I am (still) following the How To for integrating Samba with FDS and I am working on adding Samba groups to FDS.

Everything went well until I got to the "net groupmap" section. For each net groupmap command I got a "Can't lookup UNIX group Domain Admins" message.

Were the group names specified in the previous steps merely examples? I have a bare install and haven't created any groups in unix (other than those created with new users) nor have I created any in Samba.

If they were not simply examples are these messages expected or is something else wrong?

Thanks,
-Mont
Mont Rothstein wrote:
> Were the group names specified in the previous steps merely examples?
> I have a bare install and haven't created any groups in unix (other
> than those created with new users) nor have I created any in Samba.

They are not examples, but you will have to change DN's etc.

--
Pete
Mont Rothstein
2006-Mar-17 00:53 UTC
Re: [Fedora-directory-users] Adding Samba Groups to FDS
I apologize for being so ignorant but I don't know what you mean by "change DNs etc".

In my sambaGroups.ldif my dn's look like:

dn: cn=Domain Admins,ou=Groups,dc=forayadams,dc=foray,dc=com

which as far as I know is correct for my setup.

What am I missing?

Thanks,
-Mont

On 3/16/06, Pete Rowley <prowley@redhat.com> wrote:
> Mont Rothstein wrote:
>
> > Were the group names specified in the previous steps merely examples?
> > I have a bare install and haven't created any groups in unix (other
> > than those created with new users) nor have I created any in Samba.
>
> They are not examples, but you will have to change DN's etc.
>
> --
> Pete
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Mont Rothstein wrote:
> I apologize for being so ignorant but I don't know what you mean by
> "change DNs etc".
>
> In my sambaGroups.ldif my dn's look like:
>
> dn: cn=Domain Admins,ou=Groups,dc=forayadams,dc=foray,dc=com
>
> which as far as I know is correct for my setup.
>
> What am I missing?

That's fine, I was simply referring to the suffix.

--
Pete
Mont Rothstein
2006-Mar-17 01:16 UTC
Re: [Fedora-directory-users] Adding Samba Groups to FDS
If my dn is fine then do you know why I am getting the "Can't lookup UNIX group Domain Admins" message?

Can I safely ignore it?

-Mont

On 3/16/06, Pete Rowley <prowley@redhat.com> wrote:
> Mont Rothstein wrote:
>
> > I apologize for being so ignorant but I don't know what you mean by
> > "change DNs etc".
> >
> > In my sambaGroups.ldif my dn's look like:
> >
> > dn: cn=Domain Admins,ou=Groups,dc=forayadams,dc=foray,dc=com
> >
> > which as far as I know is correct for my setup.
> >
> > What am I missing?
>
> That's fine, I was simply referring to the suffix.
>
> --
> Pete
Mont Rothstein wrote:
> If my dn is fine then do you know why I am getting the "Can't lookup
> UNIX group Domain Admins" message?
>
> Can I safely ignore it?

When you do an ldap search using the credentials that Samba uses, can you see those entries?

--
Pete
grep Groups /etc/ldap.conf

I bet you get nothing...

then

grep Group /etc/ldap.conf

I think your answer lies within

Craig

On Thu, 2006-03-16 at 16:53 -0800, Mont Rothstein wrote:
> I apologize for being so ignorant but I don't know what you mean by
> "change DNs etc".
>
> In my sambaGroups.ldif my dn's look like:
>
> dn: cn=Domain Admins,ou=Groups,dc=forayadams,dc=foray,dc=com
>
> which as far as I know is correct for my setup.
>
> What am I missing?
>
> Thanks,
> -Mont
Mont Rothstein
2006-Mar-17 16:58 UTC
Re: [Fedora-directory-users] Adding Samba Groups to FDS
Here is the output I get:

./ldapsearch -p 3911 -b "dc=forayadams,dc=foray,dc=com" -D "cn=directory manager" -w - "objectclass=*" | grep Domain
Enter bind password:
dn: sambaDomainName=FORAYADAMS,dc=forayadams,dc=foray,dc=com
sambaDomainName: FORAYADAMS
objectClass: sambaDomain
dn: cn=Domain Admins,ou=Groups,dc=forayadams,dc=foray,dc=com
cn: Domain Admins
dn: cn=Domain Users,ou=Groups,dc=forayadams,dc=foray,dc=com
cn: Domain Users
dn: cn=Domain Guests,ou=Groups,dc=forayadams,dc=foray,dc=com
cn: Domain Guests
dn: cn=Domain Computers,ou=Groups,dc=forayadams,dc=foray,dc=com
cn: Domain Computers

So, the groups appear to be in FDS but it sounded like it couldn't see them in Unix.

Thoughts?

-Mont

On 3/16/06, Pete Rowley <prowley@redhat.com> wrote:
> Mont Rothstein wrote:
>
> > If my dn is fine then do you know why I am getting the "Can't lookup
> > UNIX group Domain Admins" message?
> >
> > Can I safely ignore it?
>
> When you do an ldap search using the credentials that Samba uses, can
> you see those entries?
>
> --
> Pete
Mont Rothstein
2006-Mar-17 17:41 UTC
Re: [Fedora-directory-users] Adding Samba Groups to FDS
I get output for both, but it is all commented out. I don't know what this means.

Here is my output:

[root@rheles4rs1 bin]# grep Groups /etc/ldap.conf
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
[root@rheles4rs1 bin]# grep Group /etc/ldap.conf
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
# Group member attribute
#nss_base_group ou=Group,dc=example,dc=com?one
#nss_map_objectclass posixGroup Group
#nss_map_objectclass posixGroup Group
#nss_map_objectclass posixGroup group
#nss_map_objectclass posixGroup aixAccessGroup

Does this mean something to you?

-Mont

On 3/16/06, Craig White <craigwhite@azapple.com> wrote:
> grep Groups /etc/ldap.conf
>
> I bet you get nothing...
>
> then
>
> grep Group /etc/ldap.conf
>
> I think your answer lies within
>
> Craig
of course...it is why

nss_base_passwd works and why
nss_base_group doesn't work

and why getent passwd works and why
getent group doesn't work

Craig

On Fri, 2006-03-17 at 09:41 -0800, Mont Rothstein wrote:
> I get output for both, but it is all commented out. I don't know what
> this means.
>
> Here is my output:
>
> [root@rheles4rs1 bin]# grep Groups /etc/ldap.conf
> #pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
> [root@rheles4rs1 bin]# grep Group /etc/ldap.conf
> # Group to enforce membership of
> #pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
> # Group member attribute
> #nss_base_group ou=Group,dc=example,dc=com?one
> #nss_map_objectclass posixGroup Group
> #nss_map_objectclass posixGroup Group
> #nss_map_objectclass posixGroup group
> #nss_map_objectclass posixGroup aixAccessGroup
>
> Does this mean something to you?
>
> -Mont
Mont Rothstein
2006-Mar-20 18:10 UTC
Re: [Fedora-directory-users] Adding Samba Groups to FDS
Figured this out. Once again (I think I am being punished) it was the fact that I followed the install guide's advice and didn't use the default port.

Once I added the port to ldap.conf (via a URI) the net groupmap add started working.

-Mont

On 3/17/06, Craig White <craigwhite@azapple.com> wrote:
> of course...it is why
>
> nss_base_passwd works and why
> nss_base_group doesn't work
>
> and why getent passwd works and why
> getent group doesn't work
>
> Craig
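
The two things this thread turned on, a directory server on a non-default port and group settings that exist only as comments in /etc/ldap.conf, can be checked mechanically. The script below is an added example, not part of the thread: it reads an nss_ldap-style ldap.conf, skips commented-out lines, and reports the port and group search base that are actually in effect. The sample files are constructed and the host name localhost is an assumption; port 3911 and the suffix are taken from the messages above.

```shell
#!/bin/sh
# Added example (not from the thread): report what an nss_ldap-style ldap.conf
# actually puts into effect, ignoring commented-out lines.

# Print the value of the first active (uncommented) line for a directive.
active_directive() {    # $1 = config file, $2 = directive name
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Port the client will contact: from "uri" if set, else "port", else the default.
effective_port() {      # $1 = config file
    uri=$(active_directive "$1" uri | awk '{ print $1 }')   # first URI only
    if [ -n "$uri" ]; then
        hostport=${uri#*://}; hostport=${hostport%%/*}
        case "$hostport" in
            *:*) echo "${hostport##*:}" ;;
            *)   case "$uri" in ldaps://*) echo 636 ;; *) echo 389 ;; esac ;;
        esac
    else
        port=$(active_directive "$1" port)
        echo "${port:-389}"
    fi
}

# Search base used for group lookups: nss_base_group if active, else "base".
effective_group_base() {  # $1 = config file
    gb=$(active_directive "$1" nss_base_group)
    [ -n "$gb" ] && echo "${gb%%\?*}" || active_directive "$1" base
}

# Constructed sample files: "before" has no server port set, "after" adds a URI.
# The host name localhost is an assumption; port and suffix come from the thread.
before=$(mktemp); after=$(mktemp)
cat > "$before" <<'EOF'
host localhost
base dc=forayadams,dc=foray,dc=com
#nss_base_group ou=Group,dc=example,dc=com?one
EOF
cat > "$after" <<'EOF'
uri ldap://localhost:3911/
base dc=forayadams,dc=foray,dc=com
nss_base_group ou=Groups,dc=forayadams,dc=foray,dc=com?one
EOF
for f in "$before" "$after"; do
    echo "port=$(effective_port "$f") group_base=$(effective_group_base "$f")"
done
```

Comparing the reported port with the -p value that works for ldapsearch shows the mismatch before getent group or net groupmap is tried.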