[Samba] How do you configure a NIS group?

Rowland Penny rowlandpenny at googlemail.com
Sun Oct 12 06:29:40 MDT 2014


On 12/10/14 13:20, Marc Muehlfeld wrote:
> On 12.10.2014 at 13:26, Rowland Penny wrote:
>> OK, firstly you **never** modify the 'memberOf' attribute directly, AD
>> will do it for you when you add/modify a user's 'member' attribute.
> I guess, you mean the _groups_ 'member' attribute.

OOPS, yes you are correct, I did mean 'group'

>
> Haven't tried that before. But you're right, that AD manages the
> backlinks internally automatically. You can't do changes in the 'memberOf'
> attribute in a user DN. You have to do the changes in the 'member'
> attribute of the group DN.
>
>
>
>
>> Secondly, what is wrong with using this ldif with ldbmodify:
>>
>> dn: <users DN>
>> changetype: modify
>> add: member
>> member: <group DN>
> There's not really something wrong in general, but the LDIF way provides
> more space for doing it wrong and having trouble. :-)
>

You mean like I did with mixing up <users DN> with <group DN> :-[
Must engage brain when typing

Other than that, there is nothing wrong with using ldbmodify and in 
fact, to do some things with samba4 it is the only way.

Rowland
> Let's have a look at your example. If I try to import it, it would fail:
>
> # cat example.ldif
> dn: CN=demo01,CN=Users,DC=samdom,DC=example,DC=com
> changetype: modify
> add: member
> member: CN=demoGroup,CN=Users,DC=samdom,DC=example,DC=com
>
>
> # ldbmodify -H ldap://DC1 -U administrator example.ldif
> Password for [SAMDOM\administrator]:
> ERR: (Object class violation) "LDAP error 65 LDAP_OBJECT_CLASS_VIOLATION
> -  <00002014: objectclass_attrs: attribute 'member' on entry
> 'CN=demo01,CN=Users,DC=samdom,DC=example,DC=com' does not exist in the
> specified objectclasses!> <>" on DN
> CN=demo01,CN=Users,DC=samdom,DC=example,DC=com at block before line 4
> Modify failed after processing 0 records
>
>
>
> 1. The group membership in a user DN is stored in the attribute
> 'memberOf' not 'member'.
> 2. You can't add the memberOf attribute to a user DN. You have to add
> the user DN to the 'member' attribute of the group.
>
>
>
> # samba-tool group addmembers demoGroup demo01
> This simple and short command adds the user to the group. Much less
> work. No need to know all the member/memberOf, backlink, whatever
> background stuff of Samba/AD. Why not do it the simple way? :-)
>
>
>
> Regards,
> Marc
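
The corrected form of the LDIF discussed in this thread, as an added example that is not part of either poster's message: the record's dn is the group and the member value is the user, using the DNs from the example.ldif quoted above.

```ldif
# Added example: membership is written on the group entry, not the user.
# 'memberOf' on the user is a backlink that AD/Samba maintains itself.
dn: CN=demoGroup,CN=Users,DC=samdom,DC=example,DC=com
changetype: modify
add: member
member: CN=demo01,CN=Users,DC=samdom,DC=example,DC=com
```

Applied with the same ldbmodify invocation quoted above, this adds demo01 to demoGroup, the same result as the samba-tool group addmembers command.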


