Hi,

I have set up Samba 3.0.7 with LDAP and NetApp Filers as our file store. We are going to have lots of departmental shares. Firstly we want only people from their own dept to have access to their department share, but users from other departments may need access to other dept shares. I would like to set up permissions on each dept share so a group is applied, then every user is added to the group, but I can't seem to find a way for a user to be part of multiple groups: sambaPrimaryGroupSID isn't multi-valued, neither is gidNumber. Is there any way around this? Does anybody have suggestions?

I was thinking of groupmappings to either /etc/group or a posixGroup in LDAP (net groupmap).

Thanks

--
Daniel Wilson
Systems Administrator
IT & Communications Service
University of Sunderland
> every user is added to the group, but I can't seem to find a way for a
> user to be part of multiple groups, sambaPrimaryGroupSID isn't
> multi-valued, neither is gidNumber. Is there any way around this? Does
> anybody have suggestions?

Bone up on your UNIX group membership theory. Every user has a primary group that is specified in their user account. Secondary groups are applied 'backwards' to that setup. That means that users are added to the group's entry wherever that group is defined (/etc/group, ou=Groups in a 'standard' LDAP DIT). You can have many, many user entries in each group (up to something like 1024 characters for the list, I believe), and the user can be both specified in the group object and have their primary group as that group without causing issues.

There are a couple of commands that come in handy once you start setting up secondary group memberships, and they work differently on different OSs. groups <username> and id <username> give interesting output:

[root@mail log]# id pgienger
uid=2266(pgienger) gid=2028(itserv) groups=2028(itserv),3000(applied),2027(itadmin),2081(office),2082(projects),512(Domain Admins)
[root@mail log]# groups pgienger
pgienger : itserv applied itadmin office projects Domain Admins

--
Paul Gienger
Systems Architect, Applied Engineering Inc.
Office: 701-281-1884  Fax: 701-281-1322
URL: www.ae-solutions.com
mailto: pgienger@ae-solutions.com
> quigon1:~ # getent groups
> Unknown database: groups

Oh yeah, duh... you know, I thought I made a mistake once, but then when I re-examined the situation, it turned out that I didn't... AAAANYWAY, the populate script made this for me:

[fgoserv:tmp]# getent group "Domain Admins"
Domain Admins::512:Administrator,pgienger,smoorhou,rklose,speterso

but I see you have an ntadmin and nothing like the "Domain Users", so I wonder if you used an old version of the script package. I would suggest getting the newest version of the tool package and re-running the populate script.

> quigon1:~ # groups ws0dwi
> id: cannot find name for group ID 901
> quigon1:~ # id ws0dwi
> uid=186712(ws0dwi) gid=901 groups=901

This leads me to ask where group 901 is/should be coming from. Did you start making Samba groups in LDAP without creating them as POSIX groups first? The procedure should be to make the group in UNIX (presumably you should do this in LDAP with whatever tool you like: gq, phpldapadmin, bare-metal LDIF file input) and then do a groupmapping with a "net groupmap add" command.

> yes my groups were created using smbldap-populate.pl, but I can't see
> it being mapped to any UNIX group, which group should it be mapped to
> and how is that done?

Again, this should all be taken care of for you.
You should end up with this (among some others, perhaps):

[fgoserv:tmp]# /opt/samba/bin/net groupmap list
Domain Admins (S-1-5-21-112718084-1284083569-2990761952-512) -> Domain Admins
Domain Users (S-1-5-21-112718084-1284083569-2990761952-513) -> Domain Users
Domain Guests (S-1-5-21-112718084-1284083569-2990761952-514) -> Domain Guests
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
Domain Computers (S-1-5-21-112718084-1284083569-2990761952-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Power Users (S-1-5-32-547) -> Power Users

--
Paul Gienger
> We are going to lots of departmental shares, firstly we want only people...
> anybody have suggestions?
>
> I was thinking of groupmappings to either /etc/group or a posixGroup in
> LDAP (net groupmap)

There's something you should know in regards to posixGroup if you don't already. The LDAP schema for it is way out of date, and the consequence is that group-based access to the database using posixGroup is broken. Use duplicate groups of the type "groupOfNames" until they get it fixed.

Jim C.