debian5:~# ldapsearch -LLL -x -b ou=groups,dc=samba,dc=org dn
dn: ou=groups,dc=samba,dc=org

dn: cn=domusers,ou=groups,dc=samba,dc=org

dn: cn=domadmins,ou=groups,dc=samba,dc=org

dn: cn=domguests,ou=groups,dc=samba,dc=org
David, please add the output of 'net sam provision -d10'. Thanks!
Here we go. http://dmarkey.com/~dmarkey/net_sam_provision
I have a patch nearly completed that creates the following:

dn: cn=admins,ou=groups,dc=samba,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: admins
displayName: Administrators
gidNumber: 1000002
sambaSID: S-1-5-32-544
sambaGroupType: 4

dn: cn=users,ou=groups,dc=samba,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: users
displayName: Users
gidNumber: 1000003
sambaSID: S-1-5-32-545
sambaGroupType: 4

dn: cn=guests,ou=groups,dc=samba,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: guests
displayName: Guests
gidNumber: 1000004
sambaSID: S-1-5-32-546
sambaGroupType: 4

dn: cn=powerusers,ou=groups,dc=samba,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: powerusers
displayName: Power Users
gidNumber: 1000005
sambaSID: S-1-5-32-547
sambaGroupType: 4

1. How many of the builtin groups should be created?
2. What should be the POSIX name for builtin groups? e.g. powerusers, localpowerusers, "BUILTIN\Power Users"?
(In reply to comment #3)
>
> 1. How many of the builtin groups should be created?

I'd say the minimum necessary, do we really need Users or Power Users for a basic install? Or just Administrators?

> 2. What should be the POSIX name for builtin groups? e.g. powerusers
> localpowerusers "BUILTIN\Power Users"?

The latter I guess, these are special accounts and should not be confused with normal ones.

Simo.
(In reply to comment #4)
> (In reply to comment #3)
> >
> > 1. How many of the builtin groups should be created?
>
> I'd say the minimum necessary, do we really need Users or Power Users for a
> basic install? Or just Administrators?
>

I don't know, is there any harm having them anyway?

> > 2. What should be the POSIX name for builtin groups? e.g. powerusers
> > localpowerusers "BUILTIN\Power Users"?
>
> The latter I guess, these are special accounts and should not be confused with
> normal ones.

Having spaces in group names isn't POSIX compliant and the "Domain Admins" group has a POSIX name of domadmins, so would it not make sense to use localadmins?

>
> Simo.
>
(In reply to comment #5)
> I don't know, is there any harm having them anyway?

I tend to refrain from adding unneeded stuff, but I see no harm indeed.

> Having spaces in group names isn't POSIX compliant and the "Domain Admins"
> group has a POSIX name of domadmins, so would it not make sense to use
> localadmins?

In this case I'd use builtinadmins, builtinusers, etc...

Simo.
Created attachment 4309 [details]
Patch

Here's a patch, works fine for me. See any obvious problems?
Created attachment 4313 [details]
The first patch had the wrong group type, this one's fixed
According to Microsoft, "Domain Admins" should be a member of "BUILTIN\Administrators". Should this be done?

This raises the question of nested groups. nss_ldap wouldn't unroll nested groups.
(In reply to comment #9)
> According to Microsoft, "Domain Admins" should be a member of
> "BUILTIN\Administrators". Should this be done?
>
> This raises the question of nested groups. nss_ldap wouldn't unroll nested
> groups.

Yep, this was my concern, and probably the reason why we didn't add BUILTIN groups. It seems you would need nss_winbind if you want BUILTIN groups ...
I really can't see how nss_ldap and nss_winbind can live together. nss_ldap is going to supply the group name/GID (objectClass: posixGroup), so is nss_winbind going to fill in the group members?!? It would be ideal if the functionality of nss_ldap could be absorbed into nss_winbind.
Within my pdb_ads efforts right now I'm working on exactly that. Volker
cool! so are you suggesting the amalgamation of pdb_ldap and pdb_ads?
No, not yet :-) But in that process I need winbind to also provide local users from passdb. Once that works fine, putting pdb_ldap into that picture should be simple. Volker
Cool, so do you think your work should obsolete the use of nss_ldap?
I noticed 3.4.0 RC1 creating the following:

14 sambaSID=S-1-5-32-544,dc=samba,dc=org
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 1000005
sambaSID: S-1-5-32-544

15 sambaSID=S-1-5-32-545,dc=samba,dc=org
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 1000006
sambaSID: S-1-5-32-545

16 sambaSID=S-1-5-32-546,dc=samba,dc=org
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 1000007
sambaSID: S-1-5-32-546

smbd creates these after a provision, on first launch. Is this expected behavior? Shouldn't the above have cn, displayName and sambaGroupType? Maybe if we created the builtin groups in the provision it wouldn't create ones like these?
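As an added example (not code from this thread or from Samba), a small audit that reads an ldapsearch-style LDIF dump and flags BUILTIN SIDs that exist only as the bare sambaIdmapEntry objects described in the comment above, or whose sambaGroupMapping is incomplete. The sample LDIF is constructed from entries quoted in this thread, and treating sambaGroupType 4 as the expected value for BUILTIN groups follows the thread's own provision LDIF.

```python
# Added example, not from the bug thread: flag BUILTIN (S-1-5-32-*) SIDs that
# have only a bare idmap entry or an incomplete sambaGroupMapping.
BUILTIN_PREFIX = "S-1-5-32-"
LOCAL_GROUP_TYPE = "4"      # value used for BUILTIN groups in the thread's LDIF
MAPPING_ATTRS = ("cn", "displayName", "sambaGroupType")

# Constructed sample: one full group mapping plus one bare idmap entry, both
# copied from entries quoted in the thread.
SAMPLE_LDIF = """\
dn: cn=admins,ou=groups,dc=samba,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: admins
displayName: Administrators
gidNumber: 1000002
sambaSID: S-1-5-32-544
sambaGroupType: 4

dn: sambaSID=S-1-5-32-545,dc=samba,dc=org
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 1000006
sambaSID: S-1-5-32-545
"""

def parse_ldif(text):
    """Split an LDIF dump into entries, each a dict attribute -> list of values."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    return entries

def audit_builtin_groups(text):
    """Return (dn, problem) pairs for BUILTIN SIDs without a usable group mapping."""
    problems = []
    for e in parse_ldif(text):
        if not e.get("sambaSID", [""])[0].startswith(BUILTIN_PREFIX):
            continue                          # only BUILTIN aliases matter here
        dn = e["dn"][0]
        if "sambaGroupMapping" not in e.get("objectClass", []):
            problems.append((dn, "bare idmap entry, no sambaGroupMapping"))
        elif any(a not in e for a in MAPPING_ATTRS):
            problems.append((dn, "incomplete sambaGroupMapping"))
        elif e["sambaGroupType"][0] != LOCAL_GROUP_TYPE:
            problems.append((dn, "sambaGroupType is not " + LOCAL_GROUP_TYPE))
    return problems
```

Run it against `ldapsearch -LLL -x -b dc=samba,dc=org sambaSID=S-1-5-32-*` output to see which BUILTIN SIDs smbd has auto-mapped without a group entry.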
Too late for enhancements for 3.5. Raising version.