summaryrefslogtreecommitdiff
path: root/docs/Samba-HOWTO-Collection
diff options
context:
space:
mode:
authorJohn Terpstra <jht@samba.org>2005-05-12 08:32:59 +0000
committerGerald W. Carter <jerry@samba.org>2008-04-23 08:46:34 -0500
commit572286eeaa2ae4c0448bc0a63a077dfad23f9099 (patch)
tree927a735dab656a45282c6cbbf7de2e3402c78438 /docs/Samba-HOWTO-Collection
parent0814d1242813e6d5d6b578038d86e46c77767519 (diff)
downloadsamba-572286eeaa2ae4c0448bc0a63a077dfad23f9099.tar.gz
samba-572286eeaa2ae4c0448bc0a63a077dfad23f9099.tar.bz2
samba-572286eeaa2ae4c0448bc0a63a077dfad23f9099.zip
Interim update.
(This used to be commit 6c3bcbb39b42c8597d25e20f36dc542117174787)
Diffstat (limited to 'docs/Samba-HOWTO-Collection')
-rw-r--r--docs/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml241
1 files changed, 240 insertions, 1 deletions
diff --git a/docs/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml b/docs/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml
index 698294e27f..510fda5b3c 100644
--- a/docs/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml
+++ b/docs/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml
@@ -89,11 +89,167 @@ the infliction of self induced pain, agony and desperation. Be warned, this is a
</para>
<sect3>
- <title>Create, Change, Delete Group Accounts</title>
+ <title>Adding, Renaming, or Deletion of Group Accounts</title>
+
+ <sect4>
+ <title>Adding or Creating a New Group</title>
+
+ <para>
+ Before attempting to add a Windows group account the currently available groups can be listed as shown
+here:
+<screen>
+&rootprompt; net rpc group list -Uroot%not24get
+Password:
+Domain Admins
+Domain Users
+Domain Guests
+Print Operators
+Backup Operators
+Replicator
+Domain Computers
+Engineers
+</screen>
+ A Windows group account called <quote>SupportEngrs</quote> can be added by executing the following
+command:
+<screen>
+&rootprompt; net rpc group add "SupportEngrs" -Uroot%not24get
+</screen>
+ The addition will result in immediate availability of the new group account as validated by executing the
+this command:
+<screen>
+&rootprompt; net rpc group list -Uroot%not24get
+Password:
+Domain Admins
+Domain Users
+Domain Guests
+Print Operators
+Backup Operators
+Replicator
+Domain Computers
+Engineers
+SupportEngrs
+</screen>
+ </para>
+
+ <para>
+ The following demonstrates that the POSIX (UNIX/Linux system account) group has been created by calling
+ the <smbconfoption name="add group script">/opt/IDEALX/sbin/smbldap-groupadd -p "%g"</smbconfoption> interface
+ script:
+<screen>
+&rootprompt; getent group
+...
+Domain Admins:x:512:root
+Domain Users:x:513:jht,lct,ajt,met
+Domain Guests:x:514:
+Print Operators:x:550:
+Backup Operators:x:551:
+Replicator:x:552:
+Domain Computers:x:553:
+Engineers:x:1002:jht
+SupportEngrs:x:1003:
+</screen>
+ The following demonstrates that the use of the <command>net</command> command to add a group account
+results in immediate mapping of the POSIX group that has been created to the Windows group account as whown
+here:
+<screen>
+merlin:~ # net groupmap list
+Domain Admins (S-1-5-21-72630-4128915-11681869-512) -> Domain Admins
+Domain Users (S-1-5-21-72630-4128915-11681869-513) -> Domain Users
+Domain Guests (S-1-5-21-72630-4128915-11681869-514) -> Domain Guests
+Print Operators (S-1-5-21-72630-4128915-11681869-550) -> Print Operators
+Backup Operators (S-1-5-21-72630-4128915-11681869-551) -> Backup Operators
+Replicator (S-1-5-21-72630-4128915-11681869-552) -> Replicator
+Domain Computers (S-1-5-21-72630-4128915-11681869-553) -> Domain Computers
+Engineers (S-1-5-21-72630-4128915-11681869-3005) -> Engineers
+SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs
+</screen>
+ </para>
+
+ </sect4>
+
+ <sect4>
+ <title>Mapping Windows Groups to UNIX Groups</title>
+
+ <para>
+ Windows groups must be mapped to UNIX system (POSIX) groups so that file system access controls
+ can be asserted in a manner that is consistent with the methods appropriate to the operating
+ system that is hosting the Samba server.
+ </para>
+
+ <para>
+ Samba depends on default mappings for the <constant>Domain Admins, Domain Users</constant> and
+ <constant>Domain Guests</constant> global groups. Additional groups may be added as shown in the
+ examples just given. There are times when it is necessary to map an existing UNIX group account
+ to a Windows group. This operation, in effect, creates a Windows group account as a consequence
+ of creation of the mapping.
+ </para>
+
+ <para>
+ The operations that are permitted includes: <constant>add, modify, delete</constant>. An example
+ of each operation is shown here.
+ </para>
<para>
+ An existing UNIX group may be mapped to an existing Windows group by this example:
+<screen>
+&rootprompt; net groupmap modify ntgroup="Domain Users" unixgroup=users
+</screen>
+ An existing UNIX group may be mapped to a new Windows group as shown here:
+<screen>
+&rootprompt; net groupmap add ntgroup="EliteEngrs" unixgroup=Engineers type=d
+</screen>
+ A Windows group may be deleted while preserving the UNIX group using this command:
+<screen>
+&rootprompt; net groupmap modify ntgroup=EngineDrivers unixgroup=Engineers type=d
+</screen>
</para>
+ <para>
+ The reason for using the <constant>modify</constant> method is to avoid any attempt to create a new
+ UNIX group, the default operation of the <constant>add</constant> method. The <constant>add</constant>
+ method creates a new group and then maps it to the Windows group name. It is the mapping that creates
+ the Windows group; the <constant>modify</constant> method performs only the mapping and avoids the
+ creation of the POSIX group account.
+ </para>
+
+ </sect4>
+
+ <sect4>
+ <title>Deleting a Group Account</title>
+
+ <para>
+ A group account may be deleted by executing the following command:
+<screen>
+&rootprompt; net rpc group delete SupportEngineers -Uroot%not24get
+</screen>
+ </para>
+
+ <para>
+ Validation of the deletion is advisable. The same commands may be executed as shown above.
+ </para>
+
+ </sect4>
+ <sect4>
+ <title>How to Rename a Group Account</title>
+
+ <note><para>
+ This command is not documented in the man pages, it is implemented in the source code, but it does not
+ work. The example given documents (from the source code) how it should work. Watch the release notes
+ of a future release to see when this may have been be fixed.
+ </para></note>
+
+ <para>
+ Sometimes it is necessary to rename a group account. Good administrators know how painful some managers
+ demands can be if this simple request is ignored. The following command demonstrates how the Windows group
+ <quote>SupportEngrs</quote> can be renamed to <quote>CustomerSupport</quote>:
+<screen>
+&rootprompt; net rpc group rename SupportEngrs \
+ CustomerSupport -Uroot%not24get
+</screen>
+ </para>
+
+ </sect4>
+
</sect3>
<sect3>
@@ -119,6 +275,76 @@ the infliction of self induced pain, agony and desperation. Be warned, this is a
<title>Administering User Rights and Privileges</title>
<para>
+<screen>
+&rootprompt; net rpc rights list accounts -U root%not24get
+BUILTIN\Print Operators
+No privileges assigned
+
+BUILTIN\Account Operators
+No privileges assigned
+
+BUILTIN\Backup Operators
+No privileges assigned
+
+BUILTIN\Server Operators
+No privileges assigned
+
+BUILTIN\Administrators
+No privileges assigned
+
+Everyone
+No privileges assigned
+
+&rootprompt; net rpc rights list -U root%not24get
+ SeMachineAccountPrivilege Add machines to domain
+ SePrintOperatorPrivilege Manage printers
+ SeAddUsersPrivilege Add users and groups to the domain
+ SeRemoteShutdownPrivilege Force shutdown from a remote system
+ SeDiskOperatorPrivilege Manage disk shares
+&rootprompt; net rpc rights grant "MIDEARTH\Domain Admins" \
+ SeMachineAccountPrivilege SePrintOperatorPrivilege \
+ SeAddUsersPrivilege SeRemoteShutdownPrivilege \
+ SeDiskOperatorPrivilege -U root%not24get
+Successfully granted rights.
+&rootprompt; net rpc rights grant "MIDEARTH\jht" \
+ SeMachineAccountPrivilege SePrintOperatorPrivilege \
+ SeAddUsersPrivilege SeDiskOperatorPrivilege \
+ -U root%not24get
+Successfully granted rights.
+&rootprompt; net rpc rights list accounts -U root%not24get
+MIDEARTH\jht
+SeMachineAccountPrivilege
+SePrintOperatorPrivilege
+SeAddUsersPrivilege
+SeDiskOperatorPrivilege
+
+BUILTIN\Print Operators
+No privileges assigned
+
+BUILTIN\Account Operators
+No privileges assigned
+
+BUILTIN\Backup Operators
+No privileges assigned
+
+BUILTIN\Server Operators
+No privileges assigned
+
+BUILTIN\Administrators
+No privileges assigned
+
+Everyone
+No privileges assigned
+
+MIDEARTH\Domain Admins
+SeMachineAccountPrivilege
+SePrintOperatorPrivilege
+SeAddUsersPrivilege
+SeRemoteShutdownPrivilege
+SeDiskOperatorPrivilege
+
+&rootprompt;
+</screen>
</para>
</sect2>
@@ -133,6 +359,10 @@ the infliction of self induced pain, agony and desperation. Be warned, this is a
<title>Machine Trust Accounts</title>
<para>
+<screen>
+&rootprompt; net rpc testjoin
+Join to 'MIDEARTH' is OK
+</screen>
</para>
</sect3>
@@ -223,6 +453,15 @@ the infliction of self induced pain, agony and desperation. Be warned, this is a
<title>Other Miscellaneous Operations</title>
<para>
+<screen>
+&rootprompt; net rpc info
+Domain Name: MIDEARTH
+Domain SID: S-1-5-21-726309263-4128913605-1168186429
+Sequence number: 1115878548
+Num users: 5
+Num domain groups: 8
+Num local groups: 0
+</screen>
</para>
</sect2>