From 06131ac5751494f8d022e0e6b5a013e89e666022 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Mon, 16 May 2005 07:11:57 +0000 Subject: Another work in progress commit. (This used to be commit f3f31c5fa49118d79649827d0c5271a527fb5dba) --- .../TOSHARG-TheNetCommand.xml | 438 ++++++++++++++++----- 1 file changed, 336 insertions(+), 102 deletions(-) diff --git a/docs/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml b/docs/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml index 51bf795aee..e2d8590075 100644 --- a/docs/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml +++ b/docs/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml @@ -4,6 +4,7 @@ &author.jht; + &author.vl; &author.gd; May 9, 2005 @@ -34,7 +35,7 @@ the infliction of self induced pain, agony and desperation. Be warned, this is a - Self-Defense Overview + Overview The tasks that follow the installation of a Samba-3 server, whether Stand-Alone, Domain Member, of a 
@@ -73,26 +74,53 @@ the infliction of self induced pain, agony and desperation. Be warned, this is a - Administrative Tasks And Methods - Stuff goes here - this is a work in progress.!!!!! + The basic operations of the net command are documented here. This documentation is not + exhaustive, and thus it is incomplete. Since the primary focus is on migration from Windows servers to + a Samba server the emphasis is on the use of the DCE RPC mode of operation. When used against a server + that is a member of an Active Directory domain it is preferable (and often necessary) to use ADS mode + operations. The net command supports both, but not for every operation. Please refer + to the man page for a more comprehensive overview of the capabilities of this utility. - + + + UNIX and Windows Group Management - More stuff.!!!!!!!!!! + In repetition of what has been said, the focus in most of this chapter is on use of the net + rpc family of operations that are supported by Samba. Most of them are supported by the + net ads mode when used in connection with MS Active Directory. The net + rap operating mode is also supported for some of these operations. RAP protocols are used + by IBM OS/2 and by several earlier SMB servers. - + + Sambas' net tool implements sufficient capability to permit all common adminstrative + tasks to be completed from the command line. In this section each of the essential user and group management + facilities are explored. + + + + Samba-3 recognizes two types of groups: domain groups and local + groups. Domain groups can contain (have as members) only domain user accounts. Local groups + can contain local users, domain users, and domain groups as members. + + + + The purpose of a local group is to permit file permission to be set for a group account that, like the + usual UNIX/Linux group, is persistent across redeployment of a Windows file server. + + + Adding, Renaming, or Deletion of Group Accounts - + Adding or Creating a New Group 
@@ -166,9 +194,9 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs - + - + Mapping Windows Groups to UNIX Groups @@ -177,6 +205,14 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs system that is hosting the Samba server. + + All file system (file and directory) access controls, within the file system of a UNIX/Linux server that is + hosting a Samba server, is implemented using a UID/GID identity tuple. Samba does not in any way over-ride + or replace UNIX file system semantics. Thus it is necessary that all Windows networking operations that + access the file system must provide a mechanism that maps a Windows user to a particular UNIX/Linux group + account. The user account must also map to a locally known UID. + + Samba depends on default mappings for the Domain Admins, Domain Users and Domain Guests global groups. Additional groups may be added as shown in the @@ -208,15 +244,18 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs - Both the Windows group as well as the UNIX group can be deleted by executing: + Two types of Windows groups can be created: domain (global), and local. + In the above examples the Windows groups created were of type domain, or global. The + following command will create a Windows group of type local. -&rootprompt; net groupmap delete ntgroup= +&rootprompt; net groupmap add ntgroup=Pixies unixgroup=pixies type=l + Local groups can be used with Samba to enable multiple nested group support. - + - + Deleting a Group Account @@ -230,9 +269,10 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs Validation of the deletion is advisable. The same commands may be executed as shown above. - - - How to Rename a Group Account + + + + Rename Group Accounts This command is not documented in the man pages, it is implemented in the source code, but it does not 
@@ -250,20 +290,124 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs - - - + + + Manipulating Group Memberships - Fix me by adding stuff here!!!!!! + Three operations can be performed in respect of group membership. It is possible to (1) add Windows users + to Windows group, to (2) delete Windows users from Windows groups, and to (3) list the Windows users that are + members of a Windows group. - + + So as to avoid confusion, it makes sense to check group membership before attempting to make and changes. + The getent group will list UNIX/Linux group membership. UNIX/Linux group members are + seen also as members of a Windows group that has been mapped using the net groupmap + command (see ). The following list of UNIX/Linux group membership shows + that the user ajt is a member of the UNIX/Linux group Engineers. + +&rootprompt; getent group +... +Domain Admins:x:512:root +Domain Users:x:513:jht,lct,ajt,met,vlendecke +Domain Guests:x:514: +Print Operators:x:550: +Backup Operators:x:551: +Replicator:x:552: +Domain Computers:x:553: +Engineers:x:1000:jht,ajt + + The UNIX/Linux groups have been mapped to Windows groups, as is shown here: + +&rootprompt; net groupmap list +Domain Admins (S-1-5-21-72630-412605-116429-512) -> Domain Admins +Domain Users (S-1-5-21-72630-412605-116429-513) -> Domain Users +Domain Guests (S-1-5-21-72630-412605-116429-514) -> Domain Guests +Print Operators (S-1-5-21-72630-412605-116429-550) -> Print Operators +Backup Operators (S-1-5-21-72630-412605-116429-551) -> Backup Operators +Replicator (S-1-5-21-72630-412605-116429-552) -> Replicator +Domain Computers (S-1-5-21-72630-412605-116429-553) -> Domain Computers +Engineers (S-1-5-21-72630-412605-116429-3001) -> Engineers + + - + + Given that the user ajt is already a member of the UNIX/Linux group, and via the + group mapping, a member of the Windows group, an attempt to add this account again should fail. 
This is + demonstrated here: + +merlin:~ # net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot%not24get +Could not add ajt to MIDEARTH\Engineers: NT_STATUS_MEMBER_IN_GROUP + + This showns that the group mapping between UNIX/Linux groups and Windows groups is effective and + transparent. + + + + To permit the user ajt to be added using the net rpc group utility + this account must first be removed. The removal, and confirmation of its effect is shown here: + +&rootprompt; net rpc group delmem "MIDEARTH\Engineers" ajt -Uroot%not24get +&rootprompt; getent group Engineers +Engineers:x:1000:jht +&rootprompt; net rpc group members Engineers -Uroot%not24get +MIDEARTH\jht + + In this example both at the UNIX/Linux system level, the group no longer has the ajt + as a member. The above also shows this to be the case for Windows group membership. + + + + The account is now added again, using the net rpc group utility: + +&rootprompt; net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot%not24get +&rootprompt; getent group Engineers +Engineers:x:1000:jht,ajt +&rootprompt; net rpc group members Engineers -Uroot%not24get +MIDEARTH\jht +MIDEARTH\ajt + + + + + In this example the members of the Windows Domain Users account is validated using + the net rpc group utility. Note that this contents of the UNIX/Linux group was shown + 4 paragraphs earlier. The Windows (domain) group membership is shown here: + +&rootprompt; net rpc group members "Domain Users" -Uroot%not24get +MIDEARTH\jht +MIDEARTH\lct +MIDEARTH\ajt +MIDEARTH\met +MIDEARTH\vlendecke + + The example shown here is an express example that Windows group names are treated by Samba (as with + MS Windows) in a case insensitive manner: + +&rootprompt; net rpc group members "DomAiN USerS" -Uroot%not24get +MIDEARTH\jht +MIDEARTH\lct +MIDEARTH\ajt +MIDEARTH\met +MIDEARTH\vlendecke + + + + + An attempt to specify the group name as MIDEARTH\Domain Users in place of + just simply Domain Users will fail. 
The default behavior of the net rpc group + is to direct the command at the local machine. The Windows group is treated as being local to the machine. + If it is necessary to query another machine, its name can be specified using the -S + servername parameter to the net command. + + + + + Nested Group Support @@ -300,26 +444,69 @@ DOM\jht - Nest group members can be removed (deleted) as shown here: + Nested group members can be removed (deleted) as shown here: &rootprompt; net rpc group delmem demo "DOM\jht" -Uroot%not24get - + + + + + + UNIX and Windows User Management + + + Every Windows network user account must be translated to a UNIX/Linux user account. In actual fact, + the only account information the UNIX/Linux Samba server needs is a UID. The UID is available either + from a system (POSIX) account, or from a pool (range) of UID numbers that is set aside for the purpose + of being allocated for use by Windows user accounts. In the case of the UID pool, the UID for a + particular user will be allocated by windbindd. + + + + Although this is not the appropriate place to discuss the facility, + this interface is an important method of mapping a Windows user account to a UNIX account that has a + different name. Refer to the man page for the &smb.conf; file for more information regarding this + facility. User name mappings can not be managed usinf the net utility. + + + + Adding User Accounts + + + - UNIX and Windows User Management + Deletion of User Accounts - Put somethings useful here man!!!!!! + Modification of User Accounts + + + + + + + + User Mapping + + + + + + + + + Administering User Rights and Privileges @@ -396,16 +583,16 @@ SeDiskOperatorPrivilege - + - + Managing Trust Relationships Document how to set up trusts here!!!!!!!!!!! - + Machine Trust Accounts 
@@ -415,36 +602,36 @@ Join to 'MIDEARTH' is OK - + - + Inter-Domain Trusts Document how to set up trusts here!!!!!!!!!!! - - - + + + Managing Security Identifiers (SIDS) Document how to set up trusts here!!!!!!!!!!! - + - + Share Management Document how to set up trusts here!!!!!!!!!!! - + Creating, Editing, and Removing Shares @@ -501,17 +688,17 @@ kyocera - + - + Creating and Changing Share ACLs - + - + Share, Directory and File Migration @@ -553,7 +740,23 @@ kyocera server (or domain) as well as the processes on which the migration is critically dependant. - + + There are two known limitations to the migration process: + + + + + The net command requires that the user credentials provided exist both + on the migration source and the migration target. + + + + Printer settings may not be fully or incorrectly migrated. This might in particular happen + when migrating a Windows 2003 print server to Samba. + + + + Share Migration @@ -608,9 +811,9 @@ net rpc share MIGRATE SHARES <sharename> -S <source> are not migrated by the steps covered up to this point. - + - + File and Directory Migration @@ -691,9 +894,9 @@ net rpc share MIGRATE FILES <sharename> -S <source> will be owned by the user account administrator. - + - + Simultaneous Share and File Migration 
@@ -713,111 +916,144 @@ net rpc share MIGRATE ALL <sharename> -S <source> This will generate a complete server clone of the w2k3server server. - - - + + + Printer Migration - - -Migrating printers ------------------------------------------------------------ + + The installation of a new server, as with the migration to a new network environment, often has similarity + to the building of a house; progress is very rapid from the laying of foundations up to the stage at which + the the house can be locked-up, but the finishing off appears to take longer and longer as building + approaches completion. + -net rpc printer MIGRATE PRINTERS [printer] [misc. options] [targets] - migrates printers from remote to local server + + Printing needs vary greatly depending on the network environment, and may be very simple or complex. If + the need is very simple the best solution to the implementation of printing support may well be to + re-install everything from a clean slate instead of migrating older configurations. On the other hand, + a complex network that is integrated with many international offices and a multiplexity of local branch + offices, each of which form an inter-twined maze of printing possibilities, the ability to migrate all + printer configurations is decidedly beneficial. To manually re-establish a complex printing network + will take much time and frustration. Often-times it will not be possible to find driver files that are + currently in use thus necessitating the installation of newer drivers. Newer drivers often implement + printing features that will necessitate a change in the printer usage. Additionally, with very complex + printer configurations it becomes almost impossible to re-create the same environment - not matter + how extensivly it has been documented. 
+ + + The migration of an existing printing architecture involves the following: + -Migrating printer-drivers ------------------------------------------------------------ + + Establishment of print queues. -net rpc printer MIGRATE DRIVERS [printer] [misc. options] [targets] - migrates printer-drivers from remote to local server + Installation of printer drivers (both for the print server and for Windows clients. + Configuration of printing forms. -Migrating printer-forms ------------------------------------------------------------ + Implementation of security settings. -net rpc printer MIGRATE FORMS [printer] [misc. options] [targets] - migrates printer-forms from remote to local server + Configuration of printer settings. + + + The Samba net utility permits printer migration from one Windows print server + to another. When this tool is used to migrate printers to a Samba server smbd, + the application the receives the network requests to create the necessary services, must call-out + to the operating system in order to create the underlying printers. The call-out is implemented + by way of an interface script that can be specified by the &smb.conf; file parameter + . This script is essential to the migration process. + A suitable example script may be obtained from the $SAMBA_SOURCES/examples/scripts + directory. Take note that this script must be customized to suit the operating system environment + and may use its tools to create a print queue. + -Migrating printer security-settings ------------------------------------------------------------ + + Each of the components listed above can be completed separately, or they can be completed as part of an + automated operation. Many network administrators prefer to deal with migration issues in a manner that + gives them the most control, particularly when things go wrong. The syntax for each operation will now + be briefly described. + + + Printer migration from a Windows print server (NT4 or 200X) is shown. 
This instruction causes the + printer share to be created together with the underlying print queue: + +net rpc printer MIGRATE PRINTERS [printer] [misc. options] [targets] + + Printer drivers can be migrated from the Windows print server to the Samba server using this + command line instruction: + +net rpc printer MIGRATE DRIVERS [printer] [misc. options] [targets] + + Printer forms can be migrated with the following operation: + +net rpc printer MIGRATE FORMS [printer] [misc. options] [targets] + + Printer security settings (ACLs) can be migrated from the Windows server to the Samba server using this command: + net rpc printer MIGRATE SECURITY [printer] [misc. options] [targets] - migrates printer-ACLs from remote to local server - - -Migrating printer-settings ------------------------------------------------------------ - + + Printer configuration settings include factors such as paper size, default paper orientation, etc. + These can be migrated from the Windows print server to the Samba server with this command: + net rpc printer MIGRATE SETTINGS [printer] [misc. options] [targets] - migrates printer-settings from remote to local server - - -Migrating printers including all the above mentioned sets of information ------------------------------------------------------------ + + + + Migration of printers including all the above mentioned sets of information may be completed + with a single command using this syntax: + net rpc printer MIGRATE ALL [printer] [misc. options] [targets] - migrates drivers, forms, queues, settings and acls from - remote to local print-server - - - -Known Limitations ------------------------------------------------------------ - -* net requires that the given credentials exist both on the migration source - and the migration target. - -* printer-settings may not be fully or incorrectly migrated. This might in - particular happen when migrating a Windows 2003 print-server to Samba. 
- - - + + + Controlling Open Files Document how to set up trusts here!!!!!!!!!!! - + - + Session and Connection Management Document how to set up trusts here!!!!!!!!!!! - + - + Printers and ADS Document how to set up trusts here!!!!!!!!!!! - + - + Manipulating the Samba Cache Document how to set up trusts here!!!!!!!!!!! - + - + Other Miscellaneous Operations @@ -832,8 +1068,6 @@ Num local groups: 0 - - -- cgit
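Review bot: In the hunk at @@ -73,26 +74,53 @@ the new "UNIX and Windows Group Management" text has three wording defects: "Sambas' net tool" should read "Samba's net tool", "adminstrative" should read "administrative", and "permit file permission to be set for a group account" should read "permit file permissions to be set". The opening sentence "This documentation is not exhaustive, and thus it is incomplete" says the same thing twice; keep "This documentation is not exhaustive" and drop the rest.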
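Review bot: In the hunk at @@ -177,6 +205,14 @@ the added paragraph has a number-agreement error: "All file system (file and directory) access controls ... is implemented using a UID/GID identity tuple" should read "are implemented". Also spell "over-ride" as "override", and drop the stray "must" in "it is necessary that all Windows networking operations ... must provide a mechanism", since "it is necessary that ... provide" already carries the obligation.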
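Review bot: The hunk at @@ -208,15 +244,18 @@ replaces the only worked example of removing a mapping, "&rootprompt; net groupmap delete ntgroup=", with the local-group example "&rootprompt; net groupmap add ntgroup=Pixies unixgroup=pixies type=l", so the chapter no longer shows how a group mapping is deleted; keep the delete example and move it under the "Deleting a Group Account" section that follows. The new example should also state that the UNIX group pixies must already exist before the mapping is added, and the closing sentence "Local groups can be used with Samba to enable multiple nested group support" is too vague to act on; either say what "multiple nested group support" means or point the reader to the "Nested Group Support" section later in this chapter.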
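Review bot: In the hunk at @@ -250,20 +290,124 @@ every new example embeds the root password on the command line, "net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot%not24get", which the shell history and process listings of other users on the host expose; documentation should show "-U root" and let the tool prompt for the password, or at least say why the %password form is inappropriate outside a demonstration. The first of these examples also uses the literal prompt "merlin:~ #" where every other example on the page uses the &rootprompt; entity. Prose fixes in the same hunk: "before attempting to make and changes" should read "any changes", "This showns that" should read "This shows that", "the members of the Windows Domain Users account is validated" should read "are validated", "Note that this contents" should read "the contents", and "In this example both at the UNIX/Linux system level, the group no longer has the ajt as a member" needs rewriting, for example "At the UNIX/Linux level the group no longer has ajt as a member, and the net rpc output shows the same for the Windows group". The cross reference "shown 4 paragraphs earlier" will break as soon as the text is edited; use an xref to the getent group listing instead.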
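Review bot: In the hunk at @@ -300,26 +444,69 @@ the daemon name is misspelt: "the UID for a particular user will be allocated by windbindd" should read "winbindd", and "can not be managed usinf the net utility" should read "cannot be managed using". The four new sections "Adding User Accounts", "Deletion of User Accounts", "Modification of User Accounts" and "User Mapping" are added with a title and no body; a DocBook section with no content after its title will not validate, so either give each at least a placeholder paragraph, as the other unfinished sections on this page do, or leave them out until they are written.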
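Review bot: In the hunk at @@ -553,7 +740,23 @@ the second limitation, "Printer settings may not be fully or incorrectly migrated", does not parse; suggest "Printer settings may be migrated incompletely or incorrectly". The first limitation should say what happens when the credentials do not exist on both sides (the operation fails on the side that rejects them), since that is the symptom an administrator will hit.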
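Review bot: In the hunk at @@ -713,111 +916,144 @@ the list item "Installation of printer drivers (both for the print server and for Windows clients." is missing its closing parenthesis, and the sentence "The Samba net utility permits printer migration from one Windows print server to another" contradicts the rest of the section, which describes migration to a Samba server; say "from a Windows print server to a Samba server". The command syntax lines, for example "net rpc printer MIGRATE PRINTERS [printer] [misc. options] [targets]", no longer say where the source server goes, whereas the share migration section above writes "net rpc share MIGRATE FILES <sharename> -S <source>"; show "-S <source>" in the printer commands for consistency. Typos in the same hunk: "the the house", "multiplexity" (use "multiplicity"), "inter-twined", "Often-times", "not matter how extensivly" (should read "no matter how extensively"), "the application the receives" (should read "that receives"), and "call-out" (use "call out" as a verb).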