Hi all,

I'm testing group mapping, wondering how it works exactly... I thought Samba was storing a mapping table allowing to retrieve info on Unix/Windows groups in a DYNAMIC way. Unfortunately, group mapping seems to be static; here is what I did:

[I'm using Samba b3v3 + LDAP, WITHOUT nss-ldap/pam-ldap/winbind -> everything is stored in my /etc/passwd and /etc/group + in LDAP for Samba accounts]

1) Created Unix group (let's say domusers):

    groupadd domusers

2) Created LDAP group, with ldapadd, and a file containing:

    dn: cn=domusers,ou=Users,dc=domain,dc=org
    objectClass: posixGroup
    gidNumber: 1001
    cn: domusers
    memberUid: foo

3) Created Unix user (foo, primary group domusers):

    useradd -g domusers foo

4) Created group mapping:

    net groupmap add sid=<mySID>-513 unixgroup=domusers ntgroup="Domain Users" type=domain

(then "net groupmap list", OK)

5) Finally, created LDAP (samba) user:

    smbpasswd -a foo

Ok, no problem, foo gets the domain local sid + the domain users rid as SambaPrimaryGroupSid, he IS a Win Domain User.

Here is what I don't understand: if I delete the group mapping or modify it, the SambaPrimaryGroupSid of foo isn't modified! Foo remains a Domain User... Another example: if I create first the user, then the mapping, the user doesn't get the new SambaPrimaryGroupSid and doesn't become a Domain User...

Am I missing something? Is the mapping only used while creating users? I thought the table was used in a more dynamic way... Is there a technical limit in implementing this function this way? Please help me...

Regards,

Ganaël.

On Mon, 4 Aug 2003, Ganael LAPLANCHE wrote:

> Hi all,
>
> I'm testing group mapping, wondering how it works exactly...
> I thought Samba was storing a mapping table allowing to retrieve info on
> Unix/Windows groups in a DYNAMIC way. Unfortunately, group mapping seems to
> be static; here is what I did:

net groupmap sets up static mappings. winbindd can assign mappings between group SIDs and gids dynamically.

> Here is what I don't understand: if I delete the group mapping or modify
> it, the SambaPrimaryGroupSid of foo isn't modified! Foo remains a
> Domain User... Another example: if I create first the user, then the
> mapping, the user doesn't get the new SambaPrimaryGroupSid and doesn't
> become a Domain User...
>
> Am I missing something? Is the mapping only used while creating users?
> I thought the table was used in a more dynamic way... Is there a
> technical limit in implementing this function this way? Please help
> me...

For now you just have to make sure to clean up both entries. Sorry. It's on the todo list somewhere to fix.

cheers, jerry
----------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
"You can never go home again, Oatman, but I guess you can shop there."
--John Cusack - "Grosse Point Blank" (1997)
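
Added example, not part of the original thread or of Samba: because the stored primary group SID is not updated when a mapping changes, an administrator can audit for accounts whose SID no longer matches the current map. It assumes `net groupmap list` prints lines of the form `NT name (SID) -> unixgroup` and that the Samba accounts have been exported as plain LDIF; the domain SID, users and gids below are constructed sample data.

```python
import re

# Constructed sample data (not from the thread); plain, unfolded LDIF values are assumed.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
GROUPMAP = f"Domain Admins ({DOMAIN_SID}-512) -> domadmins\n"  # domusers mapping was deleted
PASSWD = "foo:x:1001:1001::/home/foo:/bin/sh\nbar:x:1002:1002::/home/bar:/bin/sh\n"
GROUP = "domusers:x:1001:\ndomadmins:x:1002:\n"
LDIF = f"""\
dn: uid=foo,ou=Users,dc=domain,dc=org
uid: foo
sambaPrimaryGroupSID: {DOMAIN_SID}-513

dn: uid=bar,ou=Users,dc=domain,dc=org
uid: bar
sambaPrimaryGroupSID: {DOMAIN_SID}-512
"""

def parse_groupmap(text):
    """Map unix group name -> SID from 'NT name (SID) -> unixgroup' lines."""
    pat = re.compile(r"^.*\((S-[\d-]+)\)\s*->\s*(\S+)\s*$")
    return {m.group(2): m.group(1) for m in map(pat.match, text.splitlines()) if m}

def parse_ldif(text):
    """Map uid -> stored sambaPrimaryGroupSID (attribute names are case-insensitive)."""
    users = {}
    for entry in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in entry.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip().lower()] = value.strip()
        if "uid" in attrs and "sambaprimarygroupsid" in attrs:
            users[attrs["uid"]] = attrs["sambaprimarygroupsid"]
    return users

def find_stale(groupmap, passwd, group, ldif):
    """Return (uid, stored_sid, expected_sid) where the account disagrees with the map."""
    sid_of = parse_groupmap(groupmap)
    name_of_gid = {f[2]: f[0] for f in (l.split(":") for l in group.splitlines()) if len(f) >= 3}
    gid_of_user = {f[0]: f[3] for f in (l.split(":") for l in passwd.splitlines()) if len(f) >= 4}
    stale = []
    for uid, stored in sorted(parse_ldif(ldif).items()):
        expected = sid_of.get(name_of_gid.get(gid_of_user.get(uid)))
        if stored != expected:
            stale.append((uid, stored, expected))
    return stale

if __name__ == "__main__":
    for uid, stored, expected in find_stale(GROUPMAP, PASSWD, GROUP, LDIF):
        print(f"{uid}: stored {stored}, map now gives {expected}")
```

An expected value of `None` means the user's Unix primary group has no mapping at all, which is the deleted-mapping case from the thread where foo still carries the Domain Users SID.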