[Samba] How do you configure a NIS group?

Marc Muehlfeld mmuehlfeld at samba.org
Sun Oct 12 06:20:26 MDT 2014


On 12.10.2014 at 13:26, Rowland Penny wrote:
> OK, firstly you **never** modify the 'memberOf' attribute directly, AD
> will do it for you when you add/modify a user's 'member' attribute.

I guess you mean the _group's_ 'member' attribute.

Haven't tried that before. But you're right that AD manages the
backlinks internally and automatically. You can't make changes to the
'memberOf' attribute in a user DN. You have to make the changes in the
'member' attribute of the group DN.




> Secondly, what is wrong with using this ldif with ldbmodify:
> 
> dn: <users DN>
> changetype: modify
> add: member
> member: <group DN>

There's not really anything wrong in general, but the LDIF way provides
more room for doing it wrong and having trouble. :-)


Let's have a look at your example. If I try to import it, it would fail:

# cat example.ldif
dn: CN=demo01,CN=Users,DC=samdom,DC=example,DC=com
changetype: modify
add: member
member: CN=demoGroup,CN=Users,DC=samdom,DC=example,DC=com


# ldbmodify -H ldap://DC1 -U administrator example.ldif
Password for [SAMDOM\administrator]:
ERR: (Object class violation) "LDAP error 65 LDAP_OBJECT_CLASS_VIOLATION
-  <00002014: objectclass_attrs: attribute 'member' on entry
'CN=demo01,CN=Users,DC=samdom,DC=example,DC=com' does not exist in the
specified objectclasses!> <>" on DN
CN=demo01,CN=Users,DC=samdom,DC=example,DC=com at block before line 4
Modify failed after processing 0 records



1. The group membership in a user DN is stored in the attribute
'memberOf' not 'member'.
2. You can't add the memberOf attribute to a user DN. You have to add
the user DN to the 'member' attribute of the group.



# samba-tool group addmembers demoGroup demo01

This simple and short command adds the user to the group. Much less
work. No need to know all the member/memberOf, backlink, whatever
background stuff of Samba/AD. Why not do it the simple way? :-)



Regards,
Marc
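
Added example (not part of the original message and not Samba's own code): a Python sketch that writes the group-side LDIF described in points 1 and 2 above, putting the user DN into each group's 'member' attribute and never touching the user entry. The function names are hypothetical, the base64 handling for non-ASCII DNs follows RFC 2849, and the second user DN is constructed for illustration.

```python
import base64


def ldif_line(attr, value):
    """Format one LDIF line; RFC 2849 requires base64 ('::') for unsafe values."""
    safe = (value.isascii()
            and not value.startswith((" ", ":", "<"))
            and not value.endswith(" ")
            and not any(c in value for c in "\r\n\0"))
    if safe:
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def group_member_ldif(user_dn, group_dns, op="add"):
    """Build modify records against each *group* DN.

    The forward link 'member' lives on the group; the directory derives the
    user's 'memberOf' backlink itself, so the user entry is never written.
    """
    if op not in ("add", "delete"):
        raise ValueError("op must be 'add' or 'delete'")
    records = []
    for group_dn in group_dns:
        records.append("\n".join([
            ldif_line("dn", group_dn),
            "changetype: modify",
            f"{op}: member",
            ldif_line("member", user_dn),
            "-",
        ]))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    group = "CN=demoGroup,CN=Users,DC=samdom,DC=example,DC=com"
    # DNs taken from the message above
    print(group_member_ldif("CN=demo01,CN=Users,DC=samdom,DC=example,DC=com", [group]))
    # Constructed DN with a non-ASCII character: emitted as 'member:: <base64>'
    print(group_member_ldif("CN=Jörg,CN=Users,DC=samdom,DC=example,DC=com", [group]))
```

The output can be saved to a file and passed to ldbmodify in the same way as example.ldif above.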

