path: root/docs/htmldocs/groupmapping.html
author: Gerald Carter <jerry@samba.org> 2003-09-24 15:05:22 +0000
committer: Gerald Carter <jerry@samba.org> 2003-09-24 15:05:22 +0000
commit: 293421f3c64a2adff7dc15f7ad3adb6120c9fd16 (patch)
tree: b18b6e0cda6e04dac9f47ab9fdb661f1dfa65b7b /docs/htmldocs/groupmapping.html
parent: 43004ba8830874a8ab02bc755b1e99160af982b5 (diff)
download: samba-293421f3c64a2adff7dc15f7ad3adb6120c9fd16.tar.gz
samba-293421f3c64a2adff7dc15f7ad3adb6120c9fd16.tar.bz2
samba-293421f3c64a2adff7dc15f7ad3adb6120c9fd16.zip
syncing up docs, examples, & packaging from 3.0
(This used to be commit dd1348c566b4700ea01bd89639e2d3330c878167)
Diffstat (limited to 'docs/htmldocs/groupmapping.html')
-rw-r--r-- docs/htmldocs/groupmapping.html 278
1 files changed, 166 insertions, 112 deletions
diff --git a/docs/htmldocs/groupmapping.html b/docs/htmldocs/groupmapping.html
index 39d317e8cf..da8cf8f4b1 100644
--- a/docs/htmldocs/groupmapping.html
+++ b/docs/htmldocs/groupmapping.html
@@ -1,119 +1,164 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 12. Mapping MS Windows and UNIX Groups</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="samba-doc.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="passdb.html" title="Chapter 11. Account Information Databases"><link rel="next" href="AccessControls.html" title="Chapter 13. File, Directory and Share Access Controls"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 12. Mapping MS Windows and UNIX Groups</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="passdb.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="AccessControls.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="groupmapping"></a>Chapter 12. 
Mapping MS Windows and UNIX Groups</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jean François</span> <span class="surname">Micouleau</span></h3></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="groupmapping.html#id2903181">Features and Benefits</a></dt><dt><a href="groupmapping.html#id2903416">Discussion</a></dt><dd><dl><dt><a href="groupmapping.html#id2903652">Example Configuration</a></dt></dl></dd><dt><a href="groupmapping.html#id2903718">Configuration Scripts</a></dt><dd><dl><dt><a href="groupmapping.html#id2903732">Sample smb.conf add group script</a></dt><dt><a href="groupmapping.html#id2903817">Script to configure Group Mapping</a></dt></dl></dd><dt><a href="groupmapping.html#id2903900">Common Errors</a></dt><dd><dl><dt><a href="groupmapping.html#id2903915">Adding Groups Fails</a></dt><dt><a href="groupmapping.html#id2903984">Adding MS Windows Groups to MS Windows Groups Fails</a></dt><dt><a href="groupmapping.html#id2904010">Adding Domain Users to the Power Users group</a></dt></dl></dd></dl></div><a class="indexterm" name="id2903109"></a><p>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 12. Group Mapping MS Windows and UNIX</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="passdb.html" title="Chapter 11. Account Information Databases"><link rel="next" href="AccessControls.html" title="Chapter 13. File, Directory and Share Access Controls"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 12. Group Mapping MS Windows and UNIX</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="passdb.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="AccessControls.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="groupmapping"></a>Chapter 12. 
Group Mapping MS Windows and UNIX</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jean François</span> <span class="surname">Micouleau</span></h3></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="groupmapping.html#id2909181">Features and Benefits</a></dt><dt><a href="groupmapping.html#id2909551">Discussion</a></dt><dd><dl><dt><a href="groupmapping.html#id2909853">Default Users, Groups and Relative Identifiers</a></dt><dt><a href="groupmapping.html#id2910488">Example Configuration</a></dt></dl></dd><dt><a href="groupmapping.html#id2910567">Configuration Scripts</a></dt><dd><dl><dt><a href="groupmapping.html#id2910581">Sample smb.conf Add Group Script</a></dt><dt><a href="groupmapping.html#id2910716">Script to Configure Group Mapping</a></dt></dl></dd><dt><a href="groupmapping.html#id2910824">Common Errors</a></dt><dd><dl><dt><a href="groupmapping.html#id2910839">Adding Groups Fails</a></dt><dt><a href="groupmapping.html#id2910907">Adding MS Windows Groups to MS Windows Groups Fails</a></dt><dt><a href="groupmapping.html#id2910933">Adding Domain Users to the Power Users Group</a></dt></dl></dd></dl></div><p>
+<a class="indexterm" name="id2909098"></a>
Starting with Samba-3, new group mapping functionality is available to create associations
between Windows group SIDs and UNIX groups. The <b class="command">groupmap</b> subcommand
included with the <span class="application">net</span> tool can be used to manage these associations.
+ </p><p>
+ The new facility for mapping NT Groups to UNIX system groups allows the administrator to decide
+ which NT Domain Groups are to be exposed to MS Windows clients. Only those NT Groups that map
+ to a UNIX group that has a value other than the default (<tt class="constant">-1</tt>) will be exposed
+ in group selection lists in tools that access domain users and groups.
</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
- The first immediate reason to use the group mapping on a Samba PDC, is that
- <a class="indexterm" name="id2903150"></a>
- the <i class="parameter"><tt>domain admin group</tt></i> has been removed and should no longer
- be specified in <tt class="filename">smb.conf</tt>. This parameter was used to give the listed users membership
- in the <tt class="constant">Domain Admins</tt> Windows group which gave local admin rights on their workstations
+ <a class="indexterm" name="id2909148"></a>
+ The <i class="parameter"><tt>domain admin group</tt></i> parameter has been removed in Samba-3 and should no longer
+ be specified in <tt class="filename">smb.conf</tt>. This parameter was used to give the listed users membership in the
+ <tt class="constant">Domain Admins</tt> Windows group which gave local admin rights on their workstations
(in default configurations).
- </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2903181"></a>Features and Benefits</h2></div></div><div></div></div><p>
- Samba allows the administrator to create MS Windows NT4 / 200x group accounts and to
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2909181"></a>Features and Benefits</h2></div></div><div></div></div><p>
+ Samba allows the administrator to create MS Windows NT4/200x group accounts and to
arbitrarily associate them with UNIX/Linux group accounts.
- </p><a class="indexterm" name="id2903197"></a><a class="indexterm" name="id2903205"></a><p>
- Group accounts can be managed using the MS Windows NT4 or MS Windows 200x / XP Professional MMC tools.
- Appropriate interface scripts should be provided in <tt class="filename">smb.conf</tt> if it is desired that UNIX / Linux system
+ </p><p>
+<a class="indexterm" name="id2909199"></a>
+<a class="indexterm" name="id2909207"></a>
+ Group accounts can be managed using the MS Windows NT4 or MS Windows 200x/XP Professional MMC tools.
+ Appropriate interface scripts should be provided in <tt class="filename">smb.conf</tt> if it is desired that UNIX/Linux system
accounts should be automatically created when these tools are used. In the absence of these scripts, and
- so long as winbind is running, Samba accounts group accounts that are created using these tools will be
- allocated UNIX UIDs/GIDs from the parameters set by the <a class="indexterm" name="id2903232"></a><i class="parameter"><tt>idmap uid</tt></i>/<a class="indexterm" name="id2903245"></a><i class="parameter"><tt>idmap gid</tt></i> settings
- in the <tt class="filename">smb.conf</tt> file.
- </p><div class="figure"><a name="idmap-group-diag"></a><p class="title"><b>Figure 12.1. IDMAP groups</b></p><div class="mediaobject"><img src="projdoc/imagefiles/idmap-groups.png" width="270" alt="IDMAP groups"></div></div><a class="indexterm" name="id2903314"></a><a class="indexterm" name="id2903322"></a><p>
+ so long as <b class="command">winbindd</b> is running, Samba group accounts that are created using these
+ tools will be allocated UNIX UIDs/GIDs from the ID range specified by the
+ <a class="indexterm" name="id2909237"></a><i class="parameter"><tt>idmap uid</tt></i>/<a class="indexterm" name="id2909250"></a><i class="parameter"><tt>idmap gid</tt></i>
+ parameters in the <tt class="filename">smb.conf</tt> file.
+ </p><div class="figure"><a name="idmap-sid2gid"></a><p class="title"><b>Figure 12.1. IDMAP: group SID to GID resolution.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/idmap-sid2gid.png" width="270" alt="IDMAP: group SID to GID resolution."></div></div><div class="figure"><a name="idmap-gid2sid"></a><p class="title"><b>Figure 12.2. IDMAP: GID resolution to matching SID.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/idmap-gid2sid.png" width="270" alt="IDMAP: GID resolution to matching SID."></div></div><p>
+ In both cases, when winbindd is not running, only locally resolvable groups can be recognized. Please refer to
+ <link linkend="idmap-sid2gid"> and <link linkend="idmap-gid2sid">. The <b class="command">net groupmap</b> is
+ used to establish UNIX group to NT SID mappings as shown in <link linkend="idmap-store-gid2sid">.
+ </p><div class="figure"><a name="idmap-store-gid2sid"></a><p class="title"><b>Figure 12.3. IDMAP storing group mappings.</b></p><div class="mediaobject"><img src="projdoc/imagefiles/idmap-store-gid2sid.png" width="270" alt="IDMAP storing group mappings."></div></div><p>
+ <a class="indexterm" name="id2909453"></a>
+ <a class="indexterm" name="id2909460"></a>
Administrators should be aware that where <tt class="filename">smb.conf</tt> group interface scripts make
- direct calls to the UNIX/Linux system tools (eg: the shadow utilities, <b class="command">groupadd</b>,
- <b class="command">groupdel</b>, <b class="command">groupmod</b>) then the resulting UNIX/Linux group names will be subject
- to any limits imposed by these tools. If the tool does NOT allow upper case characters
- or space characters, then the creation of an MS Windows NT4 / 200x style group of
+ direct calls to the UNIX/Linux system tools (the shadow utilities, <b class="command">groupadd</b>,
+ <b class="command">groupdel</b>, and <b class="command">groupmod</b>), the resulting UNIX/Linux group names will be subject
+ to any limits imposed by these tools. If the tool does not allow upper case characters
+ or space characters, then the creation of an MS Windows NT4/200x style group of
<span class="emphasis"><em>Engineering Managers</em></span> will attempt to create an identically named
- UNIX/Linux group, an attempt that will of course fail!
- </p><a class="indexterm" name="id2903374"></a><a class="indexterm" name="id2903382"></a><p>
+ UNIX/Linux group, an attempt that will of course fail.
+ </p><p>
+ <a class="indexterm" name="id2909513"></a>
+ <a class="indexterm" name="id2909521"></a>
There are several possible work-arounds for the operating system tools limitation. One
method is to use a script that generates a name for the UNIX/Linux system group that
- fits the operating system limits, and that then just passes the UNIX/Linux group id (GID)
+ fits the operating system limits, and that then just passes the UNIX/Linux group ID (GID)
back to the calling Samba interface. This will provide a dynamic work-around solution.
</p><p>
Another work-around is to manually create a UNIX/Linux group, then manually create the
- MS Windows NT4 / 200x group on the Samba server and then use the <b class="command">net groupmap</b>
+ MS Windows NT4/200x group on the Samba server and then use the <b class="command">net groupmap</b>
tool to connect the two to each other.
- </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2903416"></a>Discussion</h2></div></div><div></div></div><p>
- When installing <span class="application">MS Windows NT4 / 200x</span> on a computer, the installation
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2909551"></a>Discussion</h2></div></div><div></div></div><p>
+ When installing <span class="application">MS Windows NT4/200x</span> on a computer, the installation
program creates default users and groups, notably the <tt class="constant">Administrators</tt> group,
- and gives that group privileges necessary privileges to perform essential system tasks.
- eg: Ability to change the date and time or to kill (or close) any process running on the
+ and gives that group privileges necessary privileges to perform essential system tasks,
+ such as the ability to change the date and time or to kill (or close) any process running on the
local machine.
- </p><a class="indexterm" name="id2903445"></a><p>
- The 'Administrator' user is a member of the 'Administrators' group, and thus inherits
- 'Administrators' group privileges. If a 'joe' user is created to be a member of the
- 'Administrator' group, 'joe' has exactly the same rights as 'Administrator'.
</p><p>
- When an MS Windows NT4 / W200x is made a domain member, the &quot;Domain Admins&quot; group of the
- PDC is added to the local 'Administrators' group of the workstation. Every member of the
- 'Domain Administrators' group inherits the rights of the local 'Administrators' group when
+ <a class="indexterm" name="id2909584"></a>
+ The <tt class="constant">Administrator</tt> user is a member of the <tt class="constant">Administrators</tt> group, and thus inherits
+ <tt class="constant">Administrators</tt> group privileges. If a <tt class="constant">joe</tt> user is created to be a member of the
+ <tt class="constant">Administrators</tt> group, <tt class="constant">joe</tt> has exactly the same rights as the user,
+ <tt class="constant">Administrator</tt>.
+ </p><p>
+ When an MS Windows NT4/200x/XP machine is made a Domain Member, the &#8220;<span class="quote">Domain Admins</span>&#8221; group of the
+ PDC is added to the local <tt class="constant">Administrators</tt> group of the workstation. Every member of the
+ <tt class="constant">Domain Administrators</tt> group inherits the rights of the local <tt class="constant">Administrators</tt> group when
logging on the workstation.
</p><p>
- The following steps describe how to make Samba PDC users members of the 'Domain Admins' group?
+ The following steps describe how to make Samba PDC users members of the <tt class="constant">Domain Admins</tt> group?
</p><div class="orderedlist"><ol type="1"><li><p>
- create a unix group (usually in <tt class="filename">/etc/group</tt>), let's call it domadm
- </p></li><li><p>add to this group the users that must be Administrators. For example
- if you want joe, john and mary, your entry in <tt class="filename">/etc/group</tt> will
- look like:
+ Create a UNIX group (usually in <tt class="filename">/etc/group</tt>), let's call it <tt class="constant">domadm</tt>.
+ </p></li><li><p>
+ Add to this group the users that must be &#8220;<span class="quote">Administrators</span>&#8221;. For example,
+ if you want <tt class="constant">joe, john</tt> and <tt class="constant">mary</tt> to be administrators,
+ your entry in <tt class="filename">/etc/group</tt> will look like this:
</p><pre class="programlisting">
domadm:x:502:joe,john,mary
</pre><p>
</p></li><li><p>
- Map this domadm group to the &quot;Domain Admins&quot; group by running the command:
+ Map this domadm group to the &#8220;<span class="quote">Domain Admins</span>&#8221; group by running the command:
</p><p>
-</p><pre class="screen">
-<tt class="prompt">root# </tt><b class="userinput"><tt>net groupmap add ntgroup=&quot;Domain Admins&quot; unixgroup=domadm</tt></b>
-</pre><p>
- </p><a class="indexterm" name="id2903569"></a><p>
- The quotes around &quot;Domain Admins&quot; are necessary due to the space in the group name.
- Also make sure to leave no whitespace surrounding the equal character (=).
+ </p><pre class="screen">
+ <tt class="prompt">root# </tt><b class="userinput"><tt>net groupmap add ntgroup=&#8220;<span class="quote">Domain Admins</span>&#8221; UNIXgroup=domadm</tt></b>
+ </pre><p>
+ </p><p>
+ <a class="indexterm" name="id2909766"></a>
+ The quotes around &#8220;<span class="quote">Domain Admins</span>&#8221; are necessary due to the space in the group name.
+ Also make sure to leave no white-space surrounding the equal character (=).
</p></li></ol></div><p>
- Now joe, john and mary are domain administrators!
- </p><a class="indexterm" name="id2903594"></a><p>
- It is possible to map any arbitrary UNIX group to any Windows NT4 / 200x group as well as
- making any UNIX group a Windows domain group. For example, if you wanted to include a
- UNIX group (e.g. acct) in a ACL on a local file or printer on a domain member machine,
+ Now <tt class="constant">joe, john</tt> and <tt class="constant">mary</tt> are domain administrators.
+ </p><p>
+ <a class="indexterm" name="id2909799"></a>
+ It is possible to map any arbitrary UNIX group to any Windows NT4/200x group as well as
+ making any UNIX group a Windows domain group. For example, if you wanted to include a
+ UNIX group (e.g., acct) in an ACL on a local file or printer on a Domain Member machine,
you would flag that group as a domain group by running the following on the Samba PDC:
</p><p>
</p><pre class="screen">
-<tt class="prompt">root# </tt><b class="userinput"><tt>net groupmap add rid=1000 ntgroup=&quot;Accounting&quot; unixgroup=acct</tt></b>
+<tt class="prompt">root# </tt><b class="userinput"><tt>net groupmap add rid=1000 ntgroup="Accounting" UNIXgroup=acct</tt></b>
</pre><p>
</p><p>
- Be aware that the RID parameter is a unsigned 32 bit integer that should
- normally start at 1000. However, this rid must not overlap with any RID assigned
- to a user. Verifying this is done differently depending on the passdb backend
- you are using. Future versions of the tools may perform the verification automatically,
+ Be aware that the RID parameter is a unsigned 32-bit integer that should
+ normally start at 1000. However, this RID must not overlap with any RID assigned
+ to a user. Verification for this is done differently depending on the passdb backend
+ you are using. Future versions of the tools may perform the verification automatically,
but for now the burden is on you.
- </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903652"></a>Example Configuration</h3></div></div><div></div></div><p>
- You can list the various groups in the mapping database by executing
- <b class="command">net groupmap list</b>. Here is an example:
- </p><p>
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2909853"></a>Default Users, Groups and Relative Identifiers</h3></div></div><div></div></div><p>
+<a class="indexterm" name="id2909865"></a>
+<a class="indexterm" name="id2909875"></a>
+ When first installed, Microsoft Windows NT4/200x/XP are preconfigured with certain User, Group, and
+ Alias entities. Each has a well-known Relative Identifier (RID). These must be preserved for continued
+ integrity of operation. Samba must be provisioned with certain essential Domain Groups that require
+ the appropriate RID value. When Samba-3 is configured to use <tt class="constant">tdbsam</tt> the essential
+ Domain Groups are automatically created. It is the LDAP administrators' responsibility to create
+ (provision) the default NT Groups.
+ </p><p>
+ Each essential Domain Group must be assigned its respective well-kown RID. The default Users, Groups,
+ Aliases, and RIDs are shown in <link linkend="WKURIDS">.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3>
+ When the <i class="parameter"><tt>passdb backend</tt></i> uses LDAP (<tt class="constant">ldapsam</tt>) it is the
+ admininstrators' responsibility to create the essential Domain Groups, and to assign each its default RID.
+ </div><p>
+ It is permissible to create any Domain Group that may be necessary, just make certain that the essential
+ Domain Groups (well known) have been created and assigned its default RID. Other groups you create may
+ be assigned any arbitrary RID you care to use.
+ </p><p>
+ Be sure to map each Domain Group to a UNIX system group. That is the only way to ensure that the group
+ will be available for use as an NT Domain Group.
+ </p><p>
+ </p><div class="table"><a name="WKURIDS"></a><p class="title"><b>Table 12.1. Well-Known User Default RIDs</b></p><table summary="Well-Known User Default RIDs" border="1"><colgroup><col align="left"><col align="left"><col align="left"><col align="center"></colgroup><thead><tr><th align="left">Well-Known Entity</th><th align="left">RID</th><th align="left">Type</th><th align="center">Essential</th></tr></thead><tbody><tr><td align="left">Domain Administrator</td><td align="left">500</td><td align="left">User</td><td align="center">No</td></tr><tr><td align="left">Domain Guest</td><td align="left">501</td><td align="left">User</td><td align="center">No</td></tr><tr><td align="left">Domain KRBTGT</td><td align="left">502</td><td align="left">User</td><td align="center">No</td></tr><tr><td align="left">Domain Admins</td><td align="left">512</td><td align="left">Group</td><td align="center">Yes</td></tr><tr><td align="left">Domain Users</td><td align="left">513</td><td align="left">Group</td><td align="center">Yes</td></tr><tr><td align="left">Domain Guests</td><td align="left">514</td><td align="left">Group</td><td align="center">Yes</td></tr><tr><td align="left">Domain Computers</td><td align="left">515</td><td align="left">Group</td><td align="center">No</td></tr><tr><td align="left">Domain Controllers</td><td align="left">516</td><td align="left">Group</td><td align="center">No</td></tr><tr><td align="left">Domain Certificate Admins</td><td align="left">517</td><td align="left">Group</td><td align="center">No</td></tr><tr><td align="left">Domain Schema Admins</td><td align="left">518</td><td align="left">Group</td><td align="center">No</td></tr><tr><td align="left">Domain Enterprise Admins</td><td align="left">519</td><td align="left">Group</td><td align="center">No</td></tr><tr><td align="left">Domain Policy Admins</td><td align="left">520</td><td align="left">Group</td><td align="center">No</td></tr><tr><td align="left">Builtin Admins</td><td 
align="left">544</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin users</td><td align="left">545</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin Guests</td><td align="left">546</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin Power Users</td><td align="left">547</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin Account Operators</td><td align="left">548</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin System Operators</td><td align="left">549</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin Print Operators</td><td align="left">550</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin Backup Operators</td><td align="left">551</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin Replicator</td><td align="left">552</td><td align="left">Alias</td><td align="center">No</td></tr><tr><td align="left">Builtin RAS Servers</td><td align="left">553</td><td align="left">Alias</td><td align="center">No</td></tr></tbody></table></div><p>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2910488"></a>Example Configuration</h3></div></div><div></div></div><p>
+ You can list the various groups in the mapping database by executing
+ <b class="command">net groupmap list</b>. Here is an example:
+ </p><a class="indexterm" name="id2910510"></a><p>
</p><pre class="screen">
<tt class="prompt">root# </tt> <b class="userinput"><tt>net groupmap list</tt></b>
-System Administrators (S-1-5-21-2547222302-1596225915-2414751004-1002) -&gt; sysadmin
Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -&gt; domadmin
Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -&gt; domuser
Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -&gt; domguest
</pre><p>
</p><p>
For complete details on <b class="command">net groupmap</b>, refer to the net(8) man page.
- </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2903718"></a>Configuration Scripts</h2></div></div><div></div></div><p>
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2910567"></a>Configuration Scripts</h2></div></div><div></div></div><p>
Everyone needs tools. Some of us like to create our own, others prefer to use canned tools
- (ie: prepared by someone else for general use).
- </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903732"></a>Sample <tt class="filename">smb.conf</tt> add group script</h3></div></div><div></div></div><p>
- A script to create complying group names for use by the Samba group interfaces:
- </p><p>
-</p><div class="example"><a name="id2903754"></a><p class="title"><b>Example 12.1. smbgrpadd.sh</b></p><pre class="programlisting">
+ (i.e., prepared by someone else for general use).
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2910581"></a>Sample <tt class="filename">smb.conf</tt> Add Group Script</h3></div></div><div></div></div><p>
+ A script to create complying group names for use by the Samba group interfaces
+ is provided in <link linkend="smbgrpadd.sh">.
+ </p><a class="indexterm" name="id2910610"></a><p>
+</p><div class="example"><a name="smbgrpadd.sh"></a><p class="title"><b>Example 12.1. smbgrpadd.sh</b></p><pre class="programlisting">
#!/bin/bash
# Add the group using normal system groupadd tool.
groupadd smbtmpgrp00
-thegid=`cat /etc/group | grep smbtmpgrp00 | cut -d &quot;:&quot; -f3`
+thegid=`cat /etc/group | grep smbtmpgrp00 | cut -d ":" -f3`
# Now change the name to what we want for the MS Windows networking end
cp /etc/group /etc/group.bak
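Review bot: the new cross-references in this hunk are raw DocBook elements (`<link linkend="idmap-sid2gid">`, `<link linkend="idmap-gid2sid">`, `<link linkend="idmap-store-gid2sid">`, `<link linkend="WKURIDS">`, `<link linkend="smbgrpadd.sh">`) that the XSL stylesheet did not resolve, so the rendered HTML reads "Please refer to and ." and "are shown in ." with nothing for the reader to follow; in the DocBook source these need link text (`<link linkend="...">Figure 12.1</link>`) or an `<xref linkend="..."/>`, and the HTML should be regenerated. Two problems in the command examples: the line `net groupmap add ntgroup=&#8220;<span class="quote">Domain Admins</span>&#8221; UNIXgroup=domadm` now shows typographic quotes inside the `userinput` element, which a shell does not treat as quoting if the line is pasted, so the sentence that follows ("The quotes around ... are necessary due to the space in the group name") no longer matches what is shown; keep plain ASCII `"` here as the `rid=1000 ntgroup="Accounting"` line does. The same two lines spell the option `UNIXgroup=` while every `net groupmap` line in the script later in this file keeps `unixgroup=`; pick one spelling, and the lowercase form is the one the scripts use. In the `smbgrpadd.sh` listing, `thegid=`cat /etc/group | grep smbtmpgrp00 | cut -d ":" -f3`` is an unanchored substring match that would also pick up any group whose name merely contains `smbtmpgrp00` (and the `cat` is unnecessary); `getent group smbtmpgrp00 | cut -d: -f3` or `grep '^smbtmpgrp00:' /etc/group` is the safer lookup. Minor text fixes that survived the rewrite: "gives that group privileges necessary privileges" keeps a duplicated word, "members of the Domain Admins group?" keeps a stray question mark on a statement, "a unsigned 32-bit integer" should read "an unsigned", "well-kown" should be "well-known", and "admininstrators'" should be "administrators'".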
@@ -124,73 +169,82 @@ echo $thegid
exit 0
</pre></div><p>
</p><p>
- The <tt class="filename">smb.conf</tt> entry for the above script would look like:
- </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>add group script = /path_to_tool/smbgrpadd.sh %g</tt></i></td></tr></table><p>
- </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903817"></a>Script to configure Group Mapping</h3></div></div><div></div></div><p>
+ The <tt class="filename">smb.conf</tt> entry for the above script would be something like that in <link linkend="smbgrpadd">.
+</p><div class="example"><a name="smbgrpadd"></a><p class="title"><b>Example 12.2. Configuration of smb.conf for the add group script.</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td>...</td></tr><tr><td><i class="parameter"><tt>add group script = /path_to_tool/smbgrpadd.sh %g</tt></i></td></tr><tr><td>...</td></tr></table></div><p>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2910716"></a>Script to Configure Group Mapping</h3></div></div><div></div></div><p>
In our example we have created a UNIX/Linux group called <span class="emphasis"><em>ntadmin</em></span>.
- Our script will create the additional groups <span class="emphasis"><em>Orks</em></span>, <span class="emphasis"><em>Elves</em></span>, <span class="emphasis"><em>Gnomes</em></span>:
+ Our script will create the additional groups <span class="emphasis"><em>Orks</em></span>, <span class="emphasis"><em>Elves</em></span>, and <span class="emphasis"><em>Gnomes</em></span>.
+ It is a good idea to save this shell script for later re-use just in case you ever need to rebuild your mapping database.
+ For the sake of concenience we elect to save this script as a file called <tt class="filename">initGroups.sh</tt>.
+ This script is given in <link linkend="set-group-map">.
</p><p>
-</p><pre class="programlisting">
+<a class="indexterm" name="id2910771"></a>
+</p><div class="example"><a name="set-group-map"></a><p class="title"><b>Example 12.3. Script to Set Group Mapping</b></p><pre class="programlisting">
#!/bin/bash
-net groupmap modify ntgroup=&quot;Domain Admins&quot; unixgroup=ntadmin
-net groupmap modify ntgroup=&quot;Domain Users&quot; unixgroup=users
-net groupmap modify ntgroup=&quot;Domain Guests&quot; unixgroup=nobody
-net groupmap modify ntgroup=&quot;Administrators&quot; unixgroup=root
-net groupmap modify ntgroup=&quot;Users&quot; unixgroup=users
-net groupmap modify ntgroup=&quot;Guests&quot; unixgroup=nobody
-net groupmap modify ntgroup=&quot;System Operators&quot; unixgroup=sys
-net groupmap modify ntgroup=&quot;Account Operators&quot; unixgroup=root
-net groupmap modify ntgroup=&quot;Backup Operators&quot; unixgroup=bin
-net groupmap modify ntgroup=&quot;Print Operators&quot; unixgroup=lp
-net groupmap modify ntgroup=&quot;Replicators&quot; unixgroup=daemon
-net groupmap modify ntgroup=&quot;Power Users&quot; unixgroup=sys
+net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmin
+net groupmap modify ntgroup="Domain Users" unixgroup=users
+net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
groupadd Orks
groupadd Elves
groupadd Gnomes
-net groupmap add ntgroup=&quot;Orks&quot; unixgroup=Orks type=d
-net groupmap add ntgroup=&quot;Elves&quot; unixgroup=Elves type=d
-net groupmap add ntgroup=&quot;Gnomes&quot; unixgroup=Gnomes type=d
-</pre><p>
+net groupmap add ntgroup="Orks" unixgroup=Orks type=d
+net groupmap add ntgroup="Elves" unixgroup=Elves type=d
+net groupmap add ntgroup="Gnomes" unixgroup=Gnomes type=d
+</pre></div><p>
</p><p>
Of course it is expected that the administrator will modify this to suit local needs.
For information regarding the use of the <b class="command">net groupmap</b> tool please
refer to the man page.
- </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2903900"></a>Common Errors</h2></div></div><div></div></div><p>
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2910824"></a>Common Errors</h2></div></div><div></div></div><p>
At this time there are many little surprises for the unwary administrator. In a real sense
it is imperative that every step of automated control scripts must be carefully tested
manually before putting them into active service.
-</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903915"></a>Adding Groups Fails</h3></div></div><div></div></div><p>
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2910839"></a>Adding Groups Fails</h3></div></div><div></div></div><p>
This is a common problem when the <b class="command">groupadd</b> is called directly
- by the Samba interface script for the <a class="indexterm" name="id2903935"></a><i class="parameter"><tt>add group script</tt></i> in
+ by the Samba interface script for the <a class="indexterm" name="id2910858"></a><i class="parameter"><tt>add group script</tt></i> in
the <tt class="filename">smb.conf</tt> file.
</p><p>
The most common cause of failure is an attempt to add an MS Windows group account
that has either an upper case character and/or a space character in it.
</p><p>
- There are three possible work-arounds. Firstly, use only group names that comply
+ There are three possible work-arounds. First, use only group names that comply
with the limitations of the UNIX/Linux <b class="command">groupadd</b> system tool.
- The second involves use of the script mentioned earlier in this chapter, and the
- third option is to manually create a UNIX/Linux group account that can substitute
+ Second, it involves the use of the script mentioned earlier in this chapter, and
+ third is the option is to manually create a UNIX/Linux group account that can substitute
for the MS Windows group name, then use the procedure listed above to map that group
to the MS Windows group.
- </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2903984"></a>Adding MS Windows Groups to MS Windows Groups Fails</h3></div></div><div></div></div><a class="indexterm" name="id2903992"></a><p>
- Samba-3 does NOT support nested groups from the MS Windows control environment.
- </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2904010"></a>Adding <span class="emphasis"><em>Domain Users</em></span> to the <span class="emphasis"><em>Power Users</em></span> group</h3></div></div><div></div></div><p>&#8220;<span class="quote">
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2910907"></a>Adding MS Windows Groups to MS Windows Groups Fails</h3></div></div><div></div></div><a class="indexterm" name="id2910916"></a><p>
+ Samba-3 does not support nested groups from the MS Windows control environment.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2910933"></a>Adding <span class="emphasis"><em>Domain Users</em></span> to the <span class="emphasis"><em>Power Users</em></span> Group</h3></div></div><div></div></div><p>&#8220;<span class="quote">
What must I do to add Domain Users to the Power Users group?
- </span>&#8221;</p><p>
- The Power Users group is a group that is local to each Windows
- 200x / XP Professional workstation. You can not add the Domain Users group to the Power Users
- group automatically, this must be done on each workstation by logging in as the local workstation
- <span class="emphasis"><em>administrator</em></span> and then using click on Start / Control Panel / Users and Passwords
- now click on the 'Advanced' tab, then on the 'Advanced' Button.
- </p><a class="indexterm" name="id2904048"></a><p>
- Now click on 'Groups', then double click on 'Power Users'. This will launch the panel to add users
- or groups to the local machine 'Power Uses' group. Click on the 'Add' button, select the domain
- from which the 'Domain Users' group is to be added, double click on the 'Domain Users' group, then
- click on the 'Ok' button. Note: If a logon box is presented during this process please remember to
- enter the connect as DOMAIN\UserName. ie: For the domain MIDEARTH and the user 'root' enter
- MIDEARTH\root.
- </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="passdb.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="AccessControls.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 11. Account Information Databases </td><td width="20%" align="center"><a accesskey="h" href="samba-doc.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 13. File, Directory and Share Access Controls</td></tr></table></div></body></html>
+ </span>&#8221;</p><a class="indexterm" name="id2910956"></a><p>
+ The Power Users group is a group that is local to each Windows 200x/XP Professional workstation.
+ You cannot add the Domain Users group to the Power Users group automatically, it must be done on
+ each workstation by logging in as the local workstation <span class="emphasis"><em>administrator</em></span> and
+ then using the following procedure:
+ </p><div class="procedure"><ol type="1"><li><p>
+ Click <span class="guimenu">Start -&gt; Control Panel -&gt; Users and Passwords</span>.
+ </p></li><li><p>
+ Click the <span class="guimenuitem">Advanced</span> tab.
+ </p></li><li><p>
+ Click the <span class="guibutton">Advanced</span> button.
+ </p></li><li><p>
+ Click <tt class="constant">Groups</tt>.
+ </p></li><li><p>
+ Double click <tt class="constant">Power Users</tt>. This will launch the panel to add users or groups
+ to the local machine <tt class="constant">Power Uses</tt> group.
+ </p></li><li><p>
+ Click the <span class="guibutton">Add</span> button.
+ </p></li><li><p>
+ Select the domain from which the <tt class="constant">Domain Users</tt> group is to be added.
+ </p></li><li><p>
+ Double click the <tt class="constant">Domain Users</tt> group.
+ </p></li><li><p>
+ Click the <span class="guibutton">Ok</span> button. If a logon box is presented during this process
+ please remember to enter the connect as <tt class="constant">DOMAIN\UserName</tt>. i.e., For the
+ domain <tt class="constant">MIDEARTH</tt> and the user <tt class="constant">root</tt> enter
+ <tt class="constant">MIDEARTH\root</tt>.
+ </p></li></ol></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="passdb.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="AccessControls.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 11. Account Information Databases </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 13. File, Directory and Share Access Controls</td></tr></table></div></body></html>
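Review bot: the new cross-references at "something like that in <link linkend="smbgrpadd">." and "This script is given in <link linkend="set-group-map">." are raw DocBook elements that were never resolved by the XSL stylesheets, so in the generated HTML both references render as empty and the reader is pointed at nothing; the output should carry a real anchor such as `<a href="#smbgrpadd">Example 12.2</a>` and `<a href="#set-group-map">Example 12.3</a>`, which means fixing the link rendering in the DocBook source or stylesheet before regenerating this file. Three wording defects also survive the rewrite: "concenience" should be "convenience"; the work-arounds paragraph now reads "Second, it involves the use of the script ... and third is the option is to manually create", which should be "Second, use the script mentioned earlier in this chapter; third, manually create ..."; and the procedure still says "the local machine Power Uses group" where "Power Users" is meant. Separately, the example script now maps only Domain Admins, Domain Users and Domain Guests and drops the earlier lines that mapped Administrators and Account Operators to root and the Operators groups to sys, bin, lp and daemon; if that narrowing is deliberate (and not handing root's group to several Windows builtin groups is a sensible default for an example), a sentence in the text saying that further builtin-group mappings are left to the administrator would make the reduced script read as intended rather than as an accidental truncation.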