Thank you very much indeed. This thread should be closed.
JC DOLE

Quoting Douglas VanLeuven <[EMAIL PROTECTED]>:

> When you do getent group you're getting what's in the local /etc/group
> and what's defined in the ldap group membership. See gidNumber above.
> Using /etc/nsswitch.conf to define ldap lookups extends the /etc/passwd
> and /etc/group membership so passwd and group uid/gid's can be defined
> system wide and used by any unix machine.
>
> So yes. Users belonging to group 512 are "Domain Admins". You need to
> add users to this group when you want them to have related security
> privileges. You should be able to chgrp 512 filename and have it show
> as "Domain Admins" when you ls the directory. I haven't used the
> smbldap tools package, but it looks like the most common windows groups
> have already been defined for you. All you need to do is avoid using
> the ldap passwd & group uid/gids in the local files. Yast tools will
> probably not allow you to generate duplicates.
>
> And yes, you only need to map groups when the unix name doesn't match
> the windows name and you don't want samba to create the account on the
> fly using whatever idmap backend you pick. Your idmap backend should
> probably be idmap_ldap and accounts generated then become available
> system wide using the same uid/gid's and network file sharing offers the
> same membership security regardless of client machine access.
>
> This is probably in a FAQ somewhere where the answer would be more
> structured. I use the following to resolve my issues:
> http://us6.samba.org/samba/docs/man/Samba-HOWTO-Collection/
> http://us6.samba.org/samba/docs/man/Samba-Guide/
>
> Since samba is evolving almost daily, sometimes the Howto syntax has been
> modified in the current manifestation of the command. Always refer to
> the current command documentation to resolve any discrepancies.
>
> Doug
>
> [EMAIL PROTECTED] wrote:
> > As I said, I did a fresh install of opensuse 10.3, samba, ldap.
> >
> > During the process, I filled the ldap database directly with an ldif file built
> > using smbldap tools.
> >
> > (one item in that file -->
> >
> > dn: cn=Domain Admins,ou=Groups,dc=ldap_hathor,dc=nwk
> > objectClass: top
> > objectClass: posixGroup
> > objectClass: sambaGroupMapping
> > gidNumber: 512
> > cn: Domain Admins
> > memberUid: root
> > sambaSID: S-1-5-21-3134345319-2430187646-2919245149-512
> > sambaGroupType: 2
> > displayName: Domain Admins
> > description: Netbios Domain Administrators
> > #sambaPrimaryGroupSID: SID of the user group (512 = Admins group)
> > #description: Netbios Domain Administrators
> > )
> >
> > So you mean by doing this it is not necessary to map the native existing unix
> > group "ntadmin" (gid 71) with "Domain Admins"?
> > (ntadmin appears in /etc/group and "Domain Admins" does not)
> >
> > Reading the samba documentation was not very clear for me.
> >
> > jcdole
> >
> >
> > Quoting Douglas VanLeuven <[EMAIL PROTECTED]>:
> >> It looks like you already have an existing unix group called "Domain
> >> Admins" being pulled in from ldap. When that is true, there is no need
> >> for groupmap and indeed it would appear it is illegal to map a windows
> >> group that matches an existing unix group to another unix group.
> >>
> >> Doug
> >>
> >>
> >> [EMAIL PROTECTED] wrote:
> >>> Hello.
> >>>
> >>> After fresh install.
> >>>
> >>> Samba and ldap seem to run normally (I can join a win2k workstation to the linux
> >>> samba pdc).
> >>>
> >>> Using yast I create a system group named domadmin
> >>>
> >>> But I am unable to map "Domain Admins" to domadmin
> >>> I am unable to map "Domain Admins" to the existing ntadmin group
> >>>
> >>> I am unable to modify the mapping of "Domain Admins" to the domadmin group
> >>>
> >>> Thank you for helping.
> >>>
> >>> LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=domadmin rid=512 type=d
> >>> adding entry for group Domain Admins failed!
> >>> LINUX-SRV: #
> >>>
> >>> LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin rid=512 type=d
> >>> adding entry for group Domain Admins failed!
> >>> LINUX-SRV: #
> >>>
> >>> LINUX-SRV: # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin
> >>> Can't map to an unknown group type.
> >>> LINUX-SRV: #
> >>>
> >>> LINUX-SRV:~ # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin type=d
> >>> Could not update group database
> >>> LINUX-SRV: #
> >>>
> >>> LINUX-SRV:~ # net groupmap list
> >>> request done: ld 0x555555c881e0 msgid 1
> >>> request done: ld 0x555555c881e0 msgid 2
> >>> Domain Admins (S-1-5-21-3134345319-2430187646-2919245149-512) -> Domain Admins
> >>> request done: ld 0x555555c881e0 msgid 3
> >>> Domain Users (S-1-5-21-3134345319-2430187646-2919245149-513) -> Domain Users
> >>> request done: ld 0x555555c881e0 msgid 4
> >>> Domain Guests (S-1-5-21-3134345319-2430187646-2919245149-514) -> Domain Guests
> >>> request done: ld 0x555555c881e0 msgid 5
> >>> Domain Computers (S-1-5-21-3134345319-2430187646-2919245149-515) -> Domain Computers
> >>> request done: ld 0x555555c881e0 msgid 6
> >>> Administrators (S-1-5-32-544) -> Administrators
> >>> request done: ld 0x555555c881e0 msgid 7
> >>> Account Operators (S-1-5-32-548) -> Account Operators
> >>> request done: ld 0x555555c881e0 msgid 8
> >>> Print Operators (S-1-5-32-550) -> Print Operators
> >>> request done: ld 0x555555c881e0 msgid 9
> >>> Backup Operators (S-1-5-32-551) -> Backup Operators
> >>> request done: ld 0x555555c881e0 msgid 10
> >>> Replicators (S-1-5-32-552) -> Replicators
> >>> request done: ld 0x555555c881e0 msgid 11
> >>> Users (S-1-5-32-545) -> 15000
> >>> LINUX-SRV: #
> >>>
> >>> LINUX-SRV: # getent group
> >>> at:!:25:
> >>> ..............
> >>> ..............
> >>> domadmin:x:114:
> >>> root:x:0:
> >>> ...............
> >>> ..............
> >>> users:x:100:
> >>> +::0:
> >>> request done: ld 0x618d10 msgid 1
> >>> Domain Admins:*:512:root,user_admin
> >>> Domain Users:*:513:
> >>> Domain Guests:*:514:
> >>> Domain Computers:*:515:
> >>> Administrators:*:544:
> >>> Account Operators:*:548:
> >>> Print Operators:*:550:
> >>> Backup Operators:*:551:
> >>> Replicators:*:552:
> >>> request done: ld 0x618d10 msgid 2

--
To unsubscribe from this list go to the following URL and read the instructions:
https://lists.samba.org/mailman/listinfo/samba
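An added example (not code from the thread or from the Samba project) that turns Doug's two points into a check: a GID must not be reused between /etc/group and LDAP, and a Windows group whose name already resolves as a unix group needs no `net groupmap` entry. The group and groupmap listings below are constructed from the output in the thread, with one invented local entry (localdup) added so the GID collision check has something to find.

```shell
#!/bin/sh
# Audit the merged group namespace that nsswitch builds from /etc/group and
# LDAP posixGroup entries. Replace the two samples with the real output of
# `getent group` and `net groupmap list` on a PDC.

# Constructed sample modelled on the thread's `getent group` output, plus a
# deliberately colliding local entry (localdup shares GID 512 with LDAP).
SAMPLE_GROUPS='root:x:0:
users:x:100:
ntadmin:x:71:
domadmin:x:114:
localdup:x:512:
Domain Admins:*:512:root,user_admin
Domain Users:*:513:
Domain Guests:*:514:
Administrators:*:544:'

# Constructed sample modelled on the thread's `net groupmap list` output.
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-3134345319-2430187646-2919245149-512) -> Domain Admins
Users (S-1-5-32-545) -> 15000'

# Print each GID that appears more than once, with the names that share it.
duplicate_gids() {
    printf '%s\n' "$SAMPLE_GROUPS" | awk -F: '
        { names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1); count[$3]++ }
        END { for (g in count) if (count[g] > 1) print g ": " names[g] }' | sort
}

# Succeed if $1 (a group name or a numeric GID) resolves in the merged listing.
unix_group_resolves() {
    printf '%s\n' "$SAMPLE_GROUPS" |
        awk -F: -v want="$1" '$1 == want || $3 == want { found = 1 } END { exit !found }'
}

# Print groupmap lines whose unix side (after " -> ") resolves to no group;
# a mapping whose Windows name already resolves as a unix group is redundant.
unresolved_groupmaps() {
    printf '%s\n' "$SAMPLE_GROUPMAP" | while IFS= read -r line; do
        unix_side=${line##* -> }
        unix_group_resolves "$unix_side" || printf '%s\n' "$line"
    done
}

echo "Duplicate GIDs:"; duplicate_gids
echo "Mappings whose unix group does not resolve:"; unresolved_groupmaps
```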