dn: cn=ntadmins,ou=Groups,dc=firerun,dc=net
cn: ntadmins
objectClass: top
objectClass: posixGroup
gidNumber: 1000
memberUid: root
memberUid: patrick
memberUid: bob
Can an LDAP user have a gidNumber of 0 and be a root user on a Unix machine?
Rob
Patrick wrote:
Rob,
Maybe I can shed some light on this for you. I have just set up a Samba PDC + LDAP machine here. For the group assignments to work you will still need to have a Unix group on the machine. So you use the normal method to add a Unix group in the LDAP directory. You can then add any users you want to that group. So, for example, I set up the following Unix group in LDAP:
# ntadmins, Groups, firerun, net
dn: cn=ntadmins,ou=Groups,dc=firerun,dc=net
cn: ntadmins
objectClass: top
objectClass: posixGroup
gidNumber: 1000
memberUid: root
memberUid: patrick
Then you will need to use the net tool to do a group mapping. First you will need to look up the SID of the domain, so you will use "net getlocalsid SID". Once you have the domain SID you will use the following command to map the Unix group to a domain group:
net groupmap add sid=<domain sid>-512 ntgroup="Domain Admins" unixgroup=ntadmins type=domain
That command will add the Samba group mapping attributes, and the ntadmins group will now be the Domain Admins group on Windows clients. Any users that are added to the ntadmins Unix group will be members of the Domain Admins group. To confirm the mapping just use "net groupmap list".
Patrick
Robert Rati wrote:
I'm a little weak on how the group assignments work with Samba and LDAP. The Samba HOWTO collection says to map each Domain Group to a UNIX system group, but if all authentication is done via LDAP (Unix and Windows) then do the groups still have to exist on the Samba Unix machine? Where do the RIDs fit into all this? I don't see a schema in LDAP for sambaGroup. Do I create the domain groups with the posixGroup schema and set their gid to a RID that will exist on the Windows machine (like 512 for Domain Admins)? Or do I just bypass the group mapping altogether and set a Domain Admins sambaPrimaryGroupSID to <SID>-512? Any help on this would be very helpful, as I think I'm confusing myself.
Rob
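The procedure Patrick describes (a posixGroup entry in LDAP, then a net groupmap entry tying it to a well-known domain RID, then a check with net groupmap list), written out as a script. This is an added example, not code from the list posting or from the Samba project. It assumes the base DN dc=firerun,dc=net from the thread, a hypothetical bind DN cn=Manager, and that ldapadd and net are only invoked when the script is run with --apply; the RID table covers the three built-in domain groups (512 Domain Admins, 513 Domain Users, 514 Domain Guests). As a guard of my own choosing, it refuses to emit a group with a gidNumber below 1000 (so never gidNumber 0, the root group) and warns when root is listed as a memberUid, since that user then also lands in the mapped Windows group.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from Samba itself).
# Generates the posixGroup LDIF and the matching "net groupmap add" command,
# and only touches the directory / Samba when run as: ./groupmap.sh --apply
set -eu

BASE_DN="dc=firerun,dc=net"   # taken from the thread
BIND_DN="cn=Manager,$BASE_DN" # assumption: hypothetical LDAP admin DN
MIN_GID=1000                  # design choice: refuse system gids, gid 0 included

# Well-known domain RIDs that Samba maps onto Windows built-in domain groups.
rid_for_ntgroup() {
  case "$1" in
    "Domain Admins") echo 512 ;;
    "Domain Users")  echo 513 ;;
    "Domain Guests") echo 514 ;;
    *) echo "unknown NT group: $1" >&2; return 1 ;;
  esac
}

# Emit one posixGroup LDIF entry.  Args: cn gidNumber memberUid...
make_group_ldif() {
  cn="$1"; gid="$2"; shift 2
  if [ "$gid" -lt "$MIN_GID" ]; then
    echo "refusing gidNumber $gid: below $MIN_GID (0 would be the root group)" >&2
    return 1
  fi
  printf 'dn: cn=%s,ou=Groups,%s\n' "$cn" "$BASE_DN"
  printf 'cn: %s\nobjectClass: top\nobjectClass: posixGroup\ngidNumber: %s\n' "$cn" "$gid"
  for uid in "$@"; do
    [ "$uid" = root ] && echo "warning: root will be a member of $cn" >&2
    printf 'memberUid: %s\n' "$uid"
  done
}

# Build the net groupmap command.  Args: domainSID "NT group" unixgroup
groupmap_cmd() {
  sid="$1"; ntgroup="$2"; unixgroup="$3"
  rid=$(rid_for_ntgroup "$ntgroup") || return 1
  printf 'net groupmap add sid=%s-%s ntgroup="%s" unixgroup=%s type=domain\n' \
    "$sid" "$rid" "$ntgroup" "$unixgroup"
}

# Apply the three steps for real only on explicit request.
if [ "${1:-}" = "--apply" ]; then
  # "net getlocalsid" prints "SID for domain X is: S-1-5-21-..."; keep the SID.
  DOMAIN_SID=$(net getlocalsid | sed 's/.*: //')
  make_group_ldif ntadmins 1000 root patrick | ldapadd -x -D "$BIND_DN" -W
  sh -c "$(groupmap_cmd "$DOMAIN_SID" "Domain Admins" ntadmins)"
  # Check the mapping the way the post suggests.
  net groupmap list | grep -F "Domain Admins" || { echo "mapping missing" >&2; exit 1; }
fi
```

Without --apply the script only prints nothing and defines the helpers, so you can source it and inspect `make_group_ldif ntadmins 1000 root patrick` or `groupmap_cmd "$SID" "Domain Admins" ntadmins` before anything is written to LDAP.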
