From 83a17815a7689f1f6f7ca57161a0e804277c75f9 Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Sun, 20 Jun 2004 12:43:16 +0000
Subject: New structure for the docs:
- Same name for a doc everywhere (howto -> Samba-HOWTO-Collection, etc)
- Shorter and more clearly structured Makefile
- Make it possible to change the paths for the images
(This used to be commit 96f6c05f25acc8a9bb1977b8bd5cc97ce511b6b1)
---
 docs/Samba-HOWTO-Collection/Group-Mapping.xml | 677 ++++++++++++++++++++++++++
 1 file changed, 677 insertions(+)
 create mode 100644 docs/Samba-HOWTO-Collection/Group-Mapping.xml
(limited to 'docs/Samba-HOWTO-Collection/Group-Mapping.xml')
diff --git a/docs/Samba-HOWTO-Collection/Group-Mapping.xml b/docs/Samba-HOWTO-Collection/Group-Mapping.xml
new file mode 100644
index 0000000000..7197b12a21
--- /dev/null
+++ b/docs/Samba-HOWTO-Collection/Group-Mapping.xml
@@ -0,0 +1,677 @@ + + + + %global_entities; + +]> + + + + &author.jht; + + Jean FrançoisMicouleau + + &author.jerry; + +Group Mapping &smbmdash; MS Windows and UNIX + + + +groupsmapping + Starting with Samba-3, new group mapping functionality is available to create associations + between Windows group SIDs and UNIX groups. The groupmap subcommand + included with the &net; tool can be used to manage these associations. + + + + The new facility for mapping NT Groups to UNIX system groups allows the administrator to decide + which NT Domain Groups are to be exposed to MS Windows clients. Only those NT Groups that map + to a UNIX group that has a value other than the default (-1) will be exposed + in group selection lists in tools that access domain users and groups. + + + + + domain admin group + The domain admin group parameter has been removed in Samba-3 and should no longer + be specified in &smb.conf;. In Samba-2.2.x, this parameter was used to give the listed users membership in the + Domain Admins Windows group which gave local admin rights on their workstations + (in default configurations). + + + + +Features and Benefits + + + Samba allows the administrator to create MS Windows NT4/200x group accounts and to + arbitrarily associate them with UNIX/Linux group accounts. + + + +UID +GID + Group accounts can be managed using the MS Windows NT4 or MS Windows 200x/XP Professional MMC tools. + Appropriate interface scripts should be provided in &smb.conf; if it is desired that UNIX/Linux system + accounts should be automatically created when these tools are used. In the absence of these scripts, and + so long as winbindd is running, Samba group accounts that are created using these + tools will be allocated UNIX UIDs/GIDs from the ID range specified by the + idmap uid/idmap gid + parameters in the &smb.conf; file. + + +
IDMAP: group SID to GID resolution. + + + + +
+ +
IDMAP: GID resolution to matching SID. + + + + +
+ + + In both cases, when winbindd is not running, only locally resolvable groups can be recognized. Please refer to + IDMAP: group SID to GID resolution and IDMAP: GID resolution to matching SID. + The net groupmap is + used to establish UNIX group to NT SID mappings as shown in IDMAP: storing group mappings. + + +
IDMAP storing group mappings. + + + + +
+ + + + groupadd + groupdel + Administrators should be aware that where &smb.conf; group interface scripts make + direct calls to the UNIX/Linux system tools (the shadow utilities, groupadd, + groupdel, and groupmod), the resulting UNIX/Linux group names will be subject + to any limits imposed by these tools. If the tool does not allow upper case characters + or space characters, then the creation of an MS Windows NT4/200x style group of + Engineering Managers will attempt to create an identically named + UNIX/Linux group, an attempt that will of course fail. + + + + + + GID + SID + There are several possible work-arounds for the operating system tools limitation. One + method is to use a script that generates a name for the UNIX/Linux system group that + fits the operating system limits, and that then just passes the UNIX/Linux group ID (GID) + back to the calling Samba interface. This will provide a dynamic work-around solution. + + + + Another work-around is to manually create a UNIX/Linux group, then manually create the + MS Windows NT4/200x group on the Samba server and then use the net groupmap + tool to connect the two to each other. + + +
+ + +Discussion + + + When installing MS Windows NT4/200x on a computer, the installation + program creates default users and groups, notably the Administrators group, + and gives that group privileges necessary privileges to perform essential system tasks, + such as the ability to change the date and time or to kill (or close) any process running on the + local machine. + + + + Administrator + The Administrator user is a member of the Administrators group, and thus inherits + Administrators group privileges. If a joe user is created to be a member of the + Administrators group, joe has exactly the same rights as the user, + Administrator. + + + + When an MS Windows NT4/200x/XP machine is made a Domain Member, the Domain Admins group of the + PDC is added to the local Administrators group of the workstation. Every member of the + Domain Administrators group inherits the rights of the local Administrators group when + logging on the workstation. + + + + The following steps describe how to make Samba PDC users members of the Domain Admins group? + + + + + Create a UNIX group (usually in /etc/group), let's call it domadm. + + + + Add to this group the users that must be Administrators. For example, + if you want joe, john and mary to be administrators, + your entry in /etc/group will look like this: + + + + domadm:x:502:joe,john,mary + + + + + Map this domadm group to the Domain Admins group by running the command: + + + + + &rootprompt;net groupmap add ntgroup=Domain Admins unixgroup=domadm + + + + + Domain Admins group + The quotes around Domain Admins are necessary due to the space in the group name. + Also make sure to leave no white-space surrounding the equal character (=). + + + + + Now joe, john and mary are domain administrators. + + + + groupsdomain + It is possible to map any arbitrary UNIX group to any Windows NT4/200x group as well as + making any UNIX group a Windows domain group. 
For example, if you wanted to include a + UNIX group (e.g., acct) in an ACL on a local file or printer on a Domain Member machine, + you would flag that group as a domain group by running the following on the Samba PDC: + + + + +&rootprompt;net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct + + + + + Be aware that the RID parameter is a unsigned 32-bit integer that should + normally start at 1000. However, this RID must not overlap with any RID assigned + to a user. Verification for this is done differently depending on the passdb backend + you are using. Future versions of the tools may perform the verification automatically, + but for now the burden is on you. + + + + Important Administrative Information + + + Administrative rights are necessary in two specific forms: + + + + For Samba-3 Domain Controllers and + Domain Member Servers/Clients. + To manage Domain Member Windows workstations. + + + + Administrative tasks on UNIX/Linux systems, such as adding users or groups, requires root + level privilege. The addition of a Windows client to a Samba Domain involves the addition of a user account + for the Windows client. + + + + Many UNIX administrators continue to request the Samba Team make it possible to add Windows workstations, or + to ability to add/delete or modify user accounts, without requiring root privileges. + Such a request violates every understanding of basic UNIX system security. + + + + There is no safe way to provide access on a UNIX/Linux system without providing root + level privilege. Provision of root privileges can be done either by logging onto + the Domain as the user root, or by permitting particular users to use a UNIX account + that is a member of the UNIX group that has a GID=0 as the primary group in the /etc/passwd + database. Users of such accounts can use tools like the NT4 Domain User Manager, and the NT4 Domain Server + Manager to manage user and group accounts as well as Domain Member server and client accounts. 
This level + of privilege is also needed to manage share level ACLs. + + + + Administrative tasks on a Windows Domain Member workstation, can be done by anyone who is a member of the + Domain Admins group. This group can be mapped to any convenient UNIX group. + + + + + + Default Users, Groups and Relative Identifiers + + +Relative IdentifierRID +RID + When first installed, Microsoft Windows NT4/200x/XP are pre-configured with certain User, Group, and + Alias entities. Each has a well-known Relative Identifier (RID). These must be preserved for continued + integrity of operation. Samba must be provisioned with certain essential Domain Groups that require + the appropriate RID value. When Samba-3 is configured to use tdbsam the essential + Domain Groups are automatically created. It is the LDAP administrators' responsibility to create + (provision) the default NT Groups. + + + + Each essential Domain Group must be assigned its respective well-known RID. The default Users, Groups, + Aliases, and RIDs are shown in Well-Known User Default RIDs table. + + + + When the passdb backend uses LDAP (ldapsam) it is the + administrators' responsibility to create the essential Domain Groups, and to assign each its default RID. + + + + It is permissible to create any Domain Group that may be necessary, just make certain that the essential + Domain Groups (well known) have been created and assigned its default RID. Other groups you create may + be assigned any arbitrary RID you care to use. + + + + Be sure to map each Domain Group to a UNIX system group. That is the only way to ensure that the group + will be available for use as an NT Domain Group. 
+ + + + + Well-Known User Default RIDs + + + + + + + + Well-Known Entity + RID + Type + Essential + + + + + Domain Administrator + 500 + User + No + + + Domain Guest + 501 + User + No + + + Domain KRBTGT + 502 + User + No + + + Domain Admins + 512 + Group + Yes + + + Domain Users + 513 + Group + Yes + + + Domain Guests + 514 + Group + Yes + + + Domain Computers + 515 + Group + No + + + Domain Controllers + 516 + Group + No + + + Domain Certificate Admins + 517 + Group + No + + + Domain Schema Admins + 518 + Group + No + + + Domain Enterprise Admins + 519 + Group + No + + + Domain Policy Admins + 520 + Group + No + + + Builtin Admins + 544 + Alias + No + + + Builtin users + 545 + Alias + No + + + Builtin Guests + 546 + Alias + No + + + Builtin Power Users + 547 + Alias + No + + + Builtin Account Operators + 548 + Alias + No + + + Builtin System Operators + 549 + Alias + No + + + Builtin Print Operators + 550 + Alias + No + + + Builtin Backup Operators + 551 + Alias + No + + + Builtin Replicator + 552 + Alias + No + + + Builtin RAS Servers + 553 + Alias + No + + + +
+
+ +
+ + + Example Configuration + + + You can list the various groups in the mapping database by executing + net groupmap list. Here is an example: + + +netgroupmap + + + +&rootprompt; net groupmap list +Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin +Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser +Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest + + + + + For complete details on net groupmap, refer to the net(8) man page. + + + + +
+ + +Configuration Scripts + + + Everyone needs tools. Some of us like to create our own, others prefer to use canned tools + (i.e., prepared by someone else for general use). + + + + Sample &smb.conf; Add Group Script + + + A script to create complying group names for use by the Samba group interfaces + is provided in smbgrpadd.sh. + + +smbgrpadd.sh + + + smbgrpadd.sh + + +#!/bin/bash + +# Add the group using normal system groupadd tool. +groupadd smbtmpgrp00 + +thegid=`cat /etc/group | grep ^smbtmpgrp00 | cut -d ":" -f3` + +# Now change the name to what we want for the MS Windows networking end +cp /etc/group /etc/group.bak +cat /etc/group.bak | sed "s/^smbtmpgrp00/$1/g" > /etc/group + +# Now return the GID as would normally happen. +echo $thegid +exit 0 + + + + + + The &smb.conf; entry for the above script would be something like that in the following example. + +Configuration of &smb.conf; for the add group script. +[global] +... +add group script/path_to_tool/smbgrpadd.sh "%g" +... + + + + + + + Script to Configure Group Mapping + + + In our example we have created a UNIX/Linux group called ntadmin. + Our script will create the additional groups Orks, Elves, and Gnomes. + It is a good idea to save this shell script for later re-use just in case you ever need to rebuild your mapping database. + For the sake of convenience we elect to save this script as a file called initGroups.sh. + This script is given in intGroups.sh. 
+ + + +initGroups.sh + + Script to Set Group Mapping + +#!/bin/bash + +net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmin +net groupmap modify ntgroup="Domain Users" unixgroup=users +net groupmap modify ntgroup="Domain Guests" unixgroup=nobody + +groupadd Orks +groupadd Elves +groupadd Gnomes + +net groupmap add ntgroup="Orks" unixgroup=Orks type=d +net groupmap add ntgroup="Elves" unixgroup=Elves type=d +net groupmap add ntgroup="Gnomes" unixgroup=Gnomes type=d + + + + + + Of course it is expected that the administrator will modify this to suit local needs. + For information regarding the use of the net groupmap tool please + refer to the man page. + + + + + + + +Common Errors + + +At this time there are many little surprises for the unwary administrator. In a real sense +it is imperative that every step of automated control scripts must be carefully tested +manually before putting them into active service. + + + + Adding Groups Fails + + + This is a common problem when the groupadd is called directly + by the Samba interface script for the add group script in + the &smb.conf; file. + + + + The most common cause of failure is an attempt to add an MS Windows group account + that has either an upper case character and/or a space character in it. + + + + There are three possible work-arounds. First, use only group names that comply + with the limitations of the UNIX/Linux groupadd system tool. + Second, it involves the use of the script mentioned earlier in this chapter, and + third is the option is to manually create a UNIX/Linux group account that can substitute + for the MS Windows group name, then use the procedure listed above to map that group + to the MS Windows group. + + + + + + Adding MS Windows Groups to MS Windows Groups Fails + + groupsnested + + + Samba-3 does not support nested groups from the MS Windows control environment. 
+ + + + + + Adding <emphasis>Domain Users</emphasis> to the <emphasis>Power Users</emphasis> Group + + + What must I do to add Domain Users to the Power Users group? + + +Domain Users group + + + The Power Users group is a group that is local to each Windows 200x/XP Professional workstation. + You cannot add the Domain Users group to the Power Users group automatically, it must be done on + each workstation by logging in as the local workstation administrator and + then using the following procedure: + + + + + Click Start -> Control Panel -> Users and Passwords. + + + + Click the Advanced tab. + + + + Click the Advanced button. + + + + Click Groups. + + + + Double click Power Users. This will launch the panel to add users or groups + to the local machine Power Uses group. + + + + Click the Add button. + + + + Select the domain from which the Domain Users group is to be added. + + + + Double click the Domain Users group. + + + + Click the Ok button. If a logon box is presented during this process + please remember to enter the connect as DOMAIN\UserName. i.e., For the + domain MIDEARTH and the user root enter + MIDEARTH\root. + + + + + + +
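Review bot: the sample smbgrpadd.sh in the Configuration Scripts section takes the Windows group name passed in as "%g" and substitutes it, unvalidated, into a sed expression and from there into /etc/group (`cat /etc/group.bak | sed "s/^smbtmpgrp00/$1/g" > /etc/group`); a name containing `/`, `&`, `:` or a newline will either break the sed command or write a malformed line into /etc/group, and because the script is invoked by smbd as root for any name a Domain Admin types into the MMC tools, the document should at least have the script reject names containing those characters before the rewrite. The same block has three smaller problems worth fixing in the sample: the temporary name smbtmpgrp00 is hard-coded, so two concurrent add-group calls collide; `grep ^smbtmpgrp00` also matches a pre-existing smbtmpgrp001 (anchor it as `grep "^smbtmpgrp00:"`); and /etc/gshadow is never updated, so the renamed group keeps its old name there. A per-invocation temporary name (e.g. smbtmpgrp$$), the anchored grep and a check that groupadd actually succeeded before `echo $thegid` would make the example safe to copy. Minor text nits in the same hunk: "gives that group privileges necessary privileges" duplicates a word, the sentence introducing the Domain Admins steps ends in a question mark, "This script is given in intGroups.sh" should read initGroups.sh, "third is the option is to" is garbled, and "Power Uses group" should be "Power Users group".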