diff options
Diffstat (limited to 'docs/htmldocs/groupmapping.html')
| -rw-r--r-- | docs/htmldocs/groupmapping.html | 412 |
1 files changed, 177 insertions, 235 deletions
diff --git a/docs/htmldocs/groupmapping.html b/docs/htmldocs/groupmapping.html index 84cf521fc9..8508edf2a5 100644 --- a/docs/htmldocs/groupmapping.html +++ b/docs/htmldocs/groupmapping.html @@ -1,235 +1,177 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<HTML -><HEAD -><TITLE ->Group mapping HOWTO</TITLE -><META -NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+ -"><LINK -REL="HOME" -TITLE="SAMBA Project Documentation" -HREF="samba-howto-collection.html"><LINK -REL="UP" -TITLE="Optional configuration" -HREF="optional.html"><LINK -REL="PREVIOUS" -TITLE="HOWTO Access Samba source code via CVS" -HREF="cvs-access.html"><LINK -REL="NEXT" -TITLE="Samba performance issues" -HREF="speed.html"></HEAD -><BODY -CLASS="CHAPTER" -BGCOLOR="#FFFFFF" -TEXT="#000000" -LINK="#0000FF" -VLINK="#840084" -ALINK="#0000FF" -><DIV -CLASS="NAVHEADER" -><TABLE -SUMMARY="Header navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TH -COLSPAN="3" -ALIGN="center" ->SAMBA Project Documentation</TH -></TR -><TR -><TD -WIDTH="10%" -ALIGN="left" -VALIGN="bottom" -><A -HREF="cvs-access.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="80%" -ALIGN="center" -VALIGN="bottom" -></TD -><TD -WIDTH="10%" -ALIGN="right" -VALIGN="bottom" -><A -HREF="speed.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -></TABLE -><HR -ALIGN="LEFT" -WIDTH="100%"></DIV -><DIV -CLASS="CHAPTER" -><H1 -><A -NAME="GROUPMAPPING">Chapter 21. Group mapping HOWTO</H1 -><P -> -Starting with Samba 3.0 alpha 2, a new group mapping function is available. The -current method (likely to change) to manage the groups is a new command called -<B -CLASS="COMMAND" ->smbgroupedit</B ->.</P -><P ->The first immediate reason to use the group mapping on a PDC, is that -the <B -CLASS="COMMAND" ->domain admin group</B -> of <TT -CLASS="FILENAME" ->smb.conf</TT -> is -now gone. This parameter was used to give the listed users local admin rights -on their workstations. It was some magic stuff that simply worked but didn't -scale very well for complex setups.</P -><P ->Let me explain how it works on NT/W2K, to have this magic fade away. -When installing NT/W2K on a computer, the installer program creates some users -and groups. Notably the 'Administrators' group, and gives to that group some -privileges like the ability to change the date and time or to kill any process -(or close too) running on the local machine. The 'Administrator' user is a -member of the 'Administrators' group, and thus 'inherit' the 'Administrators' -group privileges. If a 'joe' user is created and become a member of the -'Administrator' group, 'joe' has exactly the same rights as 'Administrator'.</P -><P ->When a NT/W2K machine is joined to a domain, during that phase, the "Domain -Administrators' group of the PDC is added to the 'Administrators' group of the -workstation. Every members of the 'Domain Administrators' group 'inherit' the -rights of the 'Administrators' group when logging on the workstation.</P -><P ->You are now wondering how to make some of your samba PDC users members of the -'Domain Administrators' ? That's really easy.</P -><P -></P -><OL -TYPE="1" -><LI -><P ->create a unix group (usually in <TT -CLASS="FILENAME" ->/etc/group</TT ->), let's call it domadm</P -></LI -><LI -><P ->add to this group the users that must be Administrators. For example if you want joe,john and mary, your entry in <TT -CLASS="FILENAME" ->/etc/group</TT -> will look like:</P -><P -><PRE -CLASS="PROGRAMLISTING" ->domadm:x:502:joe,john,mary</PRE -></P -></LI -><LI -><P ->Map this domadm group to the <B -CLASS="COMMAND" ->domain admins</B -> group by running the command:</P -><P -><B -CLASS="COMMAND" ->smbgroupedit -c "Domain Admins" -u domadm</B -></P -></LI -></OL -><P ->You're set, joe, john and mary are domain administrators !</P -><P ->Like the Domain Admins group, you can map any arbitrary Unix group to any NT -group. You can also make any Unix group a domain group. For example, on a domain -member machine (an NT/W2K or a samba server running winbind), you would like to -give access to a certain directory to some users who are member of a group on -your samba PDC. Flag that group as a domain group by running:</P -><P -><B -CLASS="COMMAND" ->smbgroupedit -a unixgroup -td</B -></P -><P ->You can list the various groups in the mapping database like this</P -><P -><B -CLASS="COMMAND" ->smbgroupedit -v</B -></P -></DIV -><DIV -CLASS="NAVFOOTER" -><HR -ALIGN="LEFT" -WIDTH="100%"><TABLE -SUMMARY="Footer navigation table" -WIDTH="100%" -BORDER="0" -CELLPADDING="0" -CELLSPACING="0" -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" -><A -HREF="cvs-access.html" -ACCESSKEY="P" ->Prev</A -></TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -><A -HREF="samba-howto-collection.html" -ACCESSKEY="H" ->Home</A -></TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" -><A -HREF="speed.html" -ACCESSKEY="N" ->Next</A -></TD -></TR -><TR -><TD -WIDTH="33%" -ALIGN="left" -VALIGN="top" ->HOWTO Access Samba source code via CVS</TD -><TD -WIDTH="34%" -ALIGN="center" -VALIGN="top" -><A -HREF="optional.html" -ACCESSKEY="U" ->Up</A -></TD -><TD -WIDTH="33%" -ALIGN="right" -VALIGN="top" ->Samba performance issues</TD -></TR -></TABLE -></DIV -></BODY -></HTML ->
\ No newline at end of file +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 12. Mapping MS Windows and Unix Groups</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="passdb.html" title="Chapter 11. Account Information Databases"><link rel="next" href="AccessControls.html" title="Chapter 13. File, Directory and Share Access Controls"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 12. Mapping MS Windows and Unix Groups</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="passdb.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="AccessControls.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="groupmapping"></a>Chapter 12. Mapping MS Windows and Unix Groups</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jean François</span> <span class="surname">Micouleau</span></h3></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="groupmapping.html#id2921059">Features and Benefits</a></dt><dt><a href="groupmapping.html#id2921161">Discussion</a></dt><dd><dl><dt><a href="groupmapping.html#id2921352">Example Configuration</a></dt></dl></dd><dt><a href="groupmapping.html#id2921416">Configuration Scripts</a></dt><dd><dl><dt><a href="groupmapping.html#id2921430">Sample smb.conf add group script</a></dt><dt><a href="groupmapping.html#id2921498">Script to configure Group Mapping</a></dt></dl></dd><dt><a href="groupmapping.html#id2921590">Common Errors</a></dt><dd><dl><dt><a href="groupmapping.html#id2921606">Adding Groups Fails</a></dt><dt><a href="groupmapping.html#id2921666">Adding MS Windows Groups to MS Windows Groups Fails</a></dt></dl></dd></dl></div><p> + Starting with Samba-3, new group mapping functionality is available to create associations + between Windows group SIDs and UNIX groups. The <i class="parameter"><tt>groupmap</tt></i> subcommand + included with the <span class="application">net</span> tool can be used to manage these associations. + </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> + The first immediate reason to use the group mapping on a Samba PDC, is that + the <i class="parameter"><tt>domain admin group</tt></i> has been removed and should no longer + be specified in <tt class="filename">smb.conf</tt>. This parameter was used to give the listed users membership + in the <tt class="constant">Domain Admins</tt> Windows group which gave local admin rights on their workstations + (in default configurations). + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2921059"></a>Features and Benefits</h2></div></div><div></div></div><p> + Samba allows the administrator to create MS Windows NT4 / 200x group accounts and to + arbitrarily associate them with Unix/Linux group accounts. + </p><p> + Group accounts can be managed using the MS Windows NT4 or MS Windows 200x MMC tools + so long as appropriate interface scripts have been provided to <tt class="filename">smb.conf</tt> + </p><p> + Administrators should be aware that where <tt class="filename">smb.conf</tt> group interface scripts make + direct calls to the Unix/Linux system tools (eg: the shadow utilities, <b class="command">groupadd</b>, + <b class="command">groupdel</b>, <b class="command">groupmod</b>) then the resulting Unix/Linux group names will be subject + to any limits imposed by these tools. If the tool does NOT allow upper case characters + or space characters, then the creation of an MS Windows NT4 / 200x style group of + <i class="parameter"><tt>Engineering Managers</tt></i> will attempt to create an identically named + Unix/Linux group, an attempt that will of course fail! + </p><p> + There are several possible work-arounds for the operating system tools limitation. One + method is to use a script that generates a name for the Unix/Linux system group that + fits the operating system limits, and that then just passes the Unix/Linux group id (GID) + back to the calling samba interface. This will provide a dynamic work-around solution. + </p><p> + Another work-around is to manually create a Unix/Linux group, then manually create the + MS Windows NT4 / 200x group on the Samba server and then use the <b class="command">net groupmap</b> + tool to connect the two to each other. + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2921161"></a>Discussion</h2></div></div><div></div></div><p> + When installing <span class="application">MS Windows NT4 / 200x</span> on a computer, the installation + program creates default users and groups. Notably the <tt class="constant">Administrators</tt> group, + and gives to that group privileges necessary privilidges to perform essential system tasks. + eg: Ability to change the date and time or to kill any process (or close too) running on the + local machine. + </p><p> + The 'Administrator' user is a member of the 'Administrators' group, and thus inherits + 'Administrators' group privileges. If a 'joe' user is created to be a member of the + 'Administrator' group, 'joe' has exactly the same rights as 'Administrator'. + </p><p> + When an MS Windows NT4 / W200x is made a domain member, the "Domain Adminis" group of the + PDC is added to the local 'Administrators' group of the workstation. Every member of the + 'Domain Administrators' group inherits the rights of the local 'Administrators' group when + logging on the workstation. + </p><p> + The following steps describe how to make samba PDC users members of the 'Domain Admins' group? + </p><div class="orderedlist"><ol type="1"><li><p> + create a unix group (usually in <tt class="filename">/etc/group</tt>), let's call it domadm + </p></li><li><p>add to this group the users that must be Administrators. For example + if you want joe,john and mary, your entry in <tt class="filename">/etc/group</tt> will + look like: + </p><pre class="programlisting"> + domadm:x:502:joe,john,mary + </pre><p> + </p></li><li><p> + Map this domadm group to the "Domain Admins" group by running the command: + </p><p> + </p><pre class="screen"> + <tt class="prompt">root# </tt><b class="userinput"><tt>net groupmap add ntgroup="Domain Admins" unixgroup=domadm</tt></b> + </pre><p> + </p><p> + The quotes around "Domain Admins" are necessary due to the space in the group name. + Also make sure to leave no whitespace surrounding the equal character (=). + </p></li></ol></div><p> + Now joe, john and mary are domain administrators! + </p><p> + It is possible to map any arbitrary UNIX group to any Windows NT4 / 200x group as well as + making any UNIX group a Windows domain group. For example, if you wanted to include a + UNIX group (e.g. acct) in a ACL on a local file or printer on a domain member machine, + you would flag that group as a domain group by running the following on the Samba PDC: + </p><p> + </p><pre class="screen"> + <tt class="prompt">root# </tt><b class="userinput"><tt>net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct</tt></b> + </pre><p> + </p><p> + Be aware that the RID parmeter is a unsigned 32 bit integer that should + normally start at 1000. However, this rid must not overlap with any RID assigned + to a user. Verifying this is done differently depending on on the passdb backend + you are using. Future versions of the tools may perform the verification automatically, + but for now the burden is on you. + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921352"></a>Example Configuration</h3></div></div><div></div></div><p> + You can list the various groups in the mapping database by executing + <b class="command">net groupmap list</b>. Here is an example: + </p><p> + </p><pre class="screen"> + <tt class="prompt">root# </tt> <b class="userinput"><tt>net groupmap list</tt></b> + System Administrators (S-1-5-21-2547222302-1596225915-2414751004-1002) -> sysadmin + Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin + Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser + Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest + </pre><p> + </p><p> + For complete details on <b class="command">net groupmap</b>, refer to the net(8) man page. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2921416"></a>Configuration Scripts</h2></div></div><div></div></div><p> + Everyone needs tools. Some of us like to create our own, others prefer to use canned tools + (ie: prepared by someone else for general use). + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921430"></a>Sample <tt class="filename">smb.conf</tt> add group script</h3></div></div><div></div></div><p> + A script to great complying group names for use by the samba group interfaces: + </p><p> +</p><div class="example"><a name="id2921453"></a><p class="title"><b>Example 12.1. smbgrpadd.sh</b></p><pre class="programlisting"> + +#!/bin/bash + +# Add the group using normal system groupadd tool. +groupadd smbtmpgrp00 + +thegid=`cat /etc/group | grep smbtmpgrp00 | cut -d ":" -f3` + +# Now change the name to what we want for the MS Windows networking end +cat /etc/group | sed s/smbtmpgrp00/$1/g > /etc/group + +# Now return the GID as would normally happen. +echo $thegid +exit 0 +</pre></div><p> +</p><p> + The <tt class="filename">smb.conf</tt> entry for the above script would look like: + </p><pre class="programlisting"> + add group script = /path_to_tool/smbgrpadd.sh %g + </pre><p> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921498"></a>Script to configure Group Mapping</h3></div></div><div></div></div><p> + In our example we have created a Unix/Linux group called <i class="parameter"><tt>ntadmin</tt></i>. + Our script will create the additional groups <i class="parameter"><tt>Engineers, Marketoids, Gnomes</tt></i>: + </p><p> +</p><pre class="programlisting"> +#!/bin/bash + +net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmin +net groupmap modify ntgroup="Domain Users" unixgroup=users +net groupmap modify ntgroup="Domain Guests" unixgroup=nobody +net groupmap modify ntgroup="Administrators" unixgroup=root +net groupmap modify ntgroup="Users" unixgroup=users +net groupmap modify ntgroup="Guests" unixgroup=nobody +net groupmap modify ntgroup="System Operators" unixgroup=sys +net groupmap modify ntgroup="Account Operators" unixgroup=root +net groupmap modify ntgroup="Backup Operators" unixgroup=bin +net groupmap modify ntgroup="Print Operators" unixgroup=lp +net groupmap modify ntgroup="Replicators" unixgroup=daemon +net groupmap modify ntgroup="Power Users" unixgroup=sys + +#groupadd Engineers +#groupadd Marketoids +#groupadd Gnomes + +#net groupmap add ntgroup="Engineers" unixgroup=Engineers type=d +#net groupmap add ntgroup="Marketoids" unixgroup=Marketoids type=d +#net groupmap add ntgroup="Gnomes" unixgroup=Gnomes type=d +</pre><p> +</p><p> + Of course it is expected that the admininstrator will modify this to suit local needs. + For information regarding the use of the <b class="command">net groupmap</b> tool please + refer to the man page. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2921590"></a>Common Errors</h2></div></div><div></div></div><p> +At this time there are many little surprises for the unwary administrator. In a real sense +it is imperative that every step of automated control scripts must be carefully tested +manually before putting them into active service. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921606"></a>Adding Groups Fails</h3></div></div><div></div></div><p> + This is a common problem when the <b class="command">groupadd</b> is called directly + by the samba interface script for the <i class="parameter"><tt>add group script</tt></i> in + the <tt class="filename">smb.conf</tt> file. + </p><p> + The most common cause of failure is an attempt to add an MS Windows group acocunt + that has either an upper case character and/or a space character in it. + </p><p> + There are three possible work-arounds. Firstly, use only group names that comply + with the limitations of the Unix/Linux <b class="command">groupadd</b> system tool. + The second involves use of the script mentioned earlier in this chapter, and the + third option is to manually create a Unix/Linux group account that can substitute + for the MS Windows group name, then use the procedure listed above to map that group + to the MS Windows group. + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921666"></a>Adding MS Windows Groups to MS Windows Groups Fails</h3></div></div><div></div></div><p> + Samba-3 does NOT support nested groups from the MS Windows control environment. + </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="passdb.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="AccessControls.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 11. Account Information Databases </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 13. File, Directory and Share Access Controls</td></tr></table></div></body></html> |