On Friday 26 March 2010 14:29:04, Buchan Milne wrote:
> On Friday, 26 March 2010 11:27:28 Götz Reinicke - IT-Koordinator wrote:
> > Buchan Milne wrote:
> > > For the rfc2307 vs rfc2307bis group issue, I don't think samba
> > > supports rfc2307bis, so you should go with rfc2307 (using memberUid for
> > > denoting members of groups, holding the username, not the DN).
> >
> > "The nss_ldap library from PADL software (http://www.padl.com) supports
> > this by enabling the library’s RFC2307bis extensions (pass the
> > --enable-rfc2307bis option to the nss_ldap configure script when
> > compiling) ..."
> >
> >
> > And http://www.padl.com/OSS/nss_ldap.html mentions also Support for the
> > RFC 2307/RFC 2307bis.
> >
> > Or do I get something wrong?
>
> nss_ldap supports rfc2307bis, but samba does not (AFAIK). If you are using
> Samba as a Domain Controller, the groups visible on windows clients (for
> local ACLs on windows computers, rights etc.) will not align with your
> unix groups

IIRC that depends on the samba configuration. I.e. if you have
ldapsam:trusted=yes in smb.conf your statement is true. But the default for
ldapsam:trusted is "no" (at least according to the smb.conf man-page) and
then samba will use the NSS Subsystem (and through that nss_ldap, if
configured) to access user and group information. So unless you use
ldapsam:trusted=yes, the rfc2307bis is usable with Samba as well.

-- Ralf
