Etienne,
Please refer to the "Samba-3 by Example" book Chapters 5 and 6 for detailed
worked examples of how to use Samba-3 with LDAP. You can download the latest
version of this book from: http://www.samba.org/samba/docs/Samba-Guide.pdf
When you have it all figured out, please send me your patches to help make the
Samba-HOWTO-Collection much clearer. We very much appreciate user
contributions as we believe that the knowledge of the masses makes Samba a
better proposition.
I apologize for any lack of clarity in the Samba-HOWTO-Collection - but do
point out that it is a "green" document. This means it is constantly updated,
either as I receive tips, suggestions - and in particular contributions. The
latest version can be found on the Samba web site as:
http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
I look forward to your assistance to make Samba a better product.
Cheers,
John T.
On Tuesday 09 November 2004 11:37, Etienne Goyer wrote:
> Hi,
>
> Two questions regarding the use of group map combined with ldapsam.
>
> First, the Official HOWTO is relatively unclear about what needs to be
> done wrt group map when using ldapsam. It states it is the
> responsibility of the admin to add the group map to the ldap backend,
> but nothing else. What needs to be in an LDAP groupmap object? I tried
> the following LDIF, and it seems to work using "net groupmap list":
>
> # Domain Users, Group, domain.com
> dn: displayName=Domain Users,ou=Group,dc=domain,dc=com
> objectClass: sambaSidEntry
> objectClass: sambaGroupMapping
> gidNumber: 100
> description: Netbios Domain Users
> sambaSID: S-1-5-21-3952100455-2014430628-1234567890-513
> sambaGroupType: 2
> displayName: Domain Users
>
> Notice that the object is not of objectClass posixAccount. Also note
> that the gidNumber is the one of the "users" group, defined in
> /etc/group. Similarly, I want to map the "Domain Guests" group to Unix
> group nobody, and "Domain Admins" to group root. Are there implications
> I should be aware of? Any better way to achieve similar results?
>
>
> Also, I can list group map with "net groupmap list", but I fail to add
> any groupmap. Example:
>
> [root@server root]# net groupmap add ntgroup=blah unixgroup=wheel
> No rid or sid specified, choosing algorithmic mapping
> adding entry for group blah failed!
>
> Logs are silent. How come? Are we supposed to manage the group map
> at the LDAP level, and forego the use of "net groupmap" for this purpose?
>
> Thanks very much for your input!
>
> Etienne Goyer
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
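
A check for the kind of group map entry shown in the quoted LDIF, as an added example that is not part of either message or of Samba. It parses simple LDIF and flags missing attributes that samba.schema requires for sambaGroupMapping, a well-known RID whose displayName does not match, and a mapping to gid 0; the function names, the second sample entry and the assumption that gid 0 is the root group are this example's own.

```python
import re

# Well-known domain RIDs, and the attributes samba.schema marks MUST for sambaGroupMapping.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
REQUIRED = ("gidNumber", "sambaSID", "sambaGroupType")
DOMAIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

def parse_ldif(text):
    """Split simple LDIF (no folded lines, no base64 values) into attribute dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                key, value = line.split(":", 1)
                entry.setdefault(key.strip(), []).append(value.strip())
        entries.append(entry)
    return [e for e in entries if e]

def audit_entry(entry):
    """Findings for one group map entry; an empty list means nothing was flagged."""
    findings = [f"missing {a}" for a in REQUIRED if a not in entry]
    match = DOMAIN_SID.match(entry.get("sambaSID", [""])[0])
    rid = int(match.group(1)) if match else None
    name = entry.get("displayName", [""])[0]
    if "sambaSID" in entry and rid is None:
        findings.append("sambaSID is not a domain SID")
    if rid in WELL_KNOWN_RIDS and name != WELL_KNOWN_RIDS[rid]:
        findings.append(f"RID {rid} is {WELL_KNOWN_RIDS[rid]}, not {name!r}")
    if entry.get("gidNumber") == ["0"]:  # assumption: gid 0 is the Unix root group
        findings.append("maps to gid 0 (Unix root group)")
    return findings

SAMPLE = """\
# constructed sample; first entry is trimmed from the post, second is made up
dn: displayName=Domain Users,ou=Group,dc=domain,dc=com
objectClass: sambaGroupMapping
gidNumber: 100
sambaSID: S-1-5-21-3952100455-2014430628-1234567890-513
sambaGroupType: 2
displayName: Domain Users

dn: displayName=Domain Admins,ou=Group,dc=domain,dc=com
objectClass: sambaGroupMapping
gidNumber: 0
sambaSID: S-1-5-21-3952100455-2014430628-1234567890-512
sambaGroupType: 2
displayName: Domain Admins
"""
```

Calling `audit_entry` on each result of `parse_ldif(SAMPLE)` leaves the first entry unflagged and reports the gid 0 mapping on the second.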