-rw-r--r-- docs/docbook/projdoc/GROUP-MAPPING-HOWTO.xml | 110
-rw-r--r-- docs/docbook/projdoc/passdb.xml | 73
2 files changed, 182 insertions, 1 deletions
diff --git a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.xml b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.xml index adb1689017..61561cb55f 100644 --- a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.xml +++ b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.xml @@ -29,7 +29,36 @@ <title>Features and Benefits</title> <para> - Stuff goes here. + Samba allows the administrator to create MS Windows NT4 / 200x group accounts and to + arbitrarily associate them with Unix/Linux group accounts. + </para> + + <para> + Group accounts can be managed using the MS Windows NT4 or MS Windows 200x MMC tools + so long as appropriate interface scripts have been provided to &smb.conf; + </para> + + <para> + Administrators should be aware that where &smb.conf; group interface scripts make + direct calls to the Unix/Linux system tools (eg: the shadow utilities, <command>groupadd, + groupdel, groupmod</command>) then the resulting Unix/Linux group names will be subject + to any limits imposed by these tools. If the tool does NOT allow upper case characters + or space characters, then the creation of an MS Windows NT4 / 200x style group of + <parameter>Engineering Managers</parameter> will attempt to create an identically named + Unix/Linux group, an attempt that will of course fail! + </para> + + <para> + There are several possible work-arounds for the operating system tools limitation. One + method is to use a script that generates a name for the Unix/Linux system group that + fits the operating system limits, and that then just passes the Unix/Linux group id (GID) + back to the calling samba interface. This will provide a dynamic work-around solution. + </para> + + <para> + Another work-around is to manually create a Unix/Linux group, then manually create the + MS Windows NT4 / 200x group on the Samba server and then use the <command>net groupmap</command> + tool to connect the two to each other. </para> </sect1> 
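Review bot: the second new paragraph of the Features and Benefits hunk says MMC group management works "so long as appropriate interface scripts have been provided to &smb.conf;" but never says which parameters those are, so the limitation paragraph that follows ("where &smb.conf; group interface scripts make direct calls to the Unix/Linux system tools") has nothing concrete to refer to; name the parameters here (the next hunk in this file documents `add group script`, and the matching delete and group-membership scripts belong in the same list) or cross-reference the section that documents them. The sentence "an attempt that will of course fail!" reads as an aside in a reference manual; "an attempt that will fail" is enough. "eg:" should be "e.g." for consistency with the rest of the projdoc tree.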
@@ -150,6 +179,85 @@ (ie: prepared by someone else for general use). </para> + <sect2> + <title>Sample &smb.conf; <emphasis><parameter>add group script</parameter></emphasis></title> + + <para> + A script to great complying group names for use by the samba group interfaces: + </para> + +<para> +<screen> +Script name: smbgrpadd.sh + +#!/bin/bash + +# Add the group using normal system groupadd tool. +groupadd smbtmpgrp00 + +thegid=`cat /etc/group | grep smbtmpgrp00 | cut -d ":" -f3` + +# Now change the name to what we want for the MS Windows networking end +cat /etc/group | sed s/smbtmpgrp00/$1/g > /etc/group + +# Now return the GID as would normally happen. +echo $thegid +exit 0 +</screen> +</para> + + <para> + The &smb.conf; entry for the above script would look like: + <screen> + add group script = /path_to_tool/smbgrpadd.sh %g + </screen> + </para> + + </sect2> + + <sect2> + <title>Script to configure Group Mapping</title> + + <para> + In our example we have created a Unix/Linux group called <parameter>ntadmin</parameter>. 
+ Our script will create the additional groups <parameter>Engineers, Marketoids, Gnomes</parameter>: + </para> + +<para> +<screen> +#!/bin/bash + +net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmin +net groupmap modify ntgroup="Domain Users" unixgroup=users +net groupmap modify ntgroup="Domain Guests" unixgroup=nobody +net groupmap modify ntgroup="Administrators" unixgroup=root +net groupmap modify ntgroup="Users" unixgroup=users +net groupmap modify ntgroup="Guests" unixgroup=nobody +net groupmap modify ntgroup="System Operators" unixgroup=sys +net groupmap modify ntgroup="Account Operators" unixgroup=root +net groupmap modify ntgroup="Backup Operators" unixgroup=bin +net groupmap modify ntgroup="Print Operators" unixgroup=lp +net groupmap modify ntgroup="Replicators" unixgroup=daemon +net groupmap modify ntgroup="Power Users" unixgroup=sys + +#groupadd Engineers +#groupadd Marketoids +#groupadd Gnomes + +#net groupmap add ntgroup="Engineers" unixgroup=Engineers type=d +#net groupmap add ntgroup="Marketoids" unixgroup=Marketoids type=d +#net groupmap add ntgroup="Gnomes" unixgroup=Gnomes type=d +</screen> +</para> + + <para> + Of course it is expected that the admininstrator will modify this to suit local needs. + For information regarding the use of the <command>net groupmap</command> tool please + refer to the man page. + </para> + + </sect2> + </sect1> <sect1> diff --git a/docs/docbook/projdoc/passdb.xml b/docs/docbook/projdoc/passdb.xml index 419dd51335..4152494d24 100644 --- a/docs/docbook/projdoc/passdb.xml +++ b/docs/docbook/projdoc/passdb.xml 
@@ -866,6 +866,79 @@ index default sub </sect3> <sect3> + <title>Initialise the LDAP database</title> + + <para> + Before you can add accounts to the LDAP database you must create the account containers + that they will be stored in. The following LDIF file should be modified to match your + needs (ie: Your DNS entries, etc.). + </para> + +<para> +<screen> +# Organization for Samba Base +dn: dc=plainjoe,dc=org +objectclass: dbObject +objectclass: organization +dc: plainjoe +o: Terpstra Org Network +description: The Samba-3 Network LDAP Example + +# Organizational Role for Directory Management +db: cn=Manager,dc=plainjoe,dc=org +objectclass: organizationalRole +cn: Manager +description: Directory Manager + +# Setting up container for users +dn: ou=People,dc=plainjoe,dc=org +objectclass: top +objectclass: organizationalUnit +ou: People + +# Setting up admin handle for People OU +dn: cn=admin,ou=People,dc=plainjoe,dc=org +cn: admin +objectclass: top +objectclass: organizationalRole +objectclass: simpleSecurityObject +userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz +</screen> +</para> + + <para> + The userPassword shown above should be generated using <command>slappasswd</command>. + </para> + + <para> + The following command will then load the contents of the LDIF file into the LDAP + database. + </para> + +<para> +<screen> +slapadd -v -l initldap.dif +</screen> +</para> + + <para> + Do not forget to secure your LDAP server with an adequate access control list, + as well as an admin password. + </para> + + <note> + <para> + Before Samba can access the LDAP server you need to stoe the LDAP admin password + into the Samba-3 <filename>secrets.tdb</filename> database by: + <screen> + &rootprompt; <command>smbpasswd -w secret</command> + </screen> + </para> + </note> + + </sect3> + + <sect3> <title>Configuring Samba</title> <para> |