[Samba] LDAP + Samba4(AD) + SSH

Guilherme Boing kolt+samba at frag.com.br
Mon Aug 24 14:09:58 UTC 2015


Hey,

By "through LDAP" I meant that our Linux servers would look for the users
using pam_ldap.

Anyway, I was able to "fix" this by mapping gidNumber to gidNumber instead
of primaryGroupID in nslcd.conf.

$ id
uid=10000(Guilherme) gid=10001(it) grupos=10001(it)


On Fri, Aug 21, 2015 at 4:28 PM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> On 21/08/15 20:08, Guilherme Boing wrote:
>
>> Hello,
>>
>> I want my domain users to be able to connect to our Linux servers using
>> their AD username through LDAP.
>>
>
> What do you mean 'through LDAP'?
>
>
>> I am using nslcd and pam_ldap to do so, but I am having a hard time
>> trying to figure out why the GID is not working properly.
>>
>> # getent passwd Guilherme
>> Guilherme:*:10000:*513*:Guilherme:/home/Guilherme:/bin/bash
>>
>> # getent group|grep 513
>>
>> # id Guilherme
>> uid=10000(Guilherme) gid=513 grupos=513,10001(it),10000(Domain Users)
>>
>> /etc/nslcd.conf: (bind not included)
>> filter  passwd  (objectClass=user)
>> filter  group   (objectClass=group)
>>
>> map     passwd  uid                sAMAccountName
>> map     passwd  homeDirectory      unixHomeDirectory
>> map     passwd  gecos              displayName
>> map     passwd  gidNumber          primaryGroupID
>> map     group   uniqueMember       member
>>
>> I know that 513 should mean "Domain Users" from ADUC. However, "Domain
>> Users" has the "UNIX Attributes" configuration of GID=10000.
>>
>
> How do you 'know' 513 should mean "Domain Users"?
> 513 is the RID of "Domain Users" and by your own admission "Domain Users"
> has the gidNumber of 10000
> RID does not necessarily equal gidNumber
>
>
>> # getent group|grep 10000
>> Domain Users:*:10000:
>>
>> Should I change the UNIX Attributes ID of Domain Users to 513?
>> What am I doing wrong?
>>
>> Thanks
>>
>
> You can if you so wish, but you will need to 'chgrp' anything stored on
> Unix owned by the "Domain Users" group.
>
> Rowland
>


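Added example (not part of the original thread): a Python check for the two symptoms discussed above, an nslcd.conf `map` line that feeds the AD `primaryGroupID` (a RID) into `gidNumber`, and passwd entries whose primary GID resolves to no group. The sample inputs are constructed from the output quoted in the thread, and the function names are hypothetical.

```python
# Constructed sample data, based on the nslcd.conf and getent/id output quoted in the thread.
NSLCD_CONF = """\
filter  passwd  (objectClass=user)
filter  group   (objectClass=group)
map     passwd  uid                sAMAccountName
map     passwd  homeDirectory      unixHomeDirectory
map     passwd  gecos              displayName
map     passwd  gidNumber          primaryGroupID
map     group   uniqueMember       member
"""
GETENT_PASSWD = "Guilherme:*:10000:513:Guilherme:/home/Guilherme:/bin/bash\n"
GETENT_GROUP = "it:*:10001:\nDomain Users:*:10000:\n"


def rid_mapped_as_gid(conf_text):
    """Return (lineno, line) for each 'map passwd gidNumber primaryGroupID' line."""
    hits = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comment line
        fields = line.split()
        if len(fields) == 4 and fields[0].lower() == "map":
            _, db, attr, target = (f.lower() for f in fields)
            if (db, attr, target) == ("passwd", "gidnumber", "primarygroupid"):
                hits.append((no, line.strip()))
    return hits


def unresolved_primary_gids(passwd_text, group_text):
    """Return (user, gid) pairs whose primary GID has no matching group entry."""
    known = set()
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            known.add(int(parts[2]))
    missing = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4 and parts[3].isdigit() and int(parts[3]) not in known:
            missing.append((parts[0], int(parts[3])))
    return missing


if __name__ == "__main__":
    for no, line in rid_mapped_as_gid(NSLCD_CONF):
        print(f"nslcd.conf:{no}: AD RID used as POSIX GID: {line}")
    for user, gid in unresolved_primary_gids(GETENT_PASSWD, GETENT_GROUP):
        print(f"{user}: primary gid {gid} does not resolve to any group")
```

On a live host the two text inputs would come from `getent passwd` and `getent group`; files created by an account with an unresolved primary GID are owned by a numeric group no directory entry describes.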