Re: [Samba] Samba 4 posixGroup mapping
Hi Geza, hi everyone

I had a go at the script:

s4user where is a posixGroup'ified group from samba-tool group add.

cat s4user
#!/bin/sh
# Create the Samba 4 user, then add the posix attributes with an LDIF modify
echo "Creating s4 posix user $1"
echo "Pls enter pwd for $1"
samba-tool user add "$1"
# The LDIF goes into a temporary file named after the user
echo "dn: cn=$1,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: $2
-
add: gidnumber
gidnumber: $3
-
add:unixhomedirectory
unixhomedirectory: /home/CACTUS/$1
-
add: loginshell
loginshell: /bin/bash" > "$1"
#ldbmodify -f /some/temporary-file ###can't get the syntax!###
ldapmodify -h 192.168.1.3 -D cn=Administrator,cn=Users,dc=hh3,dc=site -f "$1" -Y GSSAPI
samba-tool group addmembers "$4" "$1"
mkdir "/home/CACTUS/$1"
chown "$1:$4" "/home/CACTUS/$1"
rm "$1"
echo "$1 rfc2307-ified"

and:

./s4user steve6 330 2000 suseusers
Creating s4 posix user steve6
Pls enter pwd for steve6
New Password:
User 'steve6' created successfully
SASL/GSSAPI authentication started
SASL username: administra...@hh3.site
SASL SSF: 56
SASL data security layer installed.
modifying entry "cn=steve6,cn=Users,dc=hh3,dc=site"
Added members to group suseusers
steve6 rfc2307-ified
hh3:/home/steve # exit
exit
steve@hh3:~> su steve6
Password:
Warning: Your password will expire in 41 days on Tue 20 Mar 2012 14:52:02 CET
steve6@hh3:/home/steve> cd ../CACTUS/steve6
steve6@hh3:~> touch hola
steve6@hh3:~> ls -la
total 12
drwxr-xr-x 2 steve6 suseusers 4096 Feb 7 14:53 .
drwxr-xr-x 10 root root 4096 Feb 7 14:52 ..
-rw-r--r-- 1 steve6 suseusers 0 Feb 7 14:53 hola
-rw--- 1 steve6 suseusers 48 Feb 7 14:52 .xauthoa0jlX
steve6@hh3:~>

Yeah! I need to tidy the script up a bit and particularly look for the nslcd pid before continuing.

As usual, a few qns. Sorry.
1. As this ignores winbind, is there any need to use winbind like uid's?
2. I can't get the syntax for ldbmodify:(
3. Is there a cheap way to get the next available uid from ldap? I thought of sticking a base id in a file and incrementing it each time s4user was called. Then pulling it back from the file when the script was called for the next user.

Cheers,
Steve

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
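
Added example, not part of the original posts: s4user puts its arguments straight into the LDIF and writes that LDIF to a file named after the user in the current directory, so this sketch validates the name and numbers first, uses a mktemp file, and implements the counter-file idea from question 3 with a lock. The helper names (valid_name, is_uint, next_uid, build_ldif, apply_ldif) and the 32-character name limit are assumptions; the DN suffix, home root and ldapmodify call are taken from the post.

```shell
#!/bin/sh
# Added example, not code from the thread; all helper names are hypothetical.
BASE_DN="cn=Users,dc=hh3,dc=site"   # from the posts
HOME_ROOT="/home/CACTUS"            # from the posts

# Allow only conservative account names, so the argument cannot carry a
# newline, comma or slash into the DN, the LDIF body or a file path, and
# cannot start with "-" and be read as an option by samba-tool.
valid_name() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Decimal digits only, no leading zero (keeps $(( )) from reading octal).
is_uint() {
    case "$1" in
        ""|*[!0-9]*|0?*) return 1 ;;
    esac
}

# The "base id in a file" idea: hand out the next uidNumber from a counter
# file. mkdir is atomic, so the lock directory keeps two concurrent runs from
# getting the same number. Numbers that already resolve through NSS (files
# and ldap, per nsswitch.conf) are skipped.
next_uid() {
    counter=$1 uid=$2 lock="$1.lock" tries=0
    until mkdir "$lock" 2>/dev/null; do
        tries=$((tries + 1))
        [ "$tries" -lt 10 ] || return 1
        sleep 1
    done
    [ -s "$counter" ] && read -r uid < "$counter"
    is_uint "$uid" || { rmdir "$lock"; return 1; }
    while getent passwd "$uid" >/dev/null 2>&1; do
        uid=$((uid + 1))
    done
    echo $((uid + 1)) > "$counter"
    rmdir "$lock"
    echo "$uid"
}

# Emit the same modify record as s4user, but only for validated input.
build_ldif() {
    valid_name "$1" || { echo "invalid user name" >&2; return 2; }
    is_uint "$2" && is_uint "$3" || { echo "uid and gid must be numeric" >&2; return 2; }
    cat <<EOF
dn: cn=$1,$BASE_DN
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: $2
-
add: gidnumber
gidnumber: $3
-
add: unixhomedirectory
unixhomedirectory: $HOME_ROOT/$1
-
add: loginshell
loginshell: /bin/bash
EOF
}

# Write the LDIF to a private mktemp file rather than ./<username>, apply it
# with the ldapmodify call from the post, and always remove the file.
apply_ldif() {
    tmp=$(mktemp) || return 1
    rc=2
    if build_ldif "$@" > "$tmp"; then
        ldapmodify -h 192.168.1.3 -D cn=Administrator,cn=Users,dc=hh3,dc=site -f "$tmp" -Y GSSAPI
        rc=$?
    fi
    rm -f "$tmp"
    return "$rc"
}

# Demo with the values from the thread's example run.
build_ldif steve6 330 2000
```
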
Re: [Samba] Samba 4 posixGroup mapping
Hi,

I use Samba3/OpenLDAP in production and create my users using similar scripts, so no it shouldn't be difficult, something like:

#!/bin/sh
samba-tool user add $1 ..
echo "dn: cn=$1,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: objectclass
objectclass: shadowaccount
-
add: uidnumber
uidnumber: $2
-
add: gidnumber
gidnumber: $3
-
add:unixhomedirectory
unixhomedirectory: $4
-
add: loginshell
loginshell: $5">/some/temporary-file
ldbmodify -f /some/temporary-file
rm /some/temporary-file

Please take into account that it is just a very rough example I've put up in less than a minute.

Regards

Geza

We use Samba3/openldap in real life too:) When I'm not there, they use the Yast GUI which has quite a nice point and click LDAP user and group module which links to the samba3 schema.

Your echo ...> /some/temporary-file is a good idea. Would you include a default group for the user perhaps? e.g.
samba-tool group addmembers $6 $1
($6 would already exist)

Looking good. Thanks for your time. Will report back.
Cheers,
Steve

Hi Geza, hi everyone.

I had a go at the script. I called it s4user and got it down to 4 parameters:

s4user
chmod +x s4user
cat s4user
#!/bin/sh
# Create the Samba 4 user, then add the posix attributes with an LDIF modify
echo "Creating s4 posix user $1"
echo "Pls enter pwd for $1"
samba-tool user add "$1"
# The LDIF goes into a temporary file named after the user
echo "dn: cn=$1,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: $2
-
add: gidnumber
gidnumber: $3
-
add:unixhomedirectory
unixhomedirectory: /home/CACTUS/$1
-
add: loginshell
loginshell: /bin/bash" > "$1"
#ldbmodify -f /some/temporary-file
ldapmodify -h 192.168.1.3 -D cn=Administrator,cn=Users,dc=hh3,dc=site -f "$1" -Y GSSAPI
samba-tool group addmembers "$4" "$1"
mkdir "/home/CACTUS/$1"
chown "$1:$4" "/home/CACTUS/$1"

./s4user steve6 330 2000 suseusers
Creating s4 posix user steve6
Pls enter pwd for steve6
New Password:
User 'steve6' created successfully
SASL/GSSAPI authentication started
SASL username: administra...@hh3.site
SASL SSF: 56
SASL data security layer installed.
modifying entry "cn=steve6,cn=Users,dc=hh3,dc=site"
Added members to group suseusers
hh3:/home/steve # exit
exit
steve@hh3:~> su steve6
Password:
Warning: Your password will expire in 41 days on Tue 20 Mar 2012 14:52:02 CET
steve6@hh3:/home/steve> cd ../CACTUS/steve6
steve6@hh3:~> touch hola
steve6@hh3:~> ls -la
total 12
drwxr-xr-x 2 steve6 suseusers 4096 Feb 7 14:53 .
drwxr-xr-x 10 root root 4096 Feb 7 14:52 ..
-rw-r--r-- 1 steve6 suseusers 0 Feb 7 14:53 hola
-rw--- 1 steve6 suseusers 48 Feb 7 14:52 .xauthoa0jlX
steve6@hh3:~>

Yeah! I need to tidy the script up a bit and maybe put some stuff in like checking for the nslcd pid and put a 'usage:' message.

Just a couple of qns.
1. I couldn't get ldbmodify to work, which is why I used ldapmodify instead. Any idea of the syntax?
2. This now bypasses winbind completely. I just happened to use a uid in the range that winbind uses. Are there any rules for choosing uid numbers?
4. Is there an easy way to find the next free uid or reuse one from a deleted user?
Cheers,
Steve
Re: [Samba] Samba 4 posixGroup mapping
On 07/02/12 06:57, Gémes Géza wrote:
On 2012-02-06 23:58, steve wrote:
On 02/06/2012 08:10 PM, Gémes Géza wrote:
On 2012-02-06 09:29, steve wrote:
On 02/06/2012 07:19 AM, Gémes Géza wrote:
On 2012-02-06 01:27, steve wrote:

Hi
I've created a Samba 4 group called suseusers and mixed in posixGroup and gidNumber using samba-tool group add as a basis.

It works, e.g. when I added an existing user to the group:
getent group suseusers
suseusers:*:2000:
and
getent passwd steve4
steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash
and
id
uid=319(steve4) gid=2000(suseusers) groups=2000(suseusers)

but there seems to be something wrong with getent group. A local group gives this:
getent group users
users:x:100:machine
x not *

This happens both on the Samba 4 machine and a client with his /home directory on nfs4. The uid:gid mappings and permissions are perfect at both ends:) But what is the difference between the group info coming from Samba 4 and the group info coming from /etc/group? I'm sure that this is an error on my part, but I can't force it into failing no matter what I throw at it.
Thanks,
Steve

For an answer we would need some configuration details, first of all nsswitch.conf, then depending on that maybe other files

Regards

Geza

Hi

/etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files

Ah, maybe this has something to do with it. For the user ldapmodify I have:

dn: cn=steve4,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: objectclass
objectclass: shadowaccount
-
add: uidnumber
uidnumber: 321
-
add: gidnumber
gidnumber: 2000
-
add:unixhomedirectory
unixhomedirectory: /home/CACTUS/steve2
-
add: loginshell
loginshell: /bin/bash

and for the group I have:

dn: cn=suseusers,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixGroup
-
add: gidnumber
gidnumber: 2000

/etc/nslcd.conf:
uid nslcd-user
gid nslcd-user
uri ldap://192.168.1.3
base dc=hh3,dc=site
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map shadow uid sAMAccountName
#map passwd gidNumber gidNumber
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0

Then:
samba-tool group addmembers suseusers steve4

getent group suseusers
suseusers:*:2000:
Comes out with the *

But steve4 comes out correctly, as a local user would:
getent passwd steve4
steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash

The only difference I see is that steve4 has a shadowaccount object which can't be mapped for the group (because it doesn't have one). Is there anything else here? Any other files needed?

In fact, I don't think I need shadowaccount mappings at all do I? Isn't that where the unix passwords are stored? But that's probably another thread.

Thanks,
Steve

I'm not sure but maybe you should change how nslcd.conf maps group memberships (by default it looks at membership expecting stock posixaccount and posixgroup objectclasses, while AD uses member and memberOf which are close but not the same).
You can safely ignore anything shadowaccount related, because you would be better authenticating via kerberos anyway.

Regards

Geza

Hi Geza, hi everyone

This looks like good news.

I asked the nslcd author directly:

My question is, how do I extract the gid from the ldap? I've tried:
map group gid gidnumber

You shouldn't need to map the gidNumber attribute because nslcd already uses that attribute by default. In any case if you're trying to find the primary group of a user you should do:

map passwd gidNumber XXX

(where XXX is the attribute in your LDAP server) The passwd map is what defines the output of getent passwd, the group map defines the information on groups.

That seems true. The posixGroup I defined is mapped without me doing anything in nslcd and
map passwd gidNumber gidNumber
would seem pointless as it's already got the gidNumber.

You are right about the shadowaccount. This also solves the x and *. I removed the objectclass shadowaccount from ldap and the map shadow uid from nslcd and hey:
getent passwd steve4
steve4:*:319:2000:steve4:/home/CACTUS/steve4:/bin/bash

I interpret that as 'it's an x if there's a shadow entry, a * if there isn't'

This is getting to the stage where it's not worth waiting for a working winbind. i.e. leave the windows side as it is and go with nfs4 and rpc.idmapd for the Linux side.

How difficult do you think it would be to script the adding of the user posix attributes after creating the s4 user? I envisage something like:
samba-tool user add steve --posix --defaultgroup=somegroup

Also, a startup script for samba4 and nslcd which I think should just be a 2 liner.
Cheers,
Re: [Samba] Samba 4 posixGroup mapping
On 2012-02-06 23:58, steve wrote:
> On 02/06/2012 08:10 PM, Gémes Géza wrote:
>> On 2012-02-06 09:29, steve wrote:
>>> On 02/06/2012 07:19 AM, Gémes Géza wrote:
>>>> On 2012-02-06 01:27, steve wrote:
>>>>> Hi
>>>>> I've created a Samba 4 group called suseusers and mixed in posixGroup
>>>>> and gidNumber using samba-tool group add as a basis.
>>>>>
>>>>> It works, e.g. when I added an existing user to the group:
>>>>> getent group suseusers
>>>>> suseusers:*:2000:
>>>>> and
>>>>> getent passwd steve4
>>>>> steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash
>>>>> and
>>>>> id
>>>>> uid=319(steve4) gid=2000(suseusers) groups=2000(suseusers)
>>>>>
>>>>> but there seems to be something wrong with getent group. A local group
>>>>> gives this:
>>>>> getent group users
>>>>> users:x:100:machine
>>>>> x not *
>>>>>
>>>>> This happens both on the Samba 4 machine and a client with his /home
>>>>> directory on nfs4. The uid:gid mappings and permissions are perfect at
>>>>> both ends:) But what is the difference between the group info coming
>>>>> from Samba 4 and the group info coming from /etc/group? I'm sure that
>>>>> this is an error on my part, but I can't force it into failing no
>>>>> matter what I throw at it.
>>>>> Thanks,
>>>>> Steve
>>>>>
>>>> For an answer we would need some configuration details, first of all
>>>> nsswitch.conf, then depending on that maybe other files
>>>>
>>>> Regards
>>>>
>>>> Geza
>>> Hi
>>>
>>> /etc/nsswitch.conf
>>> passwd: files ldap
>>> group: files ldap
>>> shadow: files ldap
>>> hosts: files mdns4_minimal [NOTFOUND=return] dns
>>> networks: files dns
>>> services: files
>>> protocols: files
>>> rpc: files
>>> ethers: files
>>> netmasks: files
>>>
>>> Ah, maybe this has something to do with it. For the user ldapmodify I
>>> have:
>>>
>>> dn: cn=steve4,cn=Users,dc=hh3,dc=site
>>> changetype: modify
>>> add: objectclass
>>> objectclass: posixaccount
>>> -
>>> add: objectclass
>>> objectclass: shadowaccount
>>> -
>>> add: uidnumber
>>> uidnumber: 321
>>> -
>>> add: gidnumber
>>> gidnumber: 2000
>>> -
>>> add:unixhomedirectory
>>> unixhomedirectory: /home/CACTUS/steve2
>>> -
>>> add: loginshell
>>> loginshell: /bin/bash
>>>
>>> and for the group I have:
>>>
>>> dn: cn=suseusers,cn=Users,dc=hh3,dc=site
>>> changetype: modify
>>> add: objectclass
>>> objectclass: posixGroup
>>> -
>>> add: gidnumber
>>> gidnumber: 2000
>>>
>>> /etc/nslcd.conf:
>>> uid nslcd-user
>>> gid nslcd-user
>>> uri ldap://192.168.1.3
>>> base dc=hh3,dc=site
>>> map passwd uid sAMAccountName
>>> map passwd homeDirectory unixHomeDirectory
>>> map shadow uid sAMAccountName
>>> #map passwd gidNumber gidNumber
>>> sasl_mech GSSAPI
>>> sasl_realm HH3.SITE
>>> krb5_ccname /tmp/krb5cc_0
>>>
>>> Then:
>>> samba-tool group addmembers suseusers steve4
>>>
>>> getent group suseusers
>>> suseusers:*:2000:
>>> Comes out with the *
>>>
>>> But steve4 comes out correctly, as a local user would:
>>> getent passwd steve4
>>> steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash
>>>
>>> The only difference I see is that steve4 has a shadowaccount object
>>> which can't be mapped for the group (because it doesn't have one). Is
>>> there anything else here? Any other files needed?
>>>
>>> In fact, I don't think I need shadowaccount mappings at all do I?
>>> Isn't that where the unix passwords are stored? But that's probably
>>> another thread.
>>>
>>> Thanks,
>>> Steve
>> I'm not sure but maybe you should change how nslcd.conf maps group
>> memberships (by default it looks at membership expecting stock
>> posixaccount and posixgroup objectclasses, while AD uses member and
>> memberOf which are close but not the same).
>> You can safely ignore anything shadowaccount related, because you would
>> be better authenticating via kerberos anyway.
>>
>> Regards
>>
>> Geza
> Hi Geza, hi everyone
>
> This looks like good news.
>
> I asked the nslcd author directly:
>
> My question is, how do I extract the gid from the ldap? I've tried:
> map group gid gidnumber
>
> You shouldn't need to map the gidNumber attribute because nslcd already
> uses that attribute by default. In any case if you're trying to find the
> primary group of a user you should do:
>
> map passwd gidNumber XXX
>
> (where XXX is the attribute in your LDAP server) The passwd map is what
> defines the output of getent passwd, the group map defines the
> information on groups.
>
> That seems true. The posixGroup I defined is mapped without me doing
> anything in nslcd and
> map passwd gidNumber gidNumber
> would seem pointless as it's already got the gidNumber.
>
> You are right about the shadowaccount. This also solves the x and *. I
> removed the objectclass shadowaccount from ldap and the map shadow uid
> from nslcd and hey:
> getent passwd steve4
> steve4:*:319:2000:steve4:/home/CACTUS
Re: [Samba] Samba 4 posixGroup mapping
On 02/06/2012 08:10 PM, Gémes Géza wrote:
On 2012-02-06 09:29, steve wrote:
On 02/06/2012 07:19 AM, Gémes Géza wrote:
On 2012-02-06 01:27, steve wrote:

Hi
I've created a Samba 4 group called suseusers and mixed in posixGroup and gidNumber using samba-tool group add as a basis.

It works, e.g. when I added an existing user to the group:
getent group suseusers
suseusers:*:2000:
and
getent passwd steve4
steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash
and
id
uid=319(steve4) gid=2000(suseusers) groups=2000(suseusers)

but there seems to be something wrong with getent group. A local group gives this:
getent group users
users:x:100:machine
x not *

This happens both on the Samba 4 machine and a client with his /home directory on nfs4. The uid:gid mappings and permissions are perfect at both ends:) But what is the difference between the group info coming from Samba 4 and the group info coming from /etc/group? I'm sure that this is an error on my part, but I can't force it into failing no matter what I throw at it.
Thanks,
Steve

For an answer we would need some configuration details, first of all nsswitch.conf, then depending on that maybe other files

Regards

Geza

Hi

/etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files

Ah, maybe this has something to do with it. For the user ldapmodify I have:

dn: cn=steve4,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: objectclass
objectclass: shadowaccount
-
add: uidnumber
uidnumber: 321
-
add: gidnumber
gidnumber: 2000
-
add:unixhomedirectory
unixhomedirectory: /home/CACTUS/steve2
-
add: loginshell
loginshell: /bin/bash

and for the group I have:

dn: cn=suseusers,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixGroup
-
add: gidnumber
gidnumber: 2000

/etc/nslcd.conf:
uid nslcd-user
gid nslcd-user
uri ldap://192.168.1.3
base dc=hh3,dc=site
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map shadow uid sAMAccountName
#map passwd gidNumber gidNumber
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0

Then:
samba-tool group addmembers suseusers steve4

getent group suseusers
suseusers:*:2000:
Comes out with the *

But steve4 comes out correctly, as a local user would:
getent passwd steve4
steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash

The only difference I see is that steve4 has a shadowaccount object which can't be mapped for the group (because it doesn't have one). Is there anything else here? Any other files needed?

In fact, I don't think I need shadowaccount mappings at all do I? Isn't that where the unix passwords are stored? But that's probably another thread.

Thanks,
Steve

I'm not sure but maybe you should change how nslcd.conf maps group memberships (by default it looks at membership expecting stock posixaccount and posixgroup objectclasses, while AD uses member and memberOf which are close but not the same).
You can safely ignore anything shadowaccount related, because you would be better authenticating via kerberos anyway.

Regards

Geza

Hi Geza, hi everyone

This looks like good news.

I asked the nslcd author directly:

My question is, how do I extract the gid from the ldap? I've tried:
map group gid gidnumber

You shouldn't need to map the gidNumber attribute because nslcd already uses that attribute by default. In any case if you're trying to find the primary group of a user you should do:

map passwd gidNumber XXX

(where XXX is the attribute in your LDAP server) The passwd map is what defines the output of getent passwd, the group map defines the information on groups.

That seems true. The posixGroup I defined is mapped without me doing anything in nslcd and
map passwd gidNumber gidNumber
would seem pointless as it's already got the gidNumber.

You are right about the shadowaccount. This also solves the x and *. I removed the objectclass shadowaccount from ldap and the map shadow uid from nslcd and hey:
getent passwd steve4
steve4:*:319:2000:steve4:/home/CACTUS/steve4:/bin/bash

I interpret that as 'it's an x if there's a shadow entry, a * if there isn't'

This is getting to the stage where it's not worth waiting for a working winbind. i.e. leave the windows side as it is and go with nfs4 and rpc.idmapd for the Linux side.

How difficult do you think it would be to script the adding of the user posix attributes after creating the s4 user? I envisage something like:
samba-tool user add steve --posix --defaultgroup=somegroup

Also, a startup script for samba4 and nslcd which I think should just be a 2 liner.
Cheers,
Steve
Re: [Samba] Samba 4 posixGroup mapping
On 2012-02-06 09:29, steve wrote:
> On 02/06/2012 07:19 AM, Gémes Géza wrote:
>> On 2012-02-06 01:27, steve wrote:
>>> Hi
>>> I've created a Samba 4 group called suseusers and mixed in posixGroup
>>> and gidNumber using samba-tool group add as a basis.
>>>
>>> It works, e.g. when I added an existing user to the group:
>>> getent group suseusers
>>> suseusers:*:2000:
>>> and
>>> getent passwd steve4
>>> steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash
>>> and
>>> id
>>> uid=319(steve4) gid=2000(suseusers) groups=2000(suseusers)
>>>
>>> but there seems to be something wrong with getent group. A local group
>>> gives this:
>>> getent group users
>>> users:x:100:machine
>>> x not *
>>>
>>> This happens both on the Samba 4 machine and a client with his /home
>>> directory on nfs4. The uid:gid mappings and permissions are perfect at
>>> both ends:) But what is the difference between the group info coming
>>> from Samba 4 and the group info coming from /etc/group? I'm sure that
>>> this is an error on my part, but I can't force it into failing no
>>> matter what I throw at it.
>>> Thanks,
>>> Steve
>>>
>> For an answer we would need some configuration details, first of all
>> nsswitch.conf, then depending on that maybe other files
>>
>> Regards
>>
>> Geza
> Hi
>
> /etc/nsswitch.conf
> passwd: files ldap
> group: files ldap
> shadow: files ldap
> hosts: files mdns4_minimal [NOTFOUND=return] dns
> networks: files dns
> services: files
> protocols: files
> rpc: files
> ethers: files
> netmasks: files
>
> Ah, maybe this has something to do with it. For the user ldapmodify I
> have:
>
> dn: cn=steve4,cn=Users,dc=hh3,dc=site
> changetype: modify
> add: objectclass
> objectclass: posixaccount
> -
> add: objectclass
> objectclass: shadowaccount
> -
> add: uidnumber
> uidnumber: 321
> -
> add: gidnumber
> gidnumber: 2000
> -
> add:unixhomedirectory
> unixhomedirectory: /home/CACTUS/steve2
> -
> add: loginshell
> loginshell: /bin/bash
>
> and for the group I have:
>
> dn: cn=suseusers,cn=Users,dc=hh3,dc=site
> changetype: modify
> add: objectclass
> objectclass: posixGroup
> -
> add: gidnumber
> gidnumber: 2000
>
> /etc/nslcd.conf:
> uid nslcd-user
> gid nslcd-user
> uri ldap://192.168.1.3
> base dc=hh3,dc=site
> map passwd uid sAMAccountName
> map passwd homeDirectory unixHomeDirectory
> map shadow uid sAMAccountName
> #map passwd gidNumber gidNumber
> sasl_mech GSSAPI
> sasl_realm HH3.SITE
> krb5_ccname /tmp/krb5cc_0
>
> Then:
> samba-tool group addmembers suseusers steve4
>
> getent group suseusers
> suseusers:*:2000:
> Comes out with the *
>
> But steve4 comes out correctly, as a local user would:
> getent passwd steve4
> steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash
>
> The only difference I see is that steve4 has a shadowaccount object
> which can't be mapped for the group (because it doesn't have one). Is
> there anything else here? Any other files needed?
>
> In fact, I don't think I need shadowaccount mappings at all do I?
> Isn't that where the unix passwords are stored? But that's probably
> another thread.
>
> Thanks,
> Steve

I'm not sure but maybe you should change how nslcd.conf maps group memberships (by default it looks at membership expecting stock posixaccount and posixgroup objectclasses, while AD uses member and memberOf which are close but not the same).
You can safely ignore anything shadowaccount related, because you would be better authenticating via kerberos anyway.
Regards

Geza
Re: [Samba] Samba 4 posixGroup mapping
On 02/06/2012 07:19 AM, Gémes Géza wrote:
On 2012-02-06 01:27, steve wrote:

Hi
I've created a Samba 4 group called suseusers and mixed in posixGroup and gidNumber using samba-tool group add as a basis.

It works, e.g. when I added an existing user to the group:
getent group suseusers
suseusers:*:2000:
and
getent passwd steve4
steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash
and
id
uid=319(steve4) gid=2000(suseusers) groups=2000(suseusers)

but there seems to be something wrong with getent group. A local group gives this:
getent group users
users:x:100:machine
x not *

This happens both on the Samba 4 machine and a client with his /home directory on nfs4. The uid:gid mappings and permissions are perfect at both ends:) But what is the difference between the group info coming from Samba 4 and the group info coming from /etc/group? I'm sure that this is an error on my part, but I can't force it into failing no matter what I throw at it.
Thanks,
Steve

For an answer we would need some configuration details, first of all nsswitch.conf, then depending on that maybe other files

Regards

Geza

Hi

/etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files

Ah, maybe this has something to do with it. For the user ldapmodify I have:

dn: cn=steve4,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: objectclass
objectclass: shadowaccount
-
add: uidnumber
uidnumber: 321
-
add: gidnumber
gidnumber: 2000
-
add:unixhomedirectory
unixhomedirectory: /home/CACTUS/steve2
-
add: loginshell
loginshell: /bin/bash

and for the group I have:

dn: cn=suseusers,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixGroup
-
add: gidnumber
gidnumber: 2000

/etc/nslcd.conf:
uid nslcd-user
gid nslcd-user
uri ldap://192.168.1.3
base dc=hh3,dc=site
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map shadow uid sAMAccountName
#map passwd gidNumber gidNumber
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0

Then:
samba-tool group addmembers suseusers steve4

getent group suseusers
suseusers:*:2000:
Comes out with the *

But steve4 comes out correctly, as a local user would:
getent passwd steve4
steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash

The only difference I see is that steve4 has a shadowaccount object which can't be mapped for the group (because it doesn't have one). Is there anything else here? Any other files needed?

In fact, I don't think I need shadowaccount mappings at all do I? Isn't that where the unix passwords are stored? But that's probably another thread.

Thanks,
Steve
Re: [Samba] Samba 4 posixGroup mapping
On 2012-02-06 01:27, steve wrote:
> Hi
> I've created a Samba 4 group called suseusers and mixed in posixGroup
> and gidNumber using samba-tool group add as a basis.
>
> It works, e.g. when I added an existing user to the group:
> getent group suseusers
> suseusers:*:2000:
> and
> getent passwd steve4
> steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash
> and
> id
> uid=319(steve4) gid=2000(suseusers) groups=2000(suseusers)
>
> but there seems to be something wrong with getent group. A local group
> gives this:
> getent group users
> users:x:100:machine
> x not *
>
> This happens both on the Samba 4 machine and a client with his /home
> directory on nfs4. The uid:gid mappings and permissions are perfect at
> both ends:) But what is the difference between the group info coming
> from Samba 4 and the group info coming from /etc/group? I'm sure that
> this is an error on my part, but I can't force it into failing no
> matter what I throw at it.
> Thanks,
> Steve
>

For an answer we would need some configuration details, first of all nsswitch.conf, then depending on that maybe other files

Regards

Geza
[Samba] Samba 4 posixGroup mapping
Hi
I've created a Samba 4 group called suseusers and mixed in posixGroup and gidNumber using samba-tool group add as a basis.

It works, e.g. when I added an existing user to the group:
getent group suseusers
suseusers:*:2000:
and
getent passwd steve4
steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash
and
id
uid=319(steve4) gid=2000(suseusers) groups=2000(suseusers)

but there seems to be something wrong with getent group. A local group gives this:
getent group users
users:x:100:machine
x not *

This happens both on the Samba 4 machine and a client with his /home directory on nfs4. The uid:gid mappings and permissions are perfect at both ends:) But what is the difference between the group info coming from Samba 4 and the group info coming from /etc/group? I'm sure that this is an error on my part, but I can't force it into failing no matter what I throw at it.
Thanks,
Steve