diff options
Diffstat (limited to 'docs/textdocs/GROUP-MAPPING-HOWTO.txt')
-rw-r--r-- | docs/textdocs/GROUP-MAPPING-HOWTO.txt | 60 |
1 files changed, 0 insertions, 60 deletions
diff --git a/docs/textdocs/GROUP-MAPPING-HOWTO.txt b/docs/textdocs/GROUP-MAPPING-HOWTO.txt deleted file mode 100644 index c266f56548..0000000000 --- a/docs/textdocs/GROUP-MAPPING-HOWTO.txt +++ /dev/null @@ -1,60 +0,0 @@ -Samba 3.0 prealpha guide to group mapping ---------------------------------------------------- - -Jean François Micouleau (jfm@samba.org) - -Starting with Samba 3.0 alpha 2, a new group mapping function is available. The -current method (likely to change) to manage the groups is a new command called -smbgroupedit. - -The first immediate reason to use the group mapping on a PDC, is that -the 'domain admin group' of smb.conf is now gone. This parameter was -used to give the listed users local admin rights on their -workstations. It was some magic stuff that simply worked but didn't -scale very well for complex setups. - -Let me explain how it works on NT/W2K, to have this magic fade away. -When installing NT/W2K on a computer, the installer program creates some users -and groups. Notably the 'Administrators' group, and gives to that group some -privileges like the ability to change the date and time or to kill any process -(or close too) running on the local machine. The 'Administrator' user is a -member of the 'Administrators' group, and thus 'inherit' the 'Administrators' -group privileges. If a 'joe' user is created and become a member of the -'Administrator' group, 'joe' has exactly the same rights as 'Administrator'. - -When a NT/W2K machine is joined to a domain, during that phase, the "Domain -Administrators' group of the PDC is added to the 'Administrators' group of the -workstation. Every members of the 'Domain Administrators' group 'inherit' the -rights of the 'Administrators' group when logging on the workstation. - - -You are now wondering how to make some of your samba PDC users members of the -'Domain Administrators' ? That's really easy. - -1) create a unix group (usually in /etc/group), let's call it domadm -2) add to this group the users that must be Administrators. For example if you -want joe,john and mary, your entry in /etc/group will look like: - - domadm:x:502:joe,john,mary - -3) map this domadm group to the 'domain admins' group by running the command: - - smbgroupedit -c "Domain Admins" -u domadm - -you're set, joe, john and mary are domain administrators ! - - - -Like the Domain Admins group, you can map any arbitrary Unix group to any NT -group. You can also make any Unix group a domain group. For example, on a domain -member machine (an NT/W2K or a samba server running winbind), you would like to -give access to a certain directory to some users who are member of a group on -your samba PDC. Flag that group as a domain group by running: - - smbgroupedit -a unixgroup -td - - -You can list the various groups in the mapping database like this - - smbgroupedit -v - |