From: Craig W. <cra...@az...> - 2005-10-27 04:20:16
On Thu, 2005-10-27 at 13:58 +1000, Jamie Cameron wrote:
> On 27/Oct/2005 10:42 Craig White wrote ..
> > On Thu, 2005-10-27 at 09:34 +1000, Jamie Cameron wrote:
> > > On Thu, 2005-10-27 at 04:19, Craig White wrote:
> > > > Something changed in the last few versions of LDAP Users and Groups
> > > > module and I can't figure out where it changed.
> > > >
> > > > I previously automatically added the sambaPrimaryGroupSID via config:
> > > > LDAP properties for new Samba users
> > > >
> > > > If I create a new user now, that fails because...
> > > > Failed to save user : Failed to add user to LDAP database :
> > > > sambaprimarygroupsid: multiple values provided
> > > >
> > > > OK - so I remove the automatic entry from config but now the
> > > > sambaPrimaryGroupSID is set to S-1-5....-2000 instead of S-1-5...-513
> > > > and I can't figure out where that is coming from. Any clues?
> > >
> > > In the current release of Webmin, that attribute is set automatically.
> > > The value is always DOMAIN-XXX , where XXX is the Unix GID*2+1000 .
> > >
> > > Let me know if this doesn't seem correct, as I am not too familiar with
> > > the real purpose of this attribute :-)
> > ----
> > that's really bugging me - I don't know how other people handle
> > this.
> >
> > Your concept is fine except for one thing...well known RID's
> >
> > Link to samba documentation
> > http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html#WKURIDS
> >
> > The concept is if you want all new users to automatically be a
> > member of "Domain Users" - their sambaPrimaryGroupSID, then it would
> > have an RID (Relative ID) of 513 so the SID:
> > S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-513
> > ^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^
> >    |                    |                  |
> >    |                    |                  |------< RID
> >    |                    |
> >    |                    |--------< Unique to each domain
> >    |
> >    |-----< Domain Group (not local)
> >
> > since the 513 is the Well known RID for the Domain Group "Domain
> > Users" - some people (if not most) would have the default
> > sambaPrimaryGroupSID be that one.
> >
> > I can't answer for what other people do. Perhaps it would be best to
> > have this configurable by the administrator (the value of
> > sambaPrimaryGroupSID).
> >
> > Thanks
> >
> > Craig
> Ah .. so should the sambaPrimaryGroupSID be the same for all users?
> Because that is not what Webmin does currently .. and it sounds like I
> should fix this.
----
that was my motivation for bringing it up.

With samba group mapping, I could get that same thing done 2 different ways - the first being the extra properties automatically entered and the second being the POSIX group membership which is mapped to the same. I preferred to leave nothing to chance and insert it directly into LDAP since it is possible to change the primary POSIX group membership in an unthinking minute. As soon as you added this feature, you defeated both of them.

If it makes sense to you, I would suggest that you either drop it (like it was a version or 3 ago in Webmin) or have it configurable in its own field in the module config. Either of these options is highly preferable to something that I can't configure which means that I have to create the user and then go back and fix it.
Craig
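
The following is an added example, not part of the original message and not Webmin or Samba code. It audits LDAP user entries for a sambaPrimaryGroupSID that is not the expected "Domain Users" SID (RID 513) and flags those whose RID matches the GID*2+1000 derivation described in the thread. The domain SID, the sample entries, gidNumber 500 and all function names are constructed for illustration.

```python
import re

# Well-known domain group RIDs; 513 (Domain Users) is the one named in the thread.
WELL_KNOWN_GROUP_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Split a domain-relative SID into (domain SID, RID); reject anything else."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain-relative SID: {sid!r}")
    return m.group(1), int(m.group(2))


def algorithmic_group_rid(gid):
    """RID derived from the Unix GID, as described in the thread: GID*2+1000."""
    return gid * 2 + 1000


def audit_primary_group(entries, domain_sid, expected_rid=513):
    """Return (uid, rid, reason) for entries whose sambaPrimaryGroupSID is not
    domain_sid-expected_rid. Attribute names are matched case-insensitively."""
    findings = []
    for e in entries:
        attrs = {k.lower(): v for k, v in e.items()}
        dom, rid = split_sid(attrs["sambaprimarygroupsid"])
        if dom != domain_sid:
            findings.append((attrs["uid"], rid, "foreign domain SID"))
        elif rid != expected_rid:
            derived = rid == algorithmic_group_rid(int(attrs["gidnumber"]))
            reason = "derived from gidNumber" if derived else "unexpected RID"
            findings.append((attrs["uid"], rid, reason))
    return findings


# Constructed sample entries; the domain SID is a placeholder, not a real one.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = [
    {"uid": "alice", "gidNumber": "500", "sambaPrimaryGroupSID": DOMAIN + "-513"},
    {"uid": "bob", "gidNumber": "500", "sambaPrimaryGroupSID": DOMAIN + "-2000"},
    {"uid": "carol", "gidNumber": "500", "sambaPrimaryGroupSID": DOMAIN + "-512"},
]

if __name__ == "__main__":
    for uid, rid, reason in audit_primary_group(SAMPLE, DOMAIN):
        print(uid, rid, WELL_KNOWN_GROUP_RIDS.get(rid, "-"), reason)
```

With the constructed gidNumber of 500 the derived RID is 2000, which matches the symptom reported above; an entry whose primary group resolves to RID 512 is reported separately because it was set by neither method.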