From: Jamie C. <jca...@we...> - 2005-10-28 19:16:29
On Thu, 2005-10-27 at 14:19, Craig White wrote:
> On Thu, 2005-10-27 at 13:58 +1000, Jamie Cameron wrote:
> > On 27/Oct/2005 10:42 Craig White wrote ..
> > > On Thu, 2005-10-27 at 09:34 +1000, Jamie Cameron wrote:
> > > > On Thu, 2005-10-27 at 04:19, Craig White wrote:
> > > > > Something changed in the last few versions of LDAP Users and Groups
> > > > > module and I can't figure out where it changed.
> > > > >
> > > > > I previously automatically added the sambaPrimaryGroupSID via config:
> > > > > LDAP properties for new Samba users
> > > > >
> > > > > If I create a new user now, that fails because...
> > > > > Failed to save user : Failed to add user to LDAP database :
> > > > > sambaprimarygroupsid: multiple values provided
> > > > >
> > > > > OK - so I remove the automatic entry from config but now the
> > > > > sambaPrimaryGroupSID is set to S-1-5....-2000 instead of S-1-5...-513
> > > > > and I can't figure out where that is coming from. Any clues?
> > > >
> > > > In the current release of Webmin, that attribute is set automatically.
> > > > The value is always DOMAIN-XXX , where XXX is the Unix GID*2+1000 .
> > > >
> > > > Let me know if this doesn't seem correct, as I am not too familiar with
> > > > the real purpose of this attribute :-)
> > > ----
> > > that's really bugging me - I don't know how other people handle
> > > this.
> > >
> > > Your concept is fine except for one thing...well known RID's
> > >
> > > Link to samba documentation
> > > http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html#WKURIDS
> > >
> > > The concept is if you want all new users to automatically be a
> > > member of "Domain Users" - their sambaPrimaryGroupSID, then it would
> > > have an RID (Relative ID) of 513 so the SID:
> > >
> > > S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-513
> > > ^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^
> > >    |                   |                 |
> > >    |                   |                 |------< RID
> > >    |                   |
> > >    |                   |--------< Unique to each domain
> > >    |
> > >    |-----< Domain Group (not local)
> > >
> > > since the 513 is the Well known RID for the Domain Group "Domain
> > > Users" - some people (if not most) would have the default
> > > sambaPrimaryGroupSID be that one.
> > >
> > > I can't answer for what other people do. Perhaps it would be best to
> > > have this configurable by the administrator (the value of
> > > sambaPrimaryGroupSID).
> > >
> > > Thanks
> > >
> > > Craig
> >
> > Ah .. so should the sambaPrimaryGroupSID be the same for all users?
> > Because that is not what Webmin does currently .. and it sounds like I
> > should fix this.
> ----
> that was my motivation for bringing it up. With samba group mapping, I
> could get that same thing done 2 different ways - the first being the
> extra properties automatically entered and the second being the POSIX
> group membership which is mapped to the same. I preferred to leave
> nothing to chance and insert it directly into LDAP since it is possible
> to change the primary POSIX group membership in an unthinking minute. As
> soon as you added this feature, you defeated both of them.
>
> If it makes sense to you, I would suggest that you either drop it (like
> it was a version or 3 ago in Webmin) or have it configurable in its own
> field in the module config. Either of these options is highly preferable
> to something that I can't configure which means that I have to create
> the user and then go back and fix it.

I will add a Module Config option in the next release that will allow
you to either exclude that attribute entirely, set it automatically (as
is done now), or set it to a specified value ..

 - Jamie
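
An added example, not part of the original thread and not Webmin's code: a small audit that labels each account's sambaPrimaryGroupSID as a well-known RID (such as 513), a value derived from the Unix GID by the GID*2+1000 rule described above, or one of the failure cases discussed (multiple values, missing). The domain SID, the user entries and the function names are constructed for illustration; entries are assumed to have been read from LDAP already as attribute-to-list dictionaries.

```python
import re

# Well-known domain RIDs from the Samba group-mapping documentation.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for a domain SID, or raise ValueError."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError("not a domain SID: %r" % sid)
    return m.group(1), int(m.group(2))


def classify(entry, domain_sid):
    """Label how an entry's sambaPrimaryGroupSID was most likely produced."""
    values = entry.get("sambaPrimaryGroupSID", [])
    if len(values) != 1:
        return "missing" if not values else "multiple-values"
    try:
        dom, rid = split_sid(values[0])
    except ValueError:
        return "malformed"
    if dom != domain_sid:
        return "foreign-domain"
    if rid in WELL_KNOWN_RIDS:
        return "well-known:" + WELL_KNOWN_RIDS[rid]
    # Rule as described in the thread: RID = Unix GID * 2 + 1000.
    if rid == int(entry["gidNumber"][0]) * 2 + 1000:
        return "derived-from-gid"
    return "other"


def audit(entries, domain_sid):
    """Map each uid to its classification."""
    return {e["uid"][0]: classify(e, domain_sid) for e in entries}


# Constructed sample data (placeholder domain SID, hypothetical users).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
ENTRIES = [
    {"uid": ["alice"], "gidNumber": ["500"], "sambaPrimaryGroupSID": [DOMAIN + "-513"]},
    {"uid": ["bob"], "gidNumber": ["500"], "sambaPrimaryGroupSID": [DOMAIN + "-2000"]},
    {"uid": ["carol"], "gidNumber": ["500"],
     "sambaPrimaryGroupSID": [DOMAIN + "-513", DOMAIN + "-2000"]},
    {"uid": ["dave"], "gidNumber": ["500"], "sambaPrimaryGroupSID": []},
]

if __name__ == "__main__":
    for uid, label in audit(ENTRIES, DOMAIN).items():
        print(uid, label)
```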