Re: [Samba] Description of LDAP-attribute sambaSIDList

Fri, 22 Apr 2005 20:29:29 -0700 

Daniel Wilson wrote:

So does this mean that everyone for example in GroupA could then also be a member of GroupB if you added GroupA's SID into GroupB's sambaSIDList...if so this would help us out soooo much as then we dont need to keep adding people into multiple groups!

Yes, it does mean that. But this has also (always) been possible with Posix groups (a group can be a member of another group), for Unix/Linux groups. In this case, Hallvor Engen is saying that for Windows groups it can be done with group SIDs. I do it for OpenLDAP with Posix groups and MemberUid instead for Samba and that works just as well - where there's already a Posix group..

could you give me the syntax so i can update my schema file (were using Sun Directory Server 5.2 as our LDAP backend...)

I'm not sure what you mean by "syntax". A group-mapping for the Posix group domadm might look like:

dn: cn=domadm,ou=groups,ou=smb,dc=billy,dc=demon,dc=nl
memberUid: Administrator
memberUid: root
memberUid: billy
memberUid: tonni
description: Local Unix group
objectClass: top
objectClass: posixGroup
objectClass: uidObject
objectClass: sambaGroupMapping
uid: domadm
cn: domadm
sambaGroupType: 2
sambaSID: S-1-5-21-18666911-1472750480-3707222013-512
gidNumber: 5004
displayName: Domain Admins
sambaSIDList: S-1-5-21-18666911-1472750480-3707222013-3001

where the value for the multi-value attribute sambaSIDList (there can be more than one attribute with different values) might be the SID for the Windows group "Administrative Staff". That might be a pure Windows group and not be present as a Posix group.

This ldif (in the form above) would most probably not be possible to generate on sites using the idealx scrips; I don't. And everybody would be far better off if they got and compiled GQ and played around with it, then they'd see this for themselves ;).

--Tonni

--

mail: [EMAIL PROTECTED]
http://www.billy.demon.nl

They love us, don't they, They feed us, won't they ...
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Reply via email to