On Thu, Nov 23, 2000 at 05:13:06PM +0100, robert.gehr@web2cad.de
wrote:
> Hello
>
> I just set up a LDAP server for user and group management. From the OS
> level this works fine and all group permissions etc. are working just the
> way they ought to.
> The idea was (and still is) to use the LDAP server as a repository for each
> Samba server. I set up the /etc/nsswitch.conf file on each Samba server
> accordingly and when I connect from a Win$ box I can log into a samba share
> and the existence of the Unix account is checked against LDAP.
I have a very similar setup (testing phase right now, hopefully going
live next week :)
> I tried the following.
>
> User: Member of Group:
>
> john sales, marketing, all
> jack sales, all
> fred all
>
> the default (primary) group for all users is group "all"
>
>
> I defined a share "testing" on Samba saying "valid users = +sales" and
> behold only john and jack are able to connect.
> I redefined the share to "valid users = +all" and john, jack, and fred can
> connect.
> I created a directory under testing named "budget" and did a "chown
> fred:sales and a chmod 770 for that thing"
> As root I do a "su john" changed into budget and created a file without a
> hitch.
what were the user/group and access rights of this file when you created it
on Unix?
correct me if i am wrong, but if a user creates a file, the group is always
the user's primary group.
> From Windows I tried to create a directory as user john under budget and
> get "no permission"
> I define a "force group = sales" for that share and it works.
i use force group on most of my shares (that's the reason why the
"force group" parameter exists)
> Now this isn't of much use, of no use at all to be true so I put all the
what's the problem with "force groups"?
> information from the Ldap server into /etc/passwd /etc/group
> adjusted /etc/nsswitch turned the Ldap server off and everything worked as
> expected.
>
> Why is the LDAP server in conjunction with samba always coming along with
> the default group ID not checking whether the user belongs to any other
> groups that would permit the requested action as it is on the OS level or
> when using the /etc files ???
> Strangely enough it must be checking for additional groups in the first
> place for when I connect to the share being defined as "valid users
> +sales" the connect succeeds and I can mount the thing.
>
> If I could get this solved that would make it ready to go.
Manuel
--
.-. | Manuel Bessler
/v\ L I N U X | <manuel@varxec.de>,
<m.bessler@gmx.net>
// \\ >Phear the Penguin< |
/( )\ | Debian/GNU Linux user
^^-^^
GPG Fingerprint: 278D 2DC2 8A3E 9AEE 98F1 71D2 B224 68D1 1240 28BC
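Added worked example (not part of the thread, and not Samba's own code): a small POSIX sh model of the permission check behind Robert's "budget" directory (fred:sales, chmod 770). The user/group table is constructed from the one in his mail, with "all" as everyone's primary group. It shows the three outcomes the thread describes: the connect check for "valid users = +sales" passes for john and jack, writing into the 770 directory succeeds when supplementary groups are counted (as the OS does), fails when only the primary group is counted (the symptom reported), and succeeds again when "force group = sales" supplies the group. Why Samba plus nss_ldap ends up with the primary group only is not modelled here; the script is only a way to check which of the three cases a server is in.

```sh
#!/bin/sh
# Added illustration, not code from the thread: models the Unix group
# check on a directory owned by fred:sales with mode 770, and shows how
# the result changes with the group list the server builds for the user.
# The records below are constructed from the table in the thread.

# Constructed /etc/group-style records (name:passwd:gid:members).
GROUP_DB='all:x:100:john,jack,fred
sales:x:101:john,jack
marketing:x:102:john'

# Primary group of a user (constructed: "all" for everyone, as in the thread).
primary_group() {
    echo all
}

# Supplementary groups of a user, read from GROUP_DB; this is what
# `id -Gn user` lists once the name service (here standing in for
# nss_ldap) returns complete group membership.
supp_groups() {
    printf '%s\n' "$GROUP_DB" | awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# Is `user` a member of `group`, primary or supplementary? Prints yes/no.
# This mirrors the "valid users = +group" connect check from the thread.
in_group() {
    user=$1; want=$2
    for g in $(primary_group "$user") $(supp_groups "$user"); do
        [ "$g" = "$want" ] && { echo yes; return 0; }
    done
    echo no
}

# May `user` create entries in a directory "owner:dgroup" with mode 770?
# `mode` selects how the server builds the user's group list:
#   nss      primary + supplementary groups (what the OS does on login)
#   primary  primary group only (matches the symptom reported in the thread)
#   force    the share's "force group" is used as the group; supplementary
#            groups are left out to mirror the primary-only case
can_write() {
    user=$1; owner=$2; dgroup=$3; mode=$4; forced=$5
    [ "$user" = "$owner" ] && { echo yes; return 0; }
    case $mode in
        nss)     groups="$(primary_group "$user") $(supp_groups "$user")" ;;
        primary) groups="$(primary_group "$user")" ;;
        force)   groups="$forced" ;;
        *)       echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    for g in $groups; do
        [ "$g" = "$dgroup" ] && { echo yes; return 0; }
    done
    echo no
}

# Walk the three users through the "budget" directory (fred:sales, 770).
for u in john jack fred; do
    printf '%-5s connect(+sales)=%s  nss=%s  primary-only=%s  force-group=%s\n' \
        "$u" "$(in_group "$u" sales)" \
        "$(can_write "$u" fred sales nss)" \
        "$(can_write "$u" fred sales primary)" \
        "$(can_write "$u" fred sales force sales)"
done
```

Run it with `sh`; the table it prints shows john and jack passing the connect check but failing the write only in the primary-only column, and fred (the directory owner) succeeding everywhere. On a real server the same comparison is `id -Gn john` on the Samba host versus the group the Samba process actually runs the session under; if the first lists sales and the second does not, the gap is in group resolution rather than in the file mode.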