To answer my own question, I had to use PADL's nss_ldap to make this work.
I'd thought with Solaris 9 and later I could get away with using the Sun
libraries, but obviously not.

Hope to help someone else

Cheers
Duncan

Duncan Brannen wrote:
> Hi All,
> I'm wondering if anyone can shed some light on a problem I'm
> having.
>
> I have a samba PDC with an LDAP backend, keeping the smb.conf file
> constant,
>
> When I have /etc/nsswitch.conf configured with
>
> groups: files ldap
>
> Then
>
> /usr/local/samba/bin/net rpc user info dbb
>
> only returns my primary group.
>
> If I have /etc/nsswitch.conf configured with
>
> groups: files nis
>
> Then all my groups are shown when running the same net rpc command.
>
> In both cases,
>
> groups dbb
> and
> id -a dbb
>
> show all the groups I am a member of,
>
> getent group groupName shows the members of the group and
>
> /usr/local/samba/bin/net groupmap list provides a list of groups (from
> LDAP) eg
>
> Domain Users (S-1-5-21-440367617-1876916578-3462541782-513) -> Domain Users
> Domain Guests (S-1-5-21-440367617-1876916578-3462541782-514) -> Domain Guests
> Domain Computers (S-1-5-21-440367617-1876916578-3462541782-553) -> Domain Computers
> Domain Vagrants (S-1-5-21-440367617-1876916578-3462541782-554) -> Domain Vagrants
> Domain Sidekicks (S-1-5-21-440367617-1876916578-3462541782-590) -> Domain Sidekicks
> Domain Admins (S-1-5-21-440367617-1876916578-3462541782-512) -> domadm
>
> The group objects in LDAP look like
>
> dn: cn=<groupName>,ou=Groups,dc=st-andrews,dc=ac,dc=uk
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: <Number>
> cn: <groupName>
> memberUid: user1
> memberUid: user2
> memberUid: ...
> description: Some Descriptive Term Here
> sambaSID: S-1-5-21-xxx-yyy-zzz-<gidNumber>
> sambaGroupType: 2
> displayName: Whatever
>
> where S-1-5-21-xxx-yyy-zzz is our domain SID
>
> Watching the ldap logs, when I run net rpc user info dbb,
>
> samba looks up all the groups root is in
> (&(objectClass=sambaGroupMapping)(gidNumber=...)),
> for sambaSID=s-1-5-32-544 and 545, then for a whole bunch of
> sambaSIDLists (I have none set up)
> or sambaGroupMapping,sambaGroupType=4
>
> It then looks up my account, searches for my primary group both by its
> gidNumber, then by its
> sambaSID, and then it stops.
>
> Is there extra configuration needed for looking up groups in ldap? It
> feels like an OS issue but the
> OS commands seem to return the correct output.
>
> OS is Solaris 10 sparc. Samba versions are 3.0.23c and 3.2.1
>
>
> Thanks,
> Duncan
>