| author | Jelmer Vernooij <jelmer@samba.org> | 2003-08-15 18:26:34 +0000 | 
|---|---|---|
| committer | Jelmer Vernooij <jelmer@samba.org> | 2003-08-15 18:26:34 +0000 | 
| commit | d069dacb6e17866dd5d3862e1837a9cae008644f (patch) | |
| tree | c1b660005d31583819c7f43f79168a3332150a85 /docs/htmldocs/groupmapping.html | |
| parent | cedd66b6e67f4c463eaa072f0e6d87ee1f55718e (diff) | |
| download | samba-d069dacb6e17866dd5d3862e1837a9cae008644f.tar.gz samba-d069dacb6e17866dd5d3862e1837a9cae008644f.tar.bz2 samba-d069dacb6e17866dd5d3862e1837a9cae008644f.zip  | |
Regenerate docs
(This used to be commit dc33e94161e4fc1ca6bf66a321c708c89bb276e3)
Diffstat (limited to 'docs/htmldocs/groupmapping.html')
| -rw-r--r-- | docs/htmldocs/groupmapping.html | 196 | 
1 files changed, 196 insertions, 0 deletions
diff --git a/docs/htmldocs/groupmapping.html b/docs/htmldocs/groupmapping.html new file mode 100644 index 0000000000..39d317e8cf --- /dev/null +++ b/docs/htmldocs/groupmapping.html 
@@ -0,0 +1,196 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 12. Mapping MS Windows and UNIX Groups</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="samba-doc.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="passdb.html" title="Chapter 11. Account Information Databases"><link rel="next" href="AccessControls.html" title="Chapter 13. File, Directory and Share Access Controls"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 12. Mapping MS Windows and UNIX Groups</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="passdb.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="AccessControls.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="groupmapping"></a>Chapter 12. 
Mapping MS Windows and UNIX Groups</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jean François</span> <span class="surname">Micouleau</span></h3></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="groupmapping.html#id2903181">Features and Benefits</a></dt><dt><a href="groupmapping.html#id2903416">Discussion</a></dt><dd><dl><dt><a href="groupmapping.html#id2903652">Example Configuration</a></dt></dl></dd><dt><a href="groupmapping.html#id2903718">Configuration Scripts</a></dt><dd><dl><dt><a href="groupmapping.html#id2903732">Sample smb.conf add group script</a></dt><dt><a href="groupmapping.html#id2903817">Script to configure Group Mapping</a></dt></dl></dd><dt><a href="groupmapping.html#id2903900">Common Errors</a></dt><dd><dl><dt><a href="groupmapping.html#id2903915">Adding Groups Fails</a></dt><dt><a href="groupmapping.html#id2903984">Adding MS Windows Groups to MS Windows Groups Fails</a></dt><dt><a href="groupmapping.html#id2904010">Adding Domain Users to the Power Users group</a></dt></dl></dd></dl></div><a class="indexterm" name="id2903109"></a><p> +	Starting with Samba-3, new group mapping functionality is available to create associations +	between Windows group SIDs and UNIX groups. 
The <b class="command">groupmap</b> subcommand +	included with the <span class="application">net</span> tool can be used to manage these associations. +	</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> +	The first immediate reason to use the group mapping on a Samba PDC, is that +	<a class="indexterm" name="id2903150"></a> +	the <i class="parameter"><tt>domain admin group</tt></i> has been removed and should no longer +	be specified in <tt class="filename">smb.conf</tt>. This parameter was used to give the listed users membership +	in the <tt class="constant">Domain Admins</tt> Windows group which gave local admin rights on their workstations +	(in default configurations). +	</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2903181"></a>Features and Benefits</h2></div></div><div></div></div><p> +	Samba allows the administrator to create MS Windows NT4 / 200x group accounts and to +	arbitrarily associate them with UNIX/Linux group accounts. +	</p><a class="indexterm" name="id2903197"></a><a class="indexterm" name="id2903205"></a><p> +	Group accounts can be managed using the MS Windows NT4 or MS Windows 200x  / XP Professional MMC tools. +	Appropriate interface scripts should be provided in <tt class="filename">smb.conf</tt> if it is desired that UNIX / Linux system +	accounts should be automatically created when these tools are used. In the absence of these scripts, and +	so long as winbind is running, Samba accounts group accounts that are created using these tools will be +	allocated UNIX UIDs/GIDs from the parameters set by the <a class="indexterm" name="id2903232"></a><i class="parameter"><tt>idmap uid</tt></i>/<a class="indexterm" name="id2903245"></a><i class="parameter"><tt>idmap gid</tt></i> settings +	in the <tt class="filename">smb.conf</tt> file. 
+	</p><div class="figure"><a name="idmap-group-diag"></a><p class="title"><b>Figure 12.1. IDMAP groups</b></p><div class="mediaobject"><img src="projdoc/imagefiles/idmap-groups.png" width="270" alt="IDMAP groups"></div></div><a class="indexterm" name="id2903314"></a><a class="indexterm" name="id2903322"></a><p> +	Administrators should be aware that where <tt class="filename">smb.conf</tt> group interface scripts make +	direct calls to the UNIX/Linux system tools (eg: the shadow utilities, <b class="command">groupadd</b>, +	<b class="command">groupdel</b>, <b class="command">groupmod</b>) then the resulting UNIX/Linux group names will be subject +	to any limits imposed by these tools. If the tool does NOT allow upper case characters +	or space characters, then the creation of an MS Windows NT4 / 200x style group of +	<span class="emphasis"><em>Engineering Managers</em></span> will attempt to create an identically named +	UNIX/Linux group, an attempt that will of course fail! +	</p><a class="indexterm" name="id2903374"></a><a class="indexterm" name="id2903382"></a><p> +	There are several possible work-arounds for the operating system tools limitation. One +	method is to use a script that generates a name for the UNIX/Linux system group that +	fits the operating system limits, and that then just passes the UNIX/Linux group id (GID) +	back to the calling Samba interface. This will provide a dynamic work-around solution. +	</p><p> +	Another work-around is to manually create a UNIX/Linux group, then manually create the +	MS Windows NT4 / 200x group on the Samba server and then use the <b class="command">net groupmap</b> +	tool to connect the two to each other. 
+	</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2903416"></a>Discussion</h2></div></div><div></div></div><p> +	When installing <span class="application">MS Windows NT4 / 200x</span> on a computer, the installation +	program creates default users and groups, notably the <tt class="constant">Administrators</tt> group, +	and gives that group privileges necessary privileges to perform essential system tasks. +	eg: Ability to change the date and time or to kill (or close) any process running on the +	local machine. +	</p><a class="indexterm" name="id2903445"></a><p> +	The 'Administrator' user is a member of the 'Administrators' group, and thus inherits +	'Administrators' group privileges. If a 'joe' user is created to be a member of the +	'Administrator' group, 'joe' has exactly the same rights as 'Administrator'. +	</p><p> +	When an MS Windows NT4 / W200x is made a domain member, the "Domain Admins" group of the +	PDC is added to the local 'Administrators' group of the workstation. Every member of the +	'Domain Administrators' group inherits the rights of the local 'Administrators' group when +	logging on the workstation. +	</p><p> +	The following steps describe how to make Samba PDC users members of the 'Domain Admins' group? +	</p><div class="orderedlist"><ol type="1"><li><p> +		create a unix group (usually in <tt class="filename">/etc/group</tt>), let's call it domadm +		</p></li><li><p>add to this group the users that must be Administrators. 
For example +		if you want joe, john and mary, your entry in <tt class="filename">/etc/group</tt> will +		look like: +		</p><pre class="programlisting"> +		domadm:x:502:joe,john,mary +		</pre><p> +		</p></li><li><p> +		Map this domadm group to the "Domain Admins" group by running the command: +		</p><p> +</p><pre class="screen"> +<tt class="prompt">root# </tt><b class="userinput"><tt>net groupmap add ntgroup="Domain Admins" unixgroup=domadm</tt></b> +</pre><p> +		</p><a class="indexterm" name="id2903569"></a><p> +		The quotes around "Domain Admins" are necessary due to the space in the group name. +		Also make sure to leave no whitespace surrounding the equal character (=). +		</p></li></ol></div><p> +	Now joe, john and mary are domain administrators! +	</p><a class="indexterm" name="id2903594"></a><p> +	It is possible to map any arbitrary UNIX group to any Windows NT4 / 200x group as well as +	making any UNIX group a Windows domain group.  For example, if you wanted to include a +	UNIX group (e.g. acct) in a ACL on a local file or printer on a domain member machine, +	you would flag that group as a domain group by running the following on the Samba PDC: +	</p><p> +</p><pre class="screen"> +<tt class="prompt">root# </tt><b class="userinput"><tt>net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct</tt></b> +</pre><p> +	</p><p> +	Be aware that the RID parameter is a unsigned 32 bit integer that should +	normally start at 1000.  However, this rid must not overlap with any RID assigned +	to a user.  Verifying this is done differently depending on the passdb backend  +	you are using.  Future versions of the tools may perform the verification automatically, +	but for now the burden is on you. 
+	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903652"></a>Example Configuration</h3></div></div><div></div></div><p> +		You can list the various groups in the mapping database by executing  +		<b class="command">net groupmap list</b>.  Here is an example: +		</p><p> +</p><pre class="screen"> +<tt class="prompt">root# </tt> <b class="userinput"><tt>net groupmap list</tt></b> +System Administrators (S-1-5-21-2547222302-1596225915-2414751004-1002) -> sysadmin +Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin +Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser +Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest +</pre><p> +		</p><p> +		For complete details on <b class="command">net groupmap</b>, refer to the net(8) man page. +		</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2903718"></a>Configuration Scripts</h2></div></div><div></div></div><p> +	Everyone needs tools. Some of us like to create our own, others prefer to use canned tools +	(ie: prepared by someone else for general use).  +	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903732"></a>Sample <tt class="filename">smb.conf</tt> add group script</h3></div></div><div></div></div><p> +		A script to create complying group names for use by the Samba group interfaces: +		</p><p> +</p><div class="example"><a name="id2903754"></a><p class="title"><b>Example 12.1. smbgrpadd.sh</b></p><pre class="programlisting"> + +#!/bin/bash + +# Add the group using normal system groupadd tool. +groupadd smbtmpgrp00 + +thegid=`cat /etc/group | grep smbtmpgrp00 | cut -d ":" -f3` + +# Now change the name to what we want for the MS Windows networking end +cp /etc/group /etc/group.bak +cat /etc/group.bak | sed s/smbtmpgrp00/$1/g > /etc/group + +# Now return the GID as would normally happen. 
+echo $thegid +exit 0 +</pre></div><p> +</p><p> +		The <tt class="filename">smb.conf</tt> entry for the above script would look like: +		</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>add group script = /path_to_tool/smbgrpadd.sh %g</tt></i></td></tr></table><p> +		</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903817"></a>Script to configure Group Mapping</h3></div></div><div></div></div><p> +		In our example we have created a UNIX/Linux group called <span class="emphasis"><em>ntadmin</em></span>. +		Our script will create the additional groups <span class="emphasis"><em>Orks</em></span>, <span class="emphasis"><em>Elves</em></span>, <span class="emphasis"><em>Gnomes</em></span>: +	</p><p> +</p><pre class="programlisting"> +#!/bin/bash + +net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmin +net groupmap modify ntgroup="Domain Users" unixgroup=users +net groupmap modify ntgroup="Domain Guests" unixgroup=nobody +net groupmap modify ntgroup="Administrators" unixgroup=root +net groupmap modify ntgroup="Users" unixgroup=users +net groupmap modify ntgroup="Guests" unixgroup=nobody +net groupmap modify ntgroup="System Operators" unixgroup=sys +net groupmap modify ntgroup="Account Operators" unixgroup=root +net groupmap modify ntgroup="Backup Operators" unixgroup=bin +net groupmap modify ntgroup="Print Operators" unixgroup=lp +net groupmap modify ntgroup="Replicators" unixgroup=daemon +net groupmap modify ntgroup="Power Users" unixgroup=sys + +groupadd Orks +groupadd Elves +groupadd Gnomes + +net groupmap add ntgroup="Orks"       unixgroup=Orks         type=d +net groupmap add ntgroup="Elves"      unixgroup=Elves        type=d +net groupmap add ntgroup="Gnomes"     unixgroup=Gnomes       type=d +</pre><p> +</p><p> +	Of course it is expected that the administrator will modify this to suit local needs. 
+	For information regarding the use of the <b class="command">net groupmap</b> tool please +	refer to the man page. +	</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2903900"></a>Common Errors</h2></div></div><div></div></div><p> +At this time there are many little surprises for the unwary administrator. In a real sense +it is imperative that every step of automated control scripts must be carefully tested +manually before putting them into active service. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903915"></a>Adding Groups Fails</h3></div></div><div></div></div><p> +		This is a common problem when the <b class="command">groupadd</b> is called directly +		by the Samba interface script for the <a class="indexterm" name="id2903935"></a><i class="parameter"><tt>add group script</tt></i> in +		the <tt class="filename">smb.conf</tt> file. +		</p><p> +		The most common cause of failure is an attempt to add an MS Windows group account +		that has either an upper case character and/or a space character in it. +		</p><p> +		There are three possible work-arounds. Firstly, use only group names that comply +		with the limitations of the UNIX/Linux <b class="command">groupadd</b> system tool. +		The second involves use of the script mentioned earlier in this chapter, and the +		third option is to manually create a UNIX/Linux group account that can substitute +		for the MS Windows group name, then use the procedure listed above to map that group +		to the MS Windows group. +		</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903984"></a>Adding MS Windows Groups to MS Windows Groups Fails</h3></div></div><div></div></div><a class="indexterm" name="id2903992"></a><p> +		Samba-3 does NOT support nested groups from the MS Windows control environment. 
+		</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904010"></a>Adding <span class="emphasis"><em>Domain Users</em></span> to the <span class="emphasis"><em>Power Users</em></span> group</h3></div></div><div></div></div><p>“<span class="quote"> +		What must I do to add Domain Users to the Power Users group? +		</span>”</p><p> +		The Power Users group is a group that is local to each Windows +		200x / XP Professional workstation. You can not add the Domain Users group to the Power Users +		group automatically, this must be done on each workstation by logging in as the local workstation  +		<span class="emphasis"><em>administrator</em></span> and then using click on Start / Control Panel / Users and Passwords +		now click on the 'Advanced' tab, then on the 'Advanced' Button. +		</p><a class="indexterm" name="id2904048"></a><p> +		Now click on 'Groups', then double click on 'Power Users'. This will launch the panel to add users +		or groups to the local machine 'Power Uses' group. Click on the 'Add' button, select the domain +		from which the 'Domain Users' group is to be added, double click on the 'Domain Users' group, then +		click on the 'Ok' button. Note: If a logon box is presented during this process please remember to +		enter the connect as DOMAIN\UserName. ie: For the domain MIDEARTH and the user 'root' enter +		MIDEARTH\root. +		</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="passdb.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="AccessControls.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 11. Account Information Databases </td><td width="20%" align="center"><a accesskey="h" href="samba-doc.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 13. 
File, Directory and Share Access Controls</td></tr></table></div></body></html>  | 
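Review bot: the smbgrpadd.sh listing in Example 12.1 breaks on exactly the input the chapter says it exists for, because `cat /etc/group.bak | sed s/smbtmpgrp00/$1/g > /etc/group` leaves `$1` unquoted and unescaped, so a group name with a space ("Engineering Managers" from the Features and Benefits section) is split into separate sed arguments, and any `/` or `&` in the name corrupts the substitution; at minimum the expression should be quoted as `sed "s/smbtmpgrp00/$1/g"` after rejecting or escaping sed metacharacters in `$1`. The GID lookup `thegid=\`cat /etc/group | grep smbtmpgrp00 | cut -d ":" -f3\`` is also unanchored, so any line merely containing that string is matched; `getent group smbtmpgrp00 | cut -d: -f3` (or `grep '^smbtmpgrp00:'`) is the safe form. Rewriting /etc/group with `cp` and a redirect bypasses the lock the shadow utilities take, so a concurrent groupadd/useradd can be lost; the text should at least warn that the script must not run alongside other account tools. In the mapping script under "Script to configure Group Mapping", `ntgroup="Administrators" unixgroup=root` and `ntgroup="Account Operators" unixgroup=root` give two built-in Windows groups the root group's file access; since the listing is presented as a template, a sentence noting that these should be replaced with dedicated groups would prevent copy-paste over-privileging. Minor doc fixes in the same hunk: "gives that group privileges necessary privileges", "a unsigned 32 bit integer", "members of the 'Domain Admins' group?" (should end in a period), and "'Power Uses' group" under "Adding Domain Users to the Power Users group".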
