From dece1b9f141edaa7dd61f0125e6e7177fdde500c Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Wed, 22 Jun 2005 06:43:16 +0000 Subject: Another update. (This used to be commit 32c764343daa5ae8dd7af79982e7d914491b86aa) --- docs/Samba3-HOWTO/TOSHARG-TheNetCommand.xml | 43 ++++++++++++++++++++++++++++- 1 file changed, 42 insertions(+), 1 deletion(-) diff --git a/docs/Samba3-HOWTO/TOSHARG-TheNetCommand.xml b/docs/Samba3-HOWTO/TOSHARG-TheNetCommand.xml index 807a3c84a2..b097e05cd0 100644 --- a/docs/Samba3-HOWTO/TOSHARG-TheNetCommand.xml +++ b/docs/Samba3-HOWTO/TOSHARG-TheNetCommand.xml 
@@ -178,6 +178,32 @@ the infliction of self-induced pain, agony, and desperation. Be warned: this is Adding, Renaming, or Deletion of Group Accounts + + Samba provides file and print services to Windows clients. The file system resources it makes available + to the Windows environment must, of necessity, be provided in a manner that is compatible with the + Windows networking environment. UNIX groups are created and deleted as required to serve operational + needs in the UNIX operating system and its file systems. + + + + In order to make available to the Windows environment Samba has a facility by which UNIX groups can + be mapped to a logical entity, called a Windows (or domain) group. Samba supports two types of Windows + groups, local and global. Global groups can contain as members, global users. This membership is + affected in the normal UNIX manner, but adding UNIX users to UNIX groups. Windows user accounts consist + of a mapping between a user SambaSAMAccount (logical entity) and a UNIX user account. Therefore, + a UNIX user is mapped to a Windows user (i.e., is given a Windows user account and password) and the + UNIX groups to which that user belongs, is mapped to a Windows group account. The result is that in + the Windows account environment that user is also a member of the Windows group account by virtue + of UNIX group memberships. + + + + The following sub-sections that deal with management of Windows groups demonstrates the relationship + between the UNIX group account and its members to the respective Windows group accounts. It goes on to + show how UNIX group members automatically pass-through to Windows group membership as soon as a logical + mapping has been created. + + Adding or Creating a New Group 
@@ -185,6 +211,7 @@ the infliction of self-induced pain, agony, and desperation. Be warned: this is Before attempting to add a Windows group account, the currently available groups can be listed as shown here: netrpcgroup +netrpcgroup list &rootprompt; net rpc group list -Uroot%not24get Password: @@ -199,6 +226,7 @@ Engineers A Windows group account called SupportEngrs can be added by executing the following command: +netrpcgroup add &rootprompt; net rpc group add "SupportEngrs" -Uroot%not24get @@ -316,11 +344,17 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs &rootprompt; net groupmap add ntgroup="EliteEngrs" unixgroup=Engineers type=d + Supported mapping types are 'd' (domain global) and 'l' (domain local). A Windows group may be deleted, and then a new Windows group can be mapped to the UNIX group by executing these commands: &rootprompt; net groupmap delete ntgroup=Engineers &rootprompt; net groupmap add ntgroup=EngineDrivers unixgroup=Engineers type=d + The deletion and addition operations affected only the logical entities known as Windows groups, or domain + groups. These operations are inert to UNIX system groups, meaning that they neither delete nor create UNIX + system groups. The mapping of a UNIX group to a Windows group makes the UNIX group available as Windows + groups so that files and folders on domain member clients (workstations and servers) can be given + domain-wide access controls for domain users and groups. @@ -331,7 +365,9 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs &rootprompt; net groupmap add ntgroup=Pixies unixgroup=pixies type=l - Local groups can be used with Samba to enable multiple nested group support. + Supported mapping types are 'd' (domain global) and 'l' (domain local), a domain local group is Samba is + treated as local to the individual Samba serverr. Local groups can be used with Samba to enable multiple + nested group support. 
@@ -958,6 +994,11 @@ SeDiskOperatorPrivilege Machine Trust Accounts + + The net command looks in the &smb.conf; file to obtain its own configuration settings. Thus, the following + command 'know' which domain to join from the &smb.conf; file. + + A Samba server domain trust account can be validated as shown in this example: netrpctestjoin -- cgit
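Review bot: In the second added paragraph of the hunk at @@ -178,6 +178,32 @@, the sentence "In order to make available to the Windows environment Samba has a facility" has no object, so it never says what is being made available; "In order to make UNIX groups available to the Windows environment, Samba has a facility" reads as intended. In the same paragraph, "This membership is affected in the normal UNIX manner, but adding UNIX users to UNIX groups" should read "effected ... by adding", and "the UNIX groups to which that user belongs, is mapped" needs "are mapped". The paragraph names local and global groups but only says what global groups can contain; add the matching sentence for local groups or leave the distinction to the later section. In the third paragraph, "sub-sections ... demonstrates" should be "demonstrate". Because the text says UNIX group members pass through to Windows group membership as soon as a mapping exists, it would help to state that consequence for access control directly, so that an administrator reviews UNIX group membership before creating the mapping.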
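Review bot: The sentence "Supported mapping types are 'd' (domain global) and 'l' (domain local)." added in the hunk at @@ -316,11 +344,17 @@ is added a second time in the hunk at @@ -331,7 +365,9 @@; state it once and refer back to it. In the new closing paragraph of this hunk, "The deletion and addition operations affected only" switches tense against "These operations are inert" in the next sentence (use "affect only"), and "makes the UNIX group available as Windows groups" should be singular, "as a Windows group". Also worth checking while touching this text: the example just above maps ntgroup="EliteEngrs" to unixgroup=Engineers, but the delete command that follows uses ntgroup=Engineers, so the group being deleted is not the one the reader was just shown creating.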
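Review bot: The replacement text in the hunk at @@ -331,7 +365,9 @@ has three defects in one sentence: a comma splice after "'l' (domain local)", "a domain local group is Samba is treated" where "in Samba is treated" is meant, and the typo "serverr". Suggested wording: "Supported mapping types are 'd' (domain global) and 'l' (domain local). A domain local group in Samba is treated as local to the individual Samba server." The original sentence about nested group support can then stand unchanged after it.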
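Review bot: In the added paragraph of the hunk at @@ -958,6 +994,11 @@, "the following command 'know' which domain to join" has a verb agreement error ("knows"), and the scare quotes around the verb can be dropped. The sentence says the net command takes the domain from &smb.conf; but does not name the parameter it reads; naming it would let the reader verify the setting before running the command. The paragraph also speaks of which domain "to join", while the example it introduces validates an existing trust account (testjoin), so "which domain to use" would match the example better.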