with samba-tool it is a basic AD user; yes, you can add
basic Unix attributes, but **YOU** have to maintain the range of
uidNumbers & gidNumbers. If you add a user via ADUC, again you first
get a basic AD user, but then you can add the Unix attributes and when
you do, you get these:

uid
msSFU30Name
msSFU30NisDomain
uidNumber
gidNumber
loginShell
unixHomeDirectory
unixUserPassword

And the uidNumbers & gidNumbers are stored in AD using the attributes
Microsoft designed.

Rowland

>
> AD uses backlinks for storing group memberships. See
> http://www.frickelsoft.net/blog/?p=130
> for details about AD backlinks.
>
> If you use 'samba-tool', you are sure that everything is done right in
> your database and nothing gets corrupted by missing something or wrong
> usage.
>
>
>
>
>> I think I need these attributes defined memberUid memberNisNetgroup
>> defined, but I haven't figured out where on the directory tree yet.
> In the group DN, the following two attributes have to be added once, to
> enable it for the usage like mentioned in the Wiki nslcd documentation
> if you don't use ADUC:
>     msSFU30NisDomain: samdom
>     gidNumber: 12345
> Use 'ldbedit' for adding them.
>
>
> If you follow the documentation in the Wiki, then the group membership
> is taken from the AD groups, so you don't have to maintain the
> membership in two places (AD groups and Unix attributes group members).
>
> In the group DN, the 'member' attribute points to the user account:
> member: CN=demo01,CN=Users,DC=samdom,DC=example,DC=com
>
> In the user DN, the 'memberOf' attribute points to the group:
> memberOf: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
>
>
>
> Regards,
> Marc
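
When the Unix attributes are maintained by hand, as discussed above, two things can go wrong: a user carries a uidNumber but lacks other attributes from the ADUC list, or a uidNumber is reused or falls outside the allocated range. The following Python script is an added example (not part of the original thread and not Samba code) that audits an LDIF export for those cases; the ID range, the sample entries and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Attributes ADUC adds to a user, as listed in the message above.
USER_ATTRS = ["uid", "msSFU30Name", "msSFU30NisDomain", "uidNumber",
              "gidNumber", "loginShell", "unixHomeDirectory", "unixUserPassword"]
ID_RANGE = range(10000, 1000000)  # assumption: the range this site allocates from
# Constructed sample export: plain "attr: value" LDIF, no folding or base64.
BASE = "CN=Users,DC=samdom,DC=example,DC=com"
SAMPLE_LDIF = f"""\
dn: CN=demo01,{BASE}
objectClass: user
uidNumber: 10001
gidNumber: 12345

dn: CN=demo02,{BASE}
objectClass: user
uidNumber: 10001
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} from simple, unfolded LDIF."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                attrs[key].append(value)
        if attrs["dn"]:
            entries[attrs["dn"][0]] = attrs
    return entries

def audit(entries):
    """Return sorted (dn, problem) pairs for users that carry a uidNumber."""
    findings, owner = set(), {}
    for dn, e in entries.items():
        if "user" not in e["objectClass"] or not e["uidNumber"]:
            continue  # basic AD user without Unix attributes: nothing to check
        uid = e["uidNumber"][0]
        findings |= {(dn, f"missing {a}") for a in USER_ATTRS if not e[a]}
        if not uid.isdigit() or int(uid) not in ID_RANGE:
            findings.add((dn, f"uidNumber {uid} outside allocated range"))
        if owner.setdefault(uid, dn) != dn:
            findings.add((dn, f"uidNumber {uid} also on {owner[uid]}"))
    return sorted(findings)

if __name__ == "__main__":
    for dn, problem in audit(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {problem}")
```

Two accounts sharing a uidNumber are the same user to the Unix file system, so a duplicate is an access-control problem and not only a tidiness one.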


