Rob,
Maybe I can shed some light on this for you. I have just set up a Samba
PDC + LDAP machine here. For the group assignments to work you will
still need to have a unix group on the machine. So you use the normal
method to add a unix group in the ldap directory. You can then add any
users you want to that group. So for example I setup the following unix
group in ldap:
# ntadmins, Groups, firerun, net
dn: cn=ntadmins,ou=Groups,dc=firerun,dc=net
cn: ntadmins
objectClass: top
objectClass: posixGroup
gidNumber: 1000
memberUid: root
memberUid: patrick
Then you will need to use the net tool to do a group mapping. First you
will need to look up the SID of the domain. So you will use "net
getlocalsid SID". Once you have the Domain SID you will use the following
command to map the unix group to a domain group:
net groupmap add sid=<domain sid>-512 ntgroup="Domain Admins"
unixgroup=ntadmins type=domain
That command will add the samba group mapping attributes and the
ntadmins group will now be the Domain Admins group on Windows clients.
Any users that are added to the ntadmins unix group will be members of
the Domain Admins group. To confirm the mapping just use "net groupmap
list."
Patrick
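The three steps above (create the posixGroup, look up the domain SID, map it with net groupmap) wired together as a shell script. This is an added example, not code from the thread or from Samba; it assumes the base DN dc=firerun,dc=net and the ntadmins group from the post, a hypothetical bind DN cn=admin,dc=firerun,dc=net, and that the "net getlocalsid" output has the form "SID for domain NAME is: S-1-5-21-...". With DRY_RUN=1 (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread. DRY_RUN=1 prints commands instead of running them.
DRY_RUN=${DRY_RUN:-1}
BASE_DN="dc=firerun,dc=net"              # from Patrick's LDIF
BIND_DN="cn=admin,$BASE_DN"              # placeholder admin DN, adjust to your directory

# Emit the LDIF for a posixGroup: cn, gidNumber, then one memberUid per member.
# Every memberUid listed here becomes a Domain Admin once the group is mapped to
# RID 512, so keep this list short and review it when it changes.
group_ldif() {
    cn=$1; gid=$2; shift 2
    printf 'dn: cn=%s,ou=Groups,%s\n' "$cn" "$BASE_DN"
    printf 'cn: %s\nobjectClass: top\nobjectClass: posixGroup\ngidNumber: %s\n' "$cn" "$gid"
    for uid in "$@"; do printf 'memberUid: %s\n' "$uid"; done
}

# Pull the S-1-5-21-... domain SID out of "net getlocalsid" output, assumed to look like
#   SID for domain FIRERUN is: S-1-5-21-10-20-30      (constructed sample line)
parse_sid() {
    sed -n 's/^SID for domain .* is: *\(S-1-5-21-[0-9-]*\).*$/\1/p'
}

# Build the "net groupmap add" command for a domain group with a well-known RID.
# 512 = Domain Admins (from the post); 513 = Domain Users and 514 = Domain Guests
# are the other standard RIDs and follow the same pattern.
groupmap_cmd() {  # args: domain_sid rid ntgroup unixgroup
    printf 'net groupmap add sid=%s-%s ntgroup="%s" unixgroup=%s type=domain' \
        "$1" "$2" "$3" "$4"
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else eval "$*"; fi; }

main() {
    # 1. create the unix group in the directory
    run "group_ldif ntadmins 1000 root patrick | ldapadd -x -D '$BIND_DN' -W"
    # 2. look up the domain SID (a constructed SID is used in dry-run mode)
    if [ "$DRY_RUN" = 1 ]; then sid="S-1-5-21-10-20-30"; else sid=$(net getlocalsid | parse_sid); fi
    [ -n "$sid" ] || { echo "could not determine domain SID" >&2; exit 1; }
    # 3. map the unix group to Domain Admins, then 4. confirm the mapping
    run "$(groupmap_cmd "$sid" 512 "Domain Admins" ntadmins)"
    run "net groupmap list"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run with `DRY_RUN=1 sh script.sh --run` first to inspect the commands, then with `DRY_RUN=0` on the PDC.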
Robert Rati wrote:
> I'm a little weak on how the groups assignments work with Samba and
> LDAP. The Samba HOWTO collection says to map each Domain Group to a
> UNIX system group, but if all authentication is done via LDAP (Unix
> and Windows) then do the groups still have to exist on the Samba Unix
> machine? Where do the RIDs fit into all this? I don't see a schema
> in LDAP for sambaGroup. Do I create the domain groups with the
> posixGroup schema and set their gid to a RID that will exist on the
> Windows machine (like 512 for Domain Admins)? Or do I just bypass the
> group mapping altogether and set a Domain Admins sambaPrimaryGroupSID
> to <SID>-512? Any help on this would be very helpful, as I think I'm
> confusing myself.
>
> Rob
>