RE: [Samba] gidNumber's and ldap backed samba PDC
On Tue, 2009-03-24 at 13:31 -0500, Derek Werthmuller wrote:
> Ok I see it appears that the ldap entries that samba needs in the directory
> are under a different O. ou=groups,o=smb,dc=unav,dc=es for example.
>
> dn: cn=Domain Admins,ou=groups,o=smb,dc=unav,dc=es
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 512
> cn: Domain Admins
>
> Where my user/file system groups would be under traditional ldap entries
> like:
>
> dn: cn=usrgrp,ou=Group,dc=ct,dc=unav,dc=es
> objectClass: posixGroup
> objectClass: top
> cn: usrgrp
> userPassword:: e2NyexB0fX9g=
> gidNumber: 512
> creatorsName: cn=Manager, dc=ct,dc=unav,dc=es
> createTimestamp: 20021007160601Z
> modifiersName: cn=Manager,dc=ct,dc=unav,dc=es
> modifyTimestamp: 20081205192619Z
>
> This right?

I don't understand the question. But perhaps you haven't configured your
scripts (the smbldap stuff?) correctly [this would be my guess] or you need to
manually tweak your group mapping [man net]. You should have ONE object which
represents both the POSIX and CIFS group. You have two and the
sambaGroupMapping seems incomplete.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] gidNumber's and ldap backed samba PDC
On Tue, 2009-03-24 at 19:31 +0100, LiPi - wrote:
> Despite that RID!=GID, mappings between samba rids and groups must be
> there if you want the server to act as a PDC. If there are some GID's
> mapped to i.e. RID 512, and these GID is used by another group, then
> there will be a conflict.

No, because that is just not how the mapping works.

$ ldapsearch -LLL sambaSID=S-1-5-21-2037442776-3290224752-88127236-512
dn: cn=cifsadmins,ou=Groups,ou=SAM,o=Morrison Industries,c=US
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: cifsadmins
gidNumber: 1999
sambaSID: S-1-5-21-2037442776-3290224752-88127236-512
sambaGroupType: 2
description: Local Unix group
displayName: Domain Admins
memberUid: steve
memberUid: cleslie
memberUid: adam
memberUid: rhopkins
memberUid: bonjour

You map domain groups to POSIX groups using the "net groupmap" command; the
RID:GID relationship is completely arbitrary. They might be the same, might
not, it just doesn't matter.

I have no idea what "GID's mapped to i.e. RID 512, and these GID is used by
another group" even means. How is a GID "used by another group"? The GID is
the unique identifier of a POSIX group. If you have multiple groups with the
same GID - that is just messed up. With "net groupmap" you establish the
relationships of SIDs to GIDs; the RID is just the part of the SID relative to
the domain portion of the SID.

> I had this problem one week ago, when I was trying to give permissions
> to a folder. So, choose N GID's to map with samba RID's or change the
> group GID of these conflicting groups. Be also careful with UID.
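Added example, not code from the thread or from Samba: a small audit script that reads ldapsearch-style LDIF, extracts the RID from each sambaSID to show it is independent of gidNumber, flags a sambaGroupMapping object with no sambaSID (the "incomplete" mapping in the earlier reply) and flags a gidNumber shared by more than one posixGroup (the "messed up" case above). The LDIF below is constructed, modelled on the output quoted in this thread; the sambaSID is the one shown above.

```python
import base64
from collections import defaultdict

# Constructed sample shaped like "ldapsearch -LLL" output; not real directory entries.
SAMPLE_LDIF = """\
dn: cn=cifsadmins,ou=Groups,ou=SAM,o=Example,c=US
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1999
sambaSID: S-1-5-21-2037442776-3290224752-88127236-512

dn: cn=usrgrp,ou=Group,dc=example,dc=org
objectClass: posixGroup
userPassword:: e2NyeXB0fXg=
gidNumber: 512

dn: cn=Domain Admins,ou=groups,o=smb,dc=example,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
"""

def parse_ldif(text):
    """Split LDIF into a list of {attribute: [values]} dicts; '::' marks a base64 value."""
    entries = []
    for record in text.strip().split("\n\n"):      # a blank line separates records
        entry = defaultdict(list)
        for line in record.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):                # "attr:: base64value"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry[attr].append(value.strip())
        entries.append(entry)
    return entries

def rid_of(sid):
    """The RID is only the last sub-authority of the SID; it says nothing about gidNumber."""
    return int(sid.rsplit("-", 1)[1])

def audit_groups(entries):
    """Report sambaGroupMapping objects lacking sambaSID and gidNumbers shared by posixGroups."""
    missing_sid, by_gid = [], defaultdict(list)
    for e in entries:
        dn, classes = e["dn"][0], e.get("objectClass", [])
        if "posixGroup" in classes:
            for gid in e.get("gidNumber", []): by_gid[gid].append(dn)
        if "sambaGroupMapping" in classes and not e.get("sambaSID"):
            missing_sid.append(dn)
    duplicates = {gid: dns for gid, dns in by_gid.items() if len(dns) > 1}
    return {"missing_sid": missing_sid, "duplicate_gid": duplicates}
```

Run `audit_groups(parse_ldif(SAMPLE_LDIF))`; on a real directory, feed it the output of an ldapsearch over your group subtree instead of the sample.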
Re: [Samba] gidNumber's and ldap backed samba PDC
Despite that RID!=GID, mappings between samba rids and groups must be there if
you want the server to act as a PDC. If there are some GID's mapped to i.e.
RID 512, and these GID is used by another group, then there will be a
conflict.

I had this problem one week ago, when I was trying to give permissions to a
folder. So, choose N GID's to map with samba RID's or change the group GID of
these conflicting groups. Be also careful with UID.

2009/3/24 Adam Tauno Williams :
> On Tue, 2009-03-24 at 12:10 -0500, Derek Werthmuller wrote:
>> In the planning process for migrating from NT4 PDC, and external ldap
>> directory to samba 3.2.8 PDC. The external existing openldap directory is
>> used currently to support the local uid mapping for the Linux logins and
>> samba file servers that are members of the current NT4 PDC.
>> While looking at the existing openldap UIDs and GIDs in use and what the
>> samba PDC wants to use I see some uid/gid collisions. For example I see
>> that the Domain Admins uses gid 512, just so happens to be the same as a
>> file system group(in the ldap directory).
>
> No, it doesn't. RID != GID. A RID is a component of the SID and SIDs
> are mapped to UIDs & GIDs.
>
>> Is it better to change the users group gid and leave the samba domain admins
>> and such the way they are?
>
> Not necessary.
>
>> I suspect a small shell script can crawl the file system and replace one gid
>> for another if I were to change the users GID.
RE: [Samba] gidNumber's and ldap backed samba PDC
Ok I see it appears that the ldap entries that samba needs in the directory
are under a different O. ou=groups,o=smb,dc=unav,dc=es for example.

dn: cn=Domain Admins,ou=groups,o=smb,dc=unav,dc=es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins

Where my user/file system groups would be under traditional ldap entries
like:

dn: cn=usrgrp,ou=Group,dc=ct,dc=unav,dc=es
objectClass: posixGroup
objectClass: top
cn: usrgrp
userPassword:: e2NyexB0fX9g=
gidNumber: 512
creatorsName: cn=Manager, dc=ct,dc=unav,dc=es
createTimestamp: 20021007160601Z
modifiersName: cn=Manager,dc=ct,dc=unav,dc=es
modifyTimestamp: 20081205192619Z

This right?

Thanks
Derek

-----Original Message-----
From: samba-bounces+dwerthmu=ctg.albany@lists.samba.org
[mailto:samba-bounces+dwerthmu=ctg.albany@lists.samba.org] On Behalf Of Adam Tauno Williams
Sent: Tuesday, March 24, 2009 1:38 PM
To: 'samba@lists.samba.org'
Subject: Re: [Samba] gidNumber's and ldap backed samba PDC

On Tue, 2009-03-24 at 12:10 -0500, Derek Werthmuller wrote:
> In the planning process for migrating from NT4 PDC, and external ldap
> directory to samba 3.2.8 PDC. The external existing openldap directory
> is used currently to support the local uid mapping for the Linux
> logins and samba file servers that are members of the current NT4 PDC.
> While looking at the existing openldap UIDs and GIDs in use and what
> the samba PDC wants to use I see some uid/gid collisions. For example
> I see that the Domain Admins uses gid 512, just so happens to be the
> same as a file system group(in the ldap directory).

No, it doesn't. RID != GID. A RID is a component of the SID and SIDs are
mapped to UIDs & GIDs.

> Is it better to change the users group gid and leave the samba domain
> admins and such the way they are?

Not necessary.

> I suspect a small shell script can crawl the file system and replace
> one gid for another if I were to change the users GID.
Re: [Samba] gidNumber's and ldap backed samba PDC
On Tue, 2009-03-24 at 12:10 -0500, Derek Werthmuller wrote:
> In the planning process for migrating from NT4 PDC, and external ldap
> directory to samba 3.2.8 PDC. The external existing openldap directory is
> used currently to support the local uid mapping for the Linux logins and
> samba file servers that are members of the current NT4 PDC.
> While looking at the existing openldap UIDs and GIDs in use and what the
> samba PDC wants to use I see some uid/gid collisions. For example I see
> that the Domain Admins uses gid 512, just so happens to be the same as a
> file system group(in the ldap directory).

No, it doesn't. RID != GID. A RID is a component of the SID and SIDs are
mapped to UIDs & GIDs.

> Is it better to change the users group gid and leave the samba domain admins
> and such the way they are?

Not necessary.

> I suspect a small shell script can crawl the file system and replace one gid
> for another if I were to change the users GID.