On Sunday 11 April 2004 14:25, you wrote:
> Wim Bakker wrote:
> > Hello,
> >
> > I try to add a domain group to samba + ldap with the following command:
> >
> > slapadd -v -l g.ldif
> > content of g.ldif:
> > --
> > dn: cn=Domain Admins,dc=ahm,dc=nl
> > cn: Domain Admins
> > objectClass: sambaGroupMapping
> > sambaSID: S-1-5-21-4269728302-1655870493-3894479995-512
> > sambaGroupType: Domain
> > --
> > and slapadd returns with:
> > could not parse entry (line=6)
> >
> > what is wrong here?
> > The reference guide states only that it is the responsibility
> > of the administrator to add the essential Domain Groups (page 154)
> > but fails to mention how to (rather funny for an official how-to book).
> > As this book also fails to explain the meaning/values of sambaGroupType
> > and how they relate I am a bit at a loss here.
> >
> > TIA
> > Wim Bakker
>
> As a sidenote you need to add the posixAccount objectclass and related
> attributes as well, and all the objectclasses upon which posixAccount
> relies.
>

Yes, so it seems, I used

smbldap-groupadd -a -g 512 -o -r 512 -s S-1-5-21-4269728302-1655870493-3894479995-512 -t builtin "Domain Admins"

and now it is nicely added, slapcat:
---------------
dn: cn=Domain Admins,ou=Groups,dc=ahm,dc=nl
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 512
structuralObjectClass: posixGroup
entryUUID: da450b08-2002-1028-9366-cd900415d4ac
creatorsName: cn=Manager,dc=ahm,dc=nl
createTimestamp: 20040411125236Z
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-512
sambaGroupType: 5
entryCSN: 2004041112:52:36Z#0x0002#0#0000
modifiersName: cn=Manager,dc=ahm,dc=nl
modifyTimestamp: 20040411125236Z
---------------
still don't know what sambaGroupType is though.
From the samba-howto on http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html:

SID_NAME_USE_NONE = 0,/* NOTUSED */
SID_NAME_USER = 1, /* user */
SID_NAME_DOM_GRP = 2, /* domain group */
SID_NAME_DOMAIN = 3, /* domain: don't know what this is */
SID_NAME_ALIAS = 4, /* local group */
SID_NAME_WKN_GRP = 5, /* well-known group */
SID_NAME_DELETED = 6, /* deleted account: needed for c2 rating */
SID_NAME_INVALID = 7, /* invalid account */
SID_NAME_UNKNOWN = 8 /* oops. */

Is the number 5 for the sambaGroupType the SID_NAME_WKN_GRP?
So the samba type "builtin" translates to "SID_NAME_WKN_GRP"?
I deleted the group and added it again with:

smbldap-groupadd -a -g 512 -o -r 512 -s S-1-5-21-4269728302-1655870493-3894479995-512 -t domain "Domain Admins"

slapcat:

dn: cn=Domain Admins,ou=Groups,dc=ahm,dc=nl
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 512
structuralObjectClass: posixGroup
entryUUID: ec233b38-2007-1028-936b-cd900415d4ac
creatorsName: cn=Manager,dc=ahm,dc=nl
createTimestamp: 20040411132854Z
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-512
sambaGroupType: 2
entryCSN: 2004041113:28:54Z#0x0002#0#0000
modifiersName: cn=Manager,dc=ahm,dc=nl
modifyTimestamp: 20040411132854Z

Looks like it. But from that same site I see:

ntSid: S-1-5-21-298858960-1863792627-3661451959-512
ntGroupType: 2

Is ntSid the same as sambaSID and ntGroup the same as sambaGroupType?

Next, it is impossible to add users to this group:

#smbldap-groupmod.pl -m gerrit "Domain Admins"
#/usr/local/bin/smbldap-groupmod.pl: group Domain Admins not found!

but:

# smbldap-groupshow.pl "Domain Admins"
dn: cn=Domain Admins,ou=Groups,dc=ahm,dc=nl
objectClass: posixGroup,sambaGroupMapping
cn: Domain Admins
gidNumber: 512
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-512
sambaGroupType: 2

returns the group info, how's that?
and if I add the group wheel to ldap:

#smbldap-groupadd.pl -a -g 512 -o -t local "wheel"

and

#smbldap-groupmod.pl -m gerrit wheel

slapcat:

dn: cn=wheel,ou=Groups,dc=ahm,dc=nl
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: wheel
gidNumber: 512
structuralObjectClass: posixGroup
entryUUID: 2ad34a12-2003-1028-9367-cd900415d4ac
creatorsName: cn=Manager,dc=ahm,dc=nl
createTimestamp: 20040411125451Z
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-2025
sambaGroupType: 4
memberUid: gerrit
entryCSN: 2004041112:56:21Z#0x0001#0#0000
modifiersName: cn=Manager,dc=ahm,dc=nl
modifyTimestamp: 20040411125621Z

The user gerrit has been added, now why wheel yes, but "Domain Admins" no?
Also "net groupmap list" doesn't show anything. Is the net command anywhere
usable with a samba + ldap setup?

If I want a groupmapping from ntgroup "Domain Admins" to unixgroup wheel,
how do I do that then?
I gave the group "Domain Admins" the gid 512, gets that translated to the
unixgroup 512, being wheel?
Do I have to add the group wheel at all to ldap, as wheel already exists as
a local group? Yes I do because the user gerrit exists only in ldap.
Is the type "local" from the various samba types referring to a "local unix
group" or to a "local windows group on a machine"? Apparently not because the
type local gets sambaGroupType 4, and I assume that means SID_NAME_ALIAS,
being a local group on a windows ws. So where does the groupmapping happen?

TIA
Wim Bakker
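
Added example (not part of the original message, and not code from Samba or smbldap-tools): a small audit over slapcat-style output that decodes each sambaGroupType against the enum quoted in the message, extracts the RID from sambaSID, and reports any gidNumber carried by more than one group entry. The function names are hypothetical, and the parser assumes plain "attr: value" lines with no folded or base64 values.

```python
from collections import defaultdict

# SID name-use enum quoted in the message, indexed by numeric value.
SID_NAME_USE = ["SID_NAME_USE_NONE", "SID_NAME_USER", "SID_NAME_DOM_GRP",
                "SID_NAME_DOMAIN", "SID_NAME_ALIAS", "SID_NAME_WKN_GRP",
                "SID_NAME_DELETED", "SID_NAME_INVALID", "SID_NAME_UNKNOWN"]
# Sample input: the two slapcat entries from the message, trimmed.
SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=Groups,dc=ahm,dc=nl
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 512
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-512
sambaGroupType: 2

dn: cn=wheel,ou=Groups,dc=ahm,dc=nl
objectClass: sambaGroupMapping
cn: wheel
gidNumber: 512
sambaSID: S-1-5-21-4269728302-1655870493-3894479995-2025
sambaGroupType: 4
memberUid: gerrit
"""

def parse_ldif(text):
    """Yield one attribute -> [values] dict per blank-line-separated entry."""
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            if sep:
                entry[attr].append(value)
        yield entry

def audit_group_mappings(text):
    """Return (rows, shared gidNumbers); a non-enum sambaGroupType shows as INVALID."""
    rows, by_gid = [], defaultdict(list)
    for e in parse_ldif(text):
        if "sambaGroupMapping" not in e["objectClass"]:
            continue
        cn, gid, raw = e["cn"][0], e["gidNumber"][0], e["sambaGroupType"][0]
        known = raw.isdigit() and int(raw) < len(SID_NAME_USE)
        kind = SID_NAME_USE[int(raw)] if known else "INVALID:" + raw
        rid = int(e["sambaSID"][0].rsplit("-", 1)[1])  # RID = last SID component
        rows.append((cn, gid, rid, kind, e["memberUid"]))
        by_gid[gid].append(cn)
    return rows, {g: names for g, names in by_gid.items() if len(names) > 1}

if __name__ == "__main__":
    print(audit_group_mappings(SAMPLE_LDIF))
```

On the sample it lists "Domain Admins" (RID 512, SID_NAME_DOM_GRP) and "wheel" (RID 2025, SID_NAME_ALIAS) and reports that both carry gidNumber 512.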
