Hello all,

I could not find anything in the discussion groups or documentation about using LDAP and Unix group mappings.

The documentation states that in order to map unix groups to samba groups, you need to use the net group add command. However, I have an ldap backend and all my groups that I care about are in LDAP.

So I have a group called mainwdev.

dn: cn=test,ou=Group,dc=somewhere,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-582185903-2148186938-2210701745-801
sambaGroupType: 2
objectClass: top
cn: test
gidNumber: 801
memberUid: user1
memberUid: user2
memberUid: user3
memberUid: user4
memberUid: user5
memberUid: user6

Now, if I run "net groupmap list", I can see the group mapping as follows.

test (S-1-5-21-582185903-2148186938-2210701745-801) -> test

But when I attempt to log onto a share that only allows anyone that belongs to the group test (say user1), I get permission denied errors.

Do I still have to run the "net group map" command to establish a relationship between unix and samba groups?

Randall
Adam Tauno Williams
2007-Jul-18 15:50 UTC
[Samba] Using LDAP and Unix Group Group Mappings
> I could not find anything in the discussion groups or documentation
> about using LDAP and Unix group mappings.
> The documentation states that in order to map unix groups to samba
> groups, you need to use the net group add command. However, I have an
> ldap backend and all my groups, that I care about are in LDAP.

It makes no difference; groups from LDAP presented via NSS are "unix groups".

> So I have a group called mainwdev.
> dn: cn=test,ou=Group,dc=somewhere,dc=com
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> sambaSID: S-1-5-21-582185903-2148186938-2210701745-801
> sambaGroupType: 2
> objectClass: top
> cn: test
> gidNumber: 801
> memberUid: user1
> memberUid: user2
> memberUid: user3
> memberUid: user4
> memberUid: user5
> memberUid: user6
> Now, if I run "net groupmap list", I can see the group mapping as
> follows.
> test (S-1-5-21-582185903-2148186938-2210701745-801) -> test
> But when I attempt to log onto a share that only allows anyone that
> belongs to the group test (say user1), I get permission denied errors.

Are you running nscd? Did you restart/stop it and do your test? Always test with nscd disabled. Does "id user1" show him/her in group "test"?

> Do I still have to run "net group map" command to establish a
> relationship between unix and samba groups?

Looks like you already did.

-- 
Adam Tauno Williams, Network & Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org
On Wed, 2007-07-18 at 11:48 -0400, Adam Tauno Williams wrote:
> > I could not find anything in the discussion groups or documentation
> > about using LDAP and Unix group mappings.
> > The documentation states that in order to map unix groups to samba
> > groups, you need to use the net group add command. However, I have an
> > ldap backend and all my groups, that I care about are in LDAP.
>
> It makes no difference; groups from LDAP presented via NSS are "unix
> groups"
>
> > So I have a group called mainwdev.
> > dn: cn=test,ou=Group,dc=somewhere,dc=com
> > objectClass: posixGroup
> > objectClass: sambaGroupMapping
> > sambaSID: S-1-5-21-582185903-2148186938-2210701745-801
> > sambaGroupType: 2
> > objectClass: top
> > cn: test
> > gidNumber: 801
> > memberUid: user1
> > memberUid: user2
> > memberUid: user3
> > memberUid: user4
> > memberUid: user5
> > memberUid: user6
> > Now, if I run "net groupmap list", I can see the group mapping as
> > follows.
> > test (S-1-5-21-582185903-2148186938-2210701745-801) -> test
> > But when I attempt to log onto a share that only allows anyone that
> > belongs to the group test (say user1), I get permission denied errors.
>
> Are you running nscd? Did you restart/stop it and do your test? Always
> test with nscd disabled. Does "id user1" show him/her in group "test"?

I have had these groups configured for a long time, so they should be cached by nscd already. Nevertheless, I ran getent with the following output.

#getent group test
test::801:user1,user2,user3,user4,user5,user6

user1 clearly is being recognized by ldap, otherwise it would not show up in getent.

> > Do I still have to run "net group map" command to establish a
> > relationship between unix and samba groups?
>
> Looks like you already did.

Actually, I did not run the net group add command. In the SID, you will notice that the group id (GID) 801 is appended to the end of the SID.

Is Samba smart enough to automatically recognize the relationship between the Unix groups and Samba groups via ldap? Here is the stanza from the smb.conf I am trying to access:

[Data]
comment = "Data files"
path = /path/somewhere
browseable = yes
read only = no
guest ok = no
force create mode = 0660
force directory mode = 0770
force group = test
valid users = @test

Will this even work?

> --
> Adam Tauno Williams, Network & Systems Administrator
> Consultant - http://www.whitemiceconsulting.com
> Developer - http://www.opengroupware.org
>
Svancara, Randall wrote:
> Hello all,
>
> I could not find anything in the discussion groups or documentation
> about using LDAP and Unix group mappings.
>
> The documentation states that in order to map unix groups to samba
> groups, you need to use the net group add command. However, I have an
> ldap backend and all my groups, that I care about are in LDAP.
>

Yes, it states that, but in all examples a tdbsam backend is used, not ldap.

> So I have a group called mainwdev.
>
> dn: cn=test,ou=Group,dc=somewhere,dc=com
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> sambaSID: S-1-5-21-582185903-2148186938-2210701745-801
> sambaGroupType: 2
> objectClass: top
> cn: test
> gidNumber: 801
> memberUid: user1
> memberUid: user2
> memberUid: user3
> memberUid: user4
> memberUid: user5
> memberUid: user6
>
> Now, if I run "net groupmap list", I can see the group mapping as
> follows.
>
> test (S-1-5-21-582185903-2148186938-2210701745-801) -> test
>
> But when I attempt to log onto a share that only allows anyone that
> belongs to the group test (say user1), I get permission denied errors.
>

It should be another problem, not related to group mapping.

> Do I still have to run "net group map" command to establish a
> relationship between unix and samba groups?
>

No. When using ldap, the objectClass sambaGroupMapping represents the relationship of the UNIX and NT groups (which in ldap are normally stored in the same dn, and almost all tools create the accounts that way by default). You can use "net groupmap" with ldap when you have UNIX and NT groups in different places (let's suppose that you have a container for UNIX groups and another for NT groups), and it works, but normally nobody creates groups that way unless they have a good reason.

> Randall
>

Regards.

Edmundo Valle Neto
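Added example, not from anyone in the thread: a small Python check that parses a group entry shaped like Randall's and a share stanza like his [Data] one, flags an entry that lacks the sambaGroupMapping pieces Edmundo describes, and resolves `valid users = @test` against memberUid. The LDIF and stanza below are constructed from the thread; real Samba resolves membership through NSS (the `id` and `getent` checks Adam suggests), so this is a static sanity check of the directory entry and config, not a replacement for those.

```python
# Static check of a Samba LDAP group entry against a share stanza (constructed sample input).
GROUP_LDIF = """\
dn: cn=test,ou=Group,dc=somewhere,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-582185903-2148186938-2210701745-801
sambaGroupType: 2
cn: test
gidNumber: 801
memberUid: user1
memberUid: user2
"""
SHARE_CONF = "[Data]\npath = /path/somewhere\nforce group = test\nvalid users = @test\n"

def parse_ldif(text):
    """Single LDIF entry -> {attr: [values]}; multi-valued attrs are kept."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def parse_share(text):
    """Minimal smb.conf fragment -> {section: {key: value}}."""
    shares, section = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = shares.setdefault(line[1:-1], {})
        else:
            key, _, value = line.partition("=")
            section[key.strip().lower()] = value.strip()
    return shares

def mapping_problems(entry):
    """Defects that would stop Samba treating the entry as a mapped NT group."""
    classes, problems = entry.get("objectClass", []), []
    for needed in ("posixGroup", "sambaGroupMapping"):
        if needed not in classes:
            problems.append("missing objectClass " + needed)
    if not entry.get("sambaSID"):
        problems.append("missing sambaSID")
    if entry.get("sambaGroupType") != ["2"]:
        problems.append("sambaGroupType should be 2 (domain group)")
    return problems

def user_allowed(share, entry, user):
    """Does 'valid users' admit user by name or via the entry's unix group?"""
    group, members = entry["cn"][0], entry.get("memberUid", [])
    for token in share.get("valid users", "").replace(",", " ").split():
        if token == user or (token[0] in "@+" and token[1:] == group and user in members):
            return True
    return False
```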