Hi all,
I'm testing group mapping, wondering how it works exactly...
I thought Samba was storing a mapping table allowing to retrieve infos on
Unix/Windows groups in a DYNAMIC way. Unfortunately, group mapping seems to
be static, here is what I did :
[I'm using Samba b3v3 + LDAP, WITHOUT nss-ldap/pam-ldap/winbind ->
everything is stored in my /etc/passwd and /etc/group + in LDAP for Samba
accounts]
1) Created Unix group (let's say domusers) : groupadd domusers
2) Created LDAP group, with ldapadd, and a file containing :
dn: cn=domusers,ou=Users,dc=domain,dc=org
objectClass: posixGroup
gidNumber: 1001
cn: domusers
memberUid: foo
3) Created Unix user (foo, primary group domusers) : useradd -g domusers foo
4) Created Group mapping : net groupmap add sid=<mySID>-513 unixgroup=domusers ntgroup="Domain Users" type=domain (then "net groupmap list", OK)
5) Finally, created LDAP (samba) user : smbpasswd -a foo
Ok, no problem, foo gets the domain local sid + the domain users rid as
SambaPrimaryGroupSid, he IS a Win Domain User.
Here is what I don't understand : If I delete the groupmapping or modify
it, the SambaPrimaryGroupSid of foo isn't modified ! Foo remains a Domain
User...
Another example : if I create first the user, then the mapping : the user
doesn't get the new SambaPrimaryGroupSid and doesn't become a Domain
User...
Am I missing something ? Is the mapping only used while creating users ? I
thought the table was used in a more dynamic way... Is there a technical
limit in implementing this function this way ? Please help me...
Regards,
Ganaël.

On Mon, 4 Aug 2003, Ganael LAPLANCHE wrote:

> Hi all,
>
> I'm testing group mapping, wondering how it works exactly...
> I thought Samba was storing a mapping table allowing to retrieve infos on
> Unix/Windows groups in a DYNAMIC way. Unfortunately, group mapping seems to
> be static, here is what I did :

net groupmap sets up static mappings. winbindd can assign mappings
between group SIDs and gids dynamically.

> Here is what I don't understand : If I delete the groupmapping or modify
> it, the SambaPrimaryGroupSid of foo isn't modified ! Foo remains a
> Domain User... Another example : if I create first the user, then the
> mapping : the user doesn't get the new SambaPrimaryGroupSid and doesn't
> become a Domain User...
>
> Am I missing something ? Is the mapping only used while creating users ?
> I thought the table was used in a more dynamic way... Is there a
> technical limit in implementing this function this way ? Please help
> me...

For now you just have to make sure to clean up both entries. Sorry.
It's on the todo list somewhere to fix.

cheers, jerry
----------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
"You can never go home again, Oatman, but I guess you can shop there."
--John Cusack - "Grosse Point Blank" (1997)
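
A consistency check for the situation discussed in this thread, added here as an example and not written by either poster or by the Samba project: it compares each account's stored primary group SID with the current static mappings and lists accounts still pointing at a SID that is no longer mapped. The `net groupmap list` line format, the LDIF entries, the domain SID and the second user `bar` are constructed assumptions.

```python
import re

# Constructed sample of `net groupmap list` output (the domain SID is a placeholder).
GROUPMAP_LIST = """\
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> domadmins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> domusers
"""

# Constructed LDIF for two Samba accounts; the mapping bar relied on was deleted.
USERS_LDIF = """\
dn: uid=foo,ou=Users,dc=domain,dc=org
uid: foo
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513

dn: uid=bar,ou=Users,dc=domain,dc=org
uid: bar
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-1201
"""

# Assumed line shape: NT group name (SID) -> Unix group
MAP_LINE = re.compile(r"^(?P<nt>.+) \((?P<sid>S-[0-9-]+)\) -> (?P<unix>\S+)$")

def parse_groupmap(text):
    """Return {sid: (ntgroup, unixgroup)} from `net groupmap list` output."""
    mappings = {}
    for line in text.splitlines():
        m = MAP_LINE.match(line.strip())
        if m:
            mappings[m["sid"]] = (m["nt"], m["unix"])
    return mappings

def parse_users(ldif):
    """Return {uid: primary group SID} from blank-line separated LDIF entries."""
    users = {}
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in entry.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # attribute names are case-insensitive in LDAP
                attrs[key.strip().lower()] = value.strip()
        if "uid" in attrs and "sambaprimarygroupsid" in attrs:
            users[attrs["uid"]] = attrs["sambaprimarygroupsid"]
    return users

def stale_primary_groups(groupmap_text, ldif):
    """List (uid, sid) pairs whose stored SID has no current group mapping."""
    mapped = parse_groupmap(groupmap_text)
    return sorted((u, s) for u, s in parse_users(ldif).items() if s not in mapped)

if __name__ == "__main__":
    for uid, sid in stale_primary_groups(GROUPMAP_LIST, USERS_LDIF):
        print(f"{uid}: primary group SID {sid} has no group mapping")
```

The parser handles plain `attribute: value` lines only; folded or base64-encoded LDIF values would need a full LDIF reader.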