Thu, 05.05.2005 at 21.34, Flatfender wrote:
> If I created local groups and users in /etc/passwd &
> /etc/groups I get farther along.
>
> For instance, if I have a Samba PDC with LDAP basically like I listed
> in my post. If I browse from a w2k pro box to the samba server
> without the workstation having joined the domain, I can authenticate
> to the samba server with a user who is not in /etc/passwd but is in
> LDAP. So samba is able to do the lookup via ldap.
>
> Now, if I create a posix group in ldap but not in /etc/group, I can
> not use "net groupmap modify" to modify the ntgroup to unix group
> mapping. But if I create the group in /etc/groups then the group
> mapping works. This leads me to believe that the
> nsswitch/nss_ldap stuff in FreeBSD is either insufficient or not
> configured. Since there is so little to configure, I tend to lean
> towards NSSwitch not being fully implemented.

FWIW (and it's probably not going to help you) I read your post and tried 'net groupmap modify' on my RHAS3/OpenLDAP 2.2.24 test rig. All my Samba 3.0.14a stuff is in LDAP.

'net groupmap modify ntgroup="Domain Admins" unixgroup=katter' (i.e. "cats", it was domadm) *added* a new NT groupmapping for Domain Admins beside the old groupmapping, and changed the "katter" group RID from 3009 to 512 as well as changing displayName from "Domain Katter" to "Domain Admins". Then I wanted to change it back again from the command line, but no no. It couldn't find "Domain Admins" in the database, it said. Thank God I use GQ to manage LDAP, so I could see what was going on. Changing the RID and displayName in GQ got it back to the original state.

> Also if I try to join the domain from a workstation that neither
> has a /etc/passwd account or an ldap account then joining the domain
> fails, but smbldap-tools creates a workstation account in ldap with
> posix only attributes and no samba attributes.
>
> If I create the workstation account in /etc/passwd and then join the
> domain, then I can successfully join the domain, and smbldap tools
> creates an account in ldap, but this time with only samba attributes
> and no posix attributes.

I don't use those scripts. I use LDAP for far too many other things besides Samba and my DIT is completely different from what Idealx would like for me. If you use the Idealx adduser script to make a posixAccount entry, try smbpasswd or pdbedit after that to make the sambaSamAccount modifications. The only trouble is that you can't make LDAP records on the fly that way. Actually, the Samba tools are brilliant and *they* can cope with my non-Idealx DIT more than well enough. I use smbpasswd on my rigs, called out of shell scripts, for adding users and machines.

What you describe /would/ point to the nss libraries on your FreeBSD rig. Maybe others with the same OS could comment, and someone like Padl's Luke Howard on the Padl [EMAIL PROTECTED] mailing list would surely know, since it's mainly he who writes the nss_ldap software.

> I have not tested any other group/user scenarios yet.

Well I have. I have Samba 3.0.11 with LDAP (RHAS3 again) on a zero-maintenance production rig running at a reasonably large high school site in Amsterdam. It's taken over from an NT4 PDC that continually clapped out.

--Tonni

--
Nothing sucksseeds like a pigeon without a beak ...
mail: [EMAIL PROTECTED]
http://www.billy.demon.nl
They'll love us, won't they? They feed us, don't they? ...
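As an added diagnostic for the two symptoms in this thread (machine accounts created with only posixAccount or only sambaSamAccount attributes, and 'net groupmap modify' leaving two group mappings on the same RID), here is a small LDIF audit script. It is not from the thread or from Samba; the entries, DNs and SIDs in it are constructed, and it reads a plain LDIF export such as slapcat or ldapsearch produce (no line folding or base64 values handled).

```python
from collections import defaultdict
# Constructed sample (not real data): one half-created workstation account
# and two sambaGroupMapping entries that both ended up with RID 512.
SAMPLE_LDIF = """\
dn: uid=ws01$,ou=Computers,dc=example,dc=org
objectClass: posixAccount
uid: ws01$
gidNumber: 515

dn: cn=Domain Admins,ou=Groups,dc=example,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
sambaSID: S-1-5-21-1-2-3-512

dn: cn=katter,ou=Groups,dc=example,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 3009
sambaSID: S-1-5-21-1-2-3-512
displayName: Domain Admins
"""

def parse_ldif(text):
    """Minimal LDIF parser: returns a list of (dn, {attr: [values]})."""
    entries, attrs, dn = [], defaultdict(list), None
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():                 # blank line terminates an entry
            if dn: entries.append((dn, dict(attrs)))
            attrs, dn = defaultdict(list), None
            continue
        key, _, val = line.partition(": ")
        if key == "dn": dn = val
        else: attrs[key].append(val)
    return entries

def audit(text):
    """Return (dn_or_sid, problem) findings: accounts missing their
    companion object class, and SIDs shared by several group mappings."""
    findings, sids = [], defaultdict(list)
    for dn, a in parse_ldif(text):
        oc = set(a.get("objectClass", []))
        if "posixAccount" in oc and "sambaSamAccount" not in oc:
            findings.append((dn, "posix attributes only, no sambaSamAccount"))
        if "sambaSamAccount" in oc and "posixAccount" not in oc:
            findings.append((dn, "samba attributes only, no posixAccount"))
        if "sambaGroupMapping" in oc:
            for sid in a.get("sambaSID", []):
                sids[sid].append(dn)
    for sid, dns in sids.items():
        if len(dns) > 1:
            findings.append((sid, "sambaSID shared by %d group mappings" % len(dns)))
    return findings
```

Run it as `audit(open("export.ldif").read())` against your own export; an empty list means no half-created accounts and no duplicate group SIDs were found.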
