[K12OSN] smbldap - adding ldap users to local groups

Craig White craig at tobyhouse.com
Thu Oct 25 00:18:03 UTC 2007


On Wed, 2007-10-24 at 20:02 -0400, David Hopkins wrote:
> Perhaps I am missing something here, but I thought the whole reason
> for using a central ldap authentication approach is that all groups
> and users are defined in the ldap server and every local machine uses
> that server for authentication and association of rights to local
> resources (files and such) for all accounts, except for local system
> accounts and root?  The global groups being added to local groups is
> something that I am familiar with from Microsoft's view of how to
> assign rights to files, and local resources, but I have never seen it
> used that way in *nix. 
> 
> As an aside, isn't the purpose of newgrp so you can switch what group
> you're associated with on a local system?
> 
----
The mysql user is a local user/group by Red Hat packaging and I am
presuming by the OP, the same is true of Debian/Ubuntu.

The issue becomes the toolset that you use to maintain users and groups
and the suggestion of smbldap makes me think that OP is using Windows
tools to maintain user accounts which isn't going to know about the
local users/groups on a specific server.

There are all sorts of different tools to maintain users/groups, some
make use of smbldap and some could care less (though in the case of
having Samba act as a PDC, it's still necessary to have smbldap or
suitable replacement for allowing $MACHINE accounts to change their
passwords).

I don't know of any concept that embraces nested groups within
UNIX/Linux (well, winbindd can, but that is just too tacky for UNIX/Linux
group purposes) but if someone has some new tricks, I'd love to hear
them.

Craig



