Sébastien Prud'homme
2008-Oct-16 09:32 UTC
[Samba] LDAP backend and sambaGroupType for builtin groups
Hi,

I have a question about sambaGroupType attribute on a Samba 3.2 PDC with LDAP backend (and nss_ldap + nss_winbind).

What should be the value for Administrators builtin group?

If I use smbldap-populate from smbldap-tools, the value of sambaGroupType is 5 (and the LDAP entry for this group is a posixGroup and a sambaGroupMapping).
I've also noticed that "wbinfo -g" doesn't list the group. "getent group" displays the group correctly (I guess because of the posixGroup and nss_ldap) but the domain administrator account is not listed in that group (no nested group expand).

If I simply start Samba without provisioning the Administrators builtin group in LDAP, Samba automatically creates it:

dn: sambaSID=S-1-5-32-544,ou=groups,dc=mydomain
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-544
sambaGroupType: 4
displayName: Administrators
gidNumber: XXXXXX
structuralObjectClass: sambaSidEntry
sambaSIDList: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-512

The value of sambaGroupType is 4 (and there is no posixGroup) and "wbinfo -g" lists the group as "BUILTIN\administrators". "getent group" works fine (the domain administrator account is listed in the builtin Administrators group).

Can anyone explain to me what the correct value for sambaGroupType should be in Samba 3.2? I guess "4" but I'm not sure as a lot of people seem to use the smbldap-tools (which said "5").

Another question: is it OK to add a posixAccount object class in a builtin local group? If yes, how to avoid having twice the group entry in "getent group" (one by nss_ldap and one by nss_winbind)?

Thanks!
Jeremy Allison
2008-Oct-16 22:17 UTC
[Samba] LDAP backend and sambaGroupType for builtin groups
On Thu, Oct 16, 2008 at 11:32:03AM +0200, Sébastien Prud'homme wrote:
> Hi,
>
> I have a question about sambaGroupType attribute on a Samba 3.2 PDC
> with LDAP backend (and nss_ldap + nss_winbind).
>
> What should be the value for Administrators builtin group?
>
> If I use smbldap-populate from smbldap-tools, the value of
> sambaGroupType is 5 (and the LDAP entry for this group is a posixGroup
> and a sambaGroupMapping).
> I've also noticed that "wbinfo -g" doesn't list the group. "getent
> group" displays the group correctly (I guess because of the posixGroup
> and nss_ldap) but the domain administrator account is not listed in
> that group (no nested group expand).
>
> If I simply start Samba without provisioning the Administrators
> builtin group in LDAP, Samba automatically creates it:
>
> dn: sambaSID=S-1-5-32-544,ou=groups,dc=mydomain
> objectClass: sambaSidEntry
> objectClass: sambaGroupMapping
> sambaSID: S-1-5-32-544
> sambaGroupType: 4
> displayName: Administrators
> gidNumber: XXXXXX
> structuralObjectClass: sambaSidEntry
> sambaSIDList: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-512
>
> The value of sambaGroupType is 4 (and there is no posixGroup) and
> "wbinfo -g" lists the group as "BUILTIN\administrators". "getent group"
> works fine (the domain administrator account is listed in the builtin
> Administrators group).
>
> Can anyone explain to me what the correct value for sambaGroupType
> should be in Samba 3.2? I guess "4" but I'm not sure as a lot of
> people seem to use the smbldap-tools (which said "5").

That's a bug in smbldap-tools, I sent them a patch for this.

See: https://bugzilla.samba.org/show_bug.cgi?id=5551 for details (and here: https://bugzilla.samba.org/attachment.cgi?id=3369&action=view is the patch for smbldap-tools).

Jeremy.
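
A check for the mismatch discussed in this thread, as an added example that is not part of the original messages and is not Samba or smbldap-tools code: it scans an LDIF export for sambaGroupMapping entries under the BUILTIN SID prefix S-1-5-32 whose sambaGroupType is not 4, the value in the entry Samba created itself. The function names and the sample LDIF are constructed for illustration.

```python
import base64

BUILTIN_PREFIX = "S-1-5-32-"  # BUILTIN domain SIDs, e.g. S-1-5-32-544
EXPECTED_TYPE = "4"           # value in the entry Samba created itself (see thread)

def parse_ldif(text):
    """Yield one dict per entry (lower-cased attribute -> values); folded lines are joined."""
    text = text.replace("\r\n", "\n").replace("\n ", "")
    for block in text.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.lower(), []).append(value.strip())
        if entry:
            yield entry

def audit_builtin_groups(ldif_text):
    """Return (dn, sid, type) for BUILTIN group mappings whose type is not 4."""
    findings = []
    for e in parse_ldif(ldif_text):
        classes = {c.lower() for c in e.get("objectclass", [])}
        sid = e.get("sambasid", [""])[0]
        if "sambagroupmapping" in classes and sid.startswith(BUILTIN_PREFIX):
            gtype = e.get("sambagrouptype", ["<missing>"])[0]
            if gtype != EXPECTED_TYPE:
                findings.append((e.get("dn", ["?"])[0], sid, gtype))
    return findings

# Constructed sample: a smbldap-populate-style entry (type 5) and a Samba-created-style one (type 4).
SAMPLE = """\
dn: cn=Administrators,ou=groups,dc=mydomain
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-544
sambaGroupType: 5

dn: sambaSID=S-1-5-32-545,ou=groups,dc=mydomain
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
"""

if __name__ == "__main__":
    print(audit_builtin_groups(SAMPLE))
```

To run it against a real directory, pass the text of an LDIF export of the groups subtree to `audit_builtin_groups` instead of `SAMPLE`.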