[EMAIL PROTECTED] wrote:
As I said, I did a fresh install of opensuse 10.3, samba, ldap.

During the process, I filled the ldap database directly with an ldif file built
using smbldap tools.

(one item in that file -->

dn: cn=Domain Admins,ou=Groups,dc=ldap_hathor,dc=nwk
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: root
sambaSID: S-1-5-21-3134345319-2430187646-2919245149-512
sambaGroupType: 2
displayName: Domain Admins
description: Netbios Domain Administrators
#sambaPrimaryGroupSID: SID of the user group (512 = Admins group)
#description: Netbios Domain Administrators
 )

So you mean by doing this it is not necessary to map the native existing unix
group "ntadmin" (gid 71) with "Domain Admins"?
(ntadmin appears in /etc/group and "Domain Admins" does not)

When you do getent group you're getting what's in the local /etc/group and what's defined in the ldap group membership. See gidNumber above. Using /etc/nsswitch.conf to define ldap lookups extends the /etc/passwd and /etc/group membership so passwd and group uid/gid's can be defined system wide and used by any unix machine.

So yes. Users belonging to group 512 are "Domain Admins". You need to add users to this group when you want them to have related security privileges. You should be able to chgrp 512 filename and have it show as "Domain Admins" when you ls the directory. I haven't used the smbldap tools package, but it looks like the most common windows groups have already been defined for you. All you need to do is avoid using the ldap passwd & group uid/gids in the local files. Yast tools will probably not allow you to generate duplicates.

And yes, you only need to map groups when the unix name doesn't match the windows name and you don't want samba to create the account on the fly using whatever idmap backend you pick. Your idmap backend should probably be idmap_ldap and accounts generated then become available system wide using the same uid/gid's and network file sharing offers the same membership security regardless of client machine access.

This is probably in a FAQ somewhere where the answer would be more structured. I use the following to resolve my issues:
http://us6.samba.org/samba/docs/man/Samba-HOWTO-Collection/
http://us6.samba.org/samba/docs/man/Samba-Guide/

Since samba is evolving almost daily, sometimes the Howto syntax has been modified in the current manifestation of the command. Always refer to the current command documentation to resolve any discrepancies.

Doug
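As an added check (not code from this thread or from Samba), here is a small script that reads the `getent group` and `net groupmap list` output formats quoted in this thread and reports, for each Windows group, whether it already resolves to a same-named unix group coming through nsswitch (so no groupmap is needed, as Doug describes), is explicitly mapped to a differently named unix group, or points at a bare gid that nothing resolves (like the "Users -> 15000" line). The sample input is constructed from the thread; the "Power Users -> ntadmin" line is invented to show the explicit case.

```python
import re

# Constructed sample input modelled on the outputs quoted in this thread; the
# "Power Users -> ntadmin" line is invented to show an explicit mapping.
GETENT_GROUP = """\
ntadmin:x:71:
domadmin:x:114:
+::0:
Domain Admins:*:512:root,user_admin
"""
NET_GROUPMAP_LIST = """\
request done: ld 0x555555c881e0 msgid 1
Domain Admins (S-1-5-21-3134345319-2430187646-2919245149-512) -> Domain Admins
Power Users (S-1-5-32-547) -> ntadmin
Users (S-1-5-32-545) -> 15000
"""
GROUPMAP_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-5-[\d-]+)\) -> (?P<unix>.+)$")


def parse_getent_group(text):
    """Unix group name -> (gid, members) from `getent group` output."""
    groups = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 4 or not parts[2].isdigit() or parts[0].startswith(("+", "-")):
            continue  # skips the '+::0:' compat line and malformed rows
        name, _pw, gid, members = parts
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def parse_groupmap_list(text):
    """(nt_name, sid, unix_target) from `net groupmap list`; ldap debug lines are ignored."""
    return [m.group("nt", "sid", "unix") for m in map(GROUPMAP_RE.match, text.splitlines()) if m]


def audit_groupmaps(getent_text, groupmap_text):
    """Classify each Windows group by whether samba resolves it to a unix group nss can see."""
    groups = parse_getent_group(getent_text)
    gids = {gid for gid, _ in groups.values()}
    verdict = {}
    for nt, _sid, unix in parse_groupmap_list(groupmap_text):
        if unix.isdigit():  # samba prints a bare gid when no unix group resolves to it
            verdict[nt] = "resolved" if int(unix) in gids else "unresolved"
        elif unix == nt and nt in groups:
            verdict[nt] = "implicit"  # same-named unix group (here from ldap): no groupmap needed
        elif unix in groups:
            verdict[nt] = "explicit"  # names differ, an explicit mapping is in place
        else:
            verdict[nt] = "dangling"  # mapped to a unix group nss cannot see
    return verdict
```

An "unresolved" or "dangling" verdict means membership of that Windows group is not being enforced by any real unix group on the file server, which is worth fixing before relying on it for share permissions.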


Reading the samba documentation was not very clear for me.

jcdole


Selon Douglas VanLeuven <[EMAIL PROTECTED]>:
It looks like you already have an existing unix group called "Domain
Admins" being pulled in from ldap.  When that is true, there is no need
for groupmap and indeed it would appear it is illegal to map a windows
group that matches an existing unix group to another unix group.

Doug


[EMAIL PROTECTED] wrote:
Hello.

After fresh install.

Samba and ldap seem to run normally (I can join a win2k workstation to the
linux samba pdc).

Using yast I create a system group named domadmin

But I am unable to map "Domain Admins" to domadmin
I am unable to map "Domain Admins" to existing ntadmin group

I am unable to modify the mapping of "Domain Admins" to the domadmin group

Thank you for helping.

LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=domadmin rid=512 type=d
adding entry for group Domain Admins failed!
LINUX-SRV: #

LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin rid=512 type=d
adding entry for group Domain Admins failed!
LINUX-SRV: #

LINUX-SRV: # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin
Can't map to an unknown group type.
LINUX-SRV: #

LINUX-SRV:~ # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin type=d
Could not update group database
LINUX-SRV: #

LINUX-SRV:~ # net groupmap list
request done: ld 0x555555c881e0 msgid 1
request done: ld 0x555555c881e0 msgid 2
Domain Admins (S-1-5-21-3134345319-2430187646-2919245149-512) -> Domain Admins
request done: ld 0x555555c881e0 msgid 3
Domain Users (S-1-5-21-3134345319-2430187646-2919245149-513) -> Domain Users
request done: ld 0x555555c881e0 msgid 4
Domain Guests (S-1-5-21-3134345319-2430187646-2919245149-514) -> Domain Guests
request done: ld 0x555555c881e0 msgid 5
Domain Computers (S-1-5-21-3134345319-2430187646-2919245149-515) -> Domain Computers
request done: ld 0x555555c881e0 msgid 6
Administrators (S-1-5-32-544) -> Administrators
request done: ld 0x555555c881e0 msgid 7
Account Operators (S-1-5-32-548) -> Account Operators
request done: ld 0x555555c881e0 msgid 8
Print Operators (S-1-5-32-550) -> Print Operators
request done: ld 0x555555c881e0 msgid 9
Backup Operators (S-1-5-32-551) -> Backup Operators
request done: ld 0x555555c881e0 msgid 10
Replicators (S-1-5-32-552) -> Replicators
request done: ld 0x555555c881e0 msgid 11
Users (S-1-5-32-545) -> 15000
LINUX-SRV: #

LINUX-SRV: # getent group
at:!:25:
..............
..............
domadmin:x:114:
root:x:0:
...............
..............
users:x:100:
+::0:
request done: ld 0x618d10 msgid 1
Domain Admins:*:512:root,user_admin
Domain Users:*:513:
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
request done: ld 0x618d10 msgid 2




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba