smbgroupedit and ldap groups?

2002-10-04 Thread Eddie Lania

Hi list,

Please observe the case below:

I download, compile and install Samba 3.0 from cvs.
I am using ldap.
I have installed the nss_ldap package.
I have setup the pam and /etc/nsswitch.conf files as required.
etc

Now, this is in the smbgroupedit man page:

 To give access to a certain directory on a domain member machine (an
NT/W2K or a samba server running winbind) to some users who are member
of a group on your samba PDC, flag that group as a domain group:

 root# smbgroupedit -a unixgroup -td

But what if the group I want to map as a domain group is the Domain Admins
group that is in the ldap database?
And I want current unix user(s) (in /etc/passwd and /etc/group) to be able
to become a member of the Domain Users or Domain Admins global groups?

I already tried the given scenarios (mapping all groups as said in the
smbgroupedit man page and making certain users members of them, etc...), but
still no luck.
At this moment, when a user logs in, his/her primary gid is still being
taken from the /etc/group file and so the user is not identified as a
member of any domain group.

Also, the Windows NT UserManager (srvtools) for domains does not work (I
think because of this problem e.g. the user is not identified as a Domain
Admin.).
The only time I was able to use the NT UserManager was when I logged on as
root.
I thought this would be solved by Kai's patches, but whatever I try, it
still doesn't work here.

The more I am experimenting with it, the more confused I get.

Again, any help would be appreciated.

Thanks.

Eddie.






Re: smbgroupedit and ldap groups?

2002-10-04 Thread Stefan (metze) Metzmacher


> Also, the Windows NT UserManager (srvtools) for domains does not work (I
> think because of this problem e.g. the user is not identified as a Domain
> Admin.).
> The only time I was able to use the NT UserManager was when I logged on as
> root.
> I thought this would be solved by Kai's patches, but whatever I try, it
> still doesn't work here.

you have to specify the Domain Admins group as 'admin users'

if you map 'Domain Admins' to 'domadmins'
then

admin users = @domadmins

But I think the admin users have to go till 3.0

and the 'Domain Admins' and 'Administrators' groups should be used...

> The more I am experimenting with it, the more confused I get.
>
> Again, any help would be appreciated.
>
> Thanks.
>
> Eddie.


metze
-
Stefan metze Metzmacher [EMAIL PROTECTED]




Re: smbgroupedit and ldap groups?

2002-10-04 Thread Eddie Lania

Hi Metze and list,

I am willing to try this, but I thought the admin users parameter
primarily is used in the services section and not as a global parameter?
So this parameter would only affect rights on a service.

Am I right or wrong?

Eddie.

- Original Message -
From: Stefan (metze) Metzmacher [EMAIL PROTECTED]
To: Eddie Lania [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, October 04, 2002 10:38 AM
Subject: Re: smbgroupedit and ldap groups?



> > Also, the Windows NT UserManager (srvtools) for domains does not work (I
> > think because of this problem e.g. the user is not identified as a
> > Domain Admin.).
> > The only time I was able to use the NT UserManager was when I logged on
> > as root.
> > I thought this would be solved by Kai's patches, but whatever I try, it
> > still doesn't work here.
>
> you have to specify the Domain Admins group as 'admin users'
>
> if you map 'Domain Admins' to 'domadmins'
> then
>
> admin users = @domadmins
>
> But I think the admin users have to go till 3.0
>
> and the 'Domain Admins' and 'Administrators' groups should be used...
>
> > The more I am experimenting with it, the more confused I get.
> >
> > Again, any help would be appreciated.
> >
> > Thanks.
> >
> > Eddie.
>
>
> metze
> -
> Stefan metze Metzmacher [EMAIL PROTECTED]




Re: smbgroupedit and ldap groups?

2002-10-04 Thread Stefan (metze) Metzmacher

Hi Eddie,

> I am willing to try this, but I thought the admin users parameter
> primarily is used in the services section and not as a global parameter?
> So this parameter would only affect rights on a service.
>
> Am I right or wrong?

a parameter marked as service parameter only says that you can specify it
separately for each service or use the default value of this parameter from
the global section.

so each service AND global parameter are in the globals section.



metze
-
Stefan metze Metzmacher [EMAIL PROTECTED]




Re: smbgroupedit and ldap groups?

2002-10-04 Thread Eddie Lania

Hi Metze and list,

Is this the common behaviour when I did it like you told me?
I.o.w. is this like it is supposed to behave when I log on as user eddie and
am a member of domain admins?

Eddie.

[2002/10/04 10:59:14, 0, effective(0, 0), real(0, 0)]
smbd/service.c:set_admin_user(309)
  eddie logged in as admin user (root privileges)
[2002/10/04 11:01:58, 0, effective(0, 0), real(0, 0)]
smbd/service.c:set_admin_user(309)
  eddie logged in as admin user (root privileges)
[2002/10/04 11:01:58, 1, effective(0, 500), real(0, 0)]
smbd/service.c:make_connection_snum(681)
  p1400elania (192.168.168.35) connect to service eddie initially as user
eddie (uid=0, gid=500) (pid 31282)
[2002/10/04 11:02:02, 1, effective(0, 0), real(0, 0)]
smbd/service.c:close_cnum(852)
  p1400elania (192.168.168.35) closed connection to service eddie
[2002/10/04 11:02:19, 0, effective(0, 0), real(0, 0)]
smbd/service.c:set_admin_user(309)
  eddie logged in as admin user (root privileges)
[2002/10/04 11:02:19, 1, effective(0, 500), real(0, 0)]
smbd/service.c:make_connection_snum(681)
  p1400elania (192.168.168.35) connect to service eddie initially as user
eddie (uid=0, gid=500) (pid 31282)
[2002/10/04 11:03:06, 0, effective(0, 0), real(0, 0)]
smbd/service.c:set_admin_user(309)
  eddie logged in as admin user (root privileges)
[2002/10/04 11:03:06, 1, effective(0, 500), real(0, 0)]
smbd/service.c:make_connection_snum(681)
  p1400elania (192.168.168.35) connect to service eddie initially as user
eddie (uid=0, gid=500) (pid 31282)
[2002/10/04 11:03:52, 1, effective(0, 0), real(0, 0)]
smbd/service.c:close_cnum(852)
  p1400elania (192.168.168.35) closed connection to service eddie
[2002/10/04 11:04:03, 1, effective(0, 0), real(0, 0)]
smbd/service.c:close_cnum(852)
  p1400elania (192.168.168.35) closed connection to service eddie





Re: smbgroupedit and ldap groups?

2002-10-04 Thread Stefan (metze) Metzmacher

Hi Eddie,

> Is this the common behaviour when I did it like you told me?
> I.o.w. is this like it is supposed to behave when I log on as user eddie and
> am a member of domain admins?

Yes, if you don't want to be an admin on the shares.

set 'admin user =  ' in each service section

I know this isn't so nice and it has to be changed in the future...


metze
-
Stefan metze Metzmacher [EMAIL PROTECTED]
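
The two replies above describe how a service parameter such as 'admin users' takes its default from [global] and can be overridden, including with an empty value, in each service section. The following is an added example, not part of the original thread or of Samba itself: a small audit script that reports which shares end up with root-equivalent users. The sample smb.conf, the share names and the paths are constructed for illustration; the parser handles only simple "name = value" lines.

```python
import re

# Constructed smb.conf for illustration; share names and paths are assumptions.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   admin users = @domadmins

[homes]
   browseable = no

[public]
   path = /srv/public
   admin users =

[tools]
   path = /srv/tools
   Admin Users = eddie
"""

def norm(name):
    """smb.conf parameter names ignore case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalised_param: value}} for a simple smb.conf."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def effective_admin_users(text):
    """Per share: the admin users list in force (share value, else [global])."""
    conf = parse_smb_conf(text)
    default = conf.get("global", {}).get("adminusers", "")
    result = {}
    for share, params in conf.items():
        if share == "global":
            continue
        # A share that sets the parameter, even to nothing, hides the default.
        value = params.get("adminusers", default)
        result[share] = [v for v in re.split(r"[,\s]+", value) if v]
    return result

if __name__ == "__main__":
    for share, admins in effective_admin_users(SAMPLE_SMB_CONF).items():
        print(f"[{share}] root-equivalent: {admins or 'nobody'}")
```

Every share listed with a non-empty result is one where the named users or group members connect with uid 0, as the "logged in as admin user (root privileges)" log lines earlier in the thread show.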




Re: Fw: smbgroupedit and ldap groups?

2002-10-04 Thread Stefan (metze) Metzmacher


> And BTW, the UserManager for domains still doesn't work after this addition.
>
> Eddie.

current HEAD or alpha20 and what error?

for me alpha20 works fine but HEAD can't get some local groups and exits.



metze
-
Stefan metze Metzmacher [EMAIL PROTECTED]




Re: Fw: smbgroupedit and ldap groups?

2002-10-04 Thread Eddie Lania

Metze, you are correct.

I was using HEAD.
I recompiled 3.0alpha20 and now it is working.

Thanks.

Eddie.

- Original Message -
From: Stefan (metze) Metzmacher [EMAIL PROTECTED]
To: Eddie Lania [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, October 04, 2002 11:34 AM
Subject: Re: Fw: smbgroupedit and ldap groups?



> > And BTW, the UserManager for domains still doesn't work after this
> > addition.
> >
> > Eddie.
>
> current HEAD or alpha20 and what error?
>
> for me alpha20 works fine but HEAD can't get some local groups and exit.
>
>
>
> metze
> -
> Stefan metze Metzmacher [EMAIL PROTECTED]