[K12OSN] smbldap - adding ldap users to local groups

James P. Kinney III jkinney at localnetsolutions.com
Sat Oct 20 13:24:26 UTC 2007 

On Sat, 2007-10-20 at 08:05 -0400, Rob Owens wrote:
> On Fri, Oct 19, 2007 at 07:55:53PM -0400, Rob Owens wrote:
> > How can I add LDAP users to local system groups?  I am trying to
> move to LDAP, but I'm a bit confused now...  I tried to add a new LDAP
> user to the "fuse" group (which is a non-LDAP group) and I got the
> message:  /usr/sbin/smbldap-usermod: group "fuse" doesn't exist
> > 
> > Am I supposed to make an LDAP group for every one of my local system
> groups?  This seems dangerous, because there's no guarantee that the
> "fuse" group on one of my systems is treated the same as the "fuse"
> group on another system.
> > 
> 
> Here's an example of what I'm concerned about.
> 
> I compared /etc/group on a Debian Etch machine and an Ubuntu Feisty
> machine.  Here are some system group numbers that are different
> between the two machines.
> 
> gid	Etch group	Feisty Group
> 101	crontab		dhcp
> 102	Debian-exim	syslog
> 103	ssh		klog
> 104	messagebus	ssl-cert
> 105	avahi		crontab
> 106	netdev		ssh
> 107	lpadmin		messagebus
> 108	haldaemon	avahi
> 109	powerdev	lpadmin
> 110	scanner		haldaemon
> 111	gdm		scanner
> 112	backuppc	slocate
> 113	ntp		gdm
> 114	openldap	admin
> 116	mythtv		avahi-autoipd
> 117	bind		netdev
> 118	winbindd_priv	nvram

The individual systems handle the GIDs internally but your external
connections use the text names. Don't sweat the details on this UNLESS
you have created user or group names in LDAP that have text equivalents
for the "special" names on the local systems. i.e. a user named avhai
will have some serious file system and security problems!
> 
> For gids from 0 to 100, the Etch and Feisty group names are identical.
> My Centos 5 system, however, has differences in the 0-100 range.
> Additionally, the Centos system has the all-important "fuse" group at
> gid 101, whereas the Etch and Feisty systems have "fuse" at gid 115.  
> 
> So if I want to have multiple distros on the same network, how do I
> properly tie them together with LDAP?

Yes. Define your groupings on the ldap (class2008, mathteachers,
sciclub, students, etc.) and then use the local tools on the different
systems to add ldap groups as members of local groups defined groups.

NOTE: there needs to be better group management tools in Linux than is
currently available. The tool groupmems looks like the right thing but
it does not work as discussed in the man pages and segfaults under some
uses (bug report is being sent upstream). So in the mean time manually
adding ldap groups to the local fuse group is the only reliable way.
> 
> _______________________________________________
> K12OSN mailing list
> K12OSN at redhat.com
> https://www.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>
> 
-- 
James P. Kinney III          
CEO & Director of Engineering 
Local Net Solutions,LLC        
770-493-8244                    
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/k12osn/attachments/20071020/410b3305/attachment.sig>

More information about the K12OSN mailing list