Hi list,

If I have multiple Samba member servers in a domain can I store the groupmap data in LDAP? When I try this I get this error

# net groupmap add ntgroup=Everyone unixgroup=nobody
No rid or sid specified, choosing algorithmic mapping
adding entry for group nobody failed!

But this works correctly (creates account in LDAP server)

smbpasswd -a username password

the LDAP config in my smb.conf is as follows,

security = ads
encrypt passwords = yes
idmap backend = ldap:ldap://bbcwwp-sun19.worldwide.bbc.co.uk/
passdb backend = ldapsam:"ldap://bbcwwp-sun19.worldwide.bbc.co.uk ldap://bbcwwp_sun21.worldwide.bbc.co.uk"
ldap suffix = dc=worldwide,dc=bbc,dc=co,dc=uk
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=machines,ou=Samba
ldap idmap suffix = ou=idmap,ou=Samba
ldap admin dn = uid=sambaadmin,ou=Special Users,dc=worldwide,dc=bbc,dc=co,dc=uk
ldap ssl = no

any answers much appreciated,

thanks Andy.

ww m-pubsyssamba wrote:
| Hi list,
|
| If I have multiple Samba member servers in a domain can I store the groupmap data in LDAP? When I try this I get this error
|
| # net groupmap add ntgroup=Everyone unixgroup=nobody
| No rid or sid specified, choosing algorithmic mapping
| adding entry for group nobody failed!
|
| But this works correctly (creates account in LDAP server)
|
| smbpasswd -a username password
|
| the LDAP config in my smb.conf is as follows,
|
| security = ads
| encrypt passwords = yes
| idmap backend = ldap:ldap://bbcwwp-sun19.worldwide.bbc.co.uk/
| passdb backend = ldapsam:"ldap://bbcwwp-sun19.worldwide.bbc.co.uk ldap://bbcwwp_sun21.worldwide.bbc.co.uk"
| ldap suffix = dc=worldwide,dc=bbc,dc=co,dc=uk
| ldap user suffix = ou=People
| ldap group suffix = ou=Groups
| ldap machine suffix = ou=machines,ou=Samba
| ldap idmap suffix = ou=idmap,ou=Samba
| ldap admin dn = uid=sambaadmin,ou=Special Users,dc=worldwide,dc=bbc,dc=co,dc=uk
| ldap ssl = no
|
| any answers much appreciated,
|
| thanks Andy.

Sorry but it seems to me that security = ads and idmap backend and ldap backend don't play nice together. In the case that you have an AD member server you should remove anything about passdb backend and ldap suffixes, except the idmap one. But if your server is the DC of the Domain, you should have security = user.

Cheers,
Geza

Thanks for your reply.

Ah, the whole reason I'm using LDAP passdb backend for AD member servers is because winbind won't work correctly in large AD domains when running on Solaris systems. The idmap settings in my smb.conf are actually redundant, I have tried commenting them out but this makes no difference to my problem.

Does anyone on the technical list have any comments on this, can future versions of Samba be modified to work with this type of configuration?

thanks Andy.