From: Craig W. <cra...@az...> - 2005-10-27 00:42:26
On Thu, 2005-10-27 at 09:34 +1000, Jamie Cameron wrote:
> On Thu, 2005-10-27 at 04:19, Craig White wrote:
> > Something changed in the last few versions of LDAP Users and Groups
> > module and I can't figure out where it changed.
> >
> > I previously automatically added the sambaPrimaryGroupSID via config:
> > LDAP properties for new Samba users
> >
> > If I create a new user now, that fails because...
> > Failed to save user : Failed to add user to LDAP database :
> > sambaprimarygroupsid: multiple values provided
> >
> > OK - so I remove the automatic entry from config but now the
> > sambaPrimaryGroupSID is set to S-1-5....-2000 instead of S-1-5...-513
> > and I can't figure out where that is coming from. Any clues?
>
> In the current release of Webmin, that attribute is set automatically.
> The value is always DOMAIN-XXX, where XXX is the Unix GID*2+1000.
>
> Let me know if this doesn't seem correct, as I am not too familiar with
> the real purpose of this attribute :-)
----
That's really bugging me - I don't know how other people handle this.

Your concept is fine except for one thing...well known RIDs

Link to samba documentation
http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html#WKURIDS

The concept is if you want all new users to automatically be a member of
"Domain Users" - their sambaPrimaryGroupSID, then it would have an RID
(Relative ID) of 513 so the SID:

S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-513
^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^
|        |                                |------< RID
|        |
|        |--------< Unique to each domain
|
|-----< Domain Group (not local)

since the 513 is the Well known RID for the Domain Group "Domain Users" -
some people (if not most) would have the default sambaPrimaryGroupSID be
that one.

I can't answer for what other people do. Perhaps it would be best to have
this configurable by the administrator (the value of
sambaPrimaryGroupSID).
Thanks

Craig
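The following is an added example, not part of the original message or of Webmin's code: a small Python check that splits a sambaPrimaryGroupSID into its domain part and RID and reports whether it points at a well-known domain group or at a RID derived with the GID*2+1000 formula quoted in the thread. The domain SID and user names are constructed sample values, and the function names are hypothetical.

```python
import re

# Well-known domain group RIDs (the same in every domain).
WELL_KNOWN_GROUP_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

def split_sid(sid):
    """Return (domain_sid, rid) for a domain SID, or raise ValueError."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError("not a domain SID: %r" % sid)
    return "S-1-5-21-%s-%s-%s" % m.groups()[:3], int(m.group(4))

def webmin_group_rid(gid):
    """RID formula as quoted in the thread: Unix GID*2+1000."""
    return gid * 2 + 1000

def classify_primary_group(sid, domain_sid):
    """Describe what a sambaPrimaryGroupSID value points at."""
    dom, rid = split_sid(sid)
    if dom != domain_sid:
        return "foreign domain"
    if rid in WELL_KNOWN_GROUP_RIDS:
        return "well-known: " + WELL_KNOWN_GROUP_RIDS[rid]
    if rid >= 1000 and (rid - 1000) % 2 == 0:
        return "derived from Unix GID %d" % ((rid - 1000) // 2)
    return "unrecognised RID %d" % rid

def not_in_domain_users(entries, domain_sid):
    """Return {uid: classification} for users whose primary group is not RID 513."""
    report = {}
    for uid, sid in entries:
        label = classify_primary_group(sid, domain_sid)
        if label != "well-known: Domain Users":
            report[uid] = label
    return report

# Constructed sample data: domain SID and two LDAP users.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = [("alice", DOMAIN + "-513"), ("bob", DOMAIN + "-2000")]

if __name__ == "__main__":
    for uid, label in not_in_domain_users(SAMPLE, DOMAIN).items():
        print(uid, "->", label)
```

With the sample data, the entry ending in -2000 is reported as derived from Unix GID 500, which is the kind of value described in the message above.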