From 147e2a82531b68b8964defe0ebd26f62d7531027 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 28 Aug 2002 08:43:04 +0000 Subject: Adding new series of text-to-sgml converted files. Removed OS2-Client-HOWTO and put it into Other-Clients.sgml (This used to be commit 076f34af8e5af7fb2d07b724522ef77f33559c82) --- docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml | 78 +++++++++++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml (limited to 'docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml') diff --git a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml new file mode 100644 index 0000000000..6d5a019fcb --- /dev/null +++ b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml 
@@ -0,0 +1,78 @@ + + + + Jean FrançoisMicouleau + + + +Group mapping HOWTO + + +Starting with Samba 3.0 alpha 2, a new group mapping function is available. The +current method (likely to change) to manage the groups is a new command called +smbgroupedit. + + + +The first immediate reason to use the group mapping on a PDC, is that +the domain admin group of smb.conf is +now gone. This parameter was used to give the listed users local admin rights +on their workstations. It was some magic stuff that simply worked but didn't +scale very well for complex setups. + + + +Let me explain how it works on NT/W2K, to have this magic fade away. +When installing NT/W2K on a computer, the installer program creates some users +and groups. Notably the 'Administrators' group, and gives to that group some +privileges like the ability to change the date and time or to kill any process +(or close too) running on the local machine. The 'Administrator' user is a +member of the 'Administrators' group, and thus 'inherit' the 'Administrators' +group privileges. If a 'joe' user is created and become a member of the +'Administrator' group, 'joe' has exactly the same rights as 'Administrator'. + + + +When a NT/W2K machine is joined to a domain, during that phase, the "Domain +Administrators' group of the PDC is added to the 'Administrators' group of the +workstation. Every members of the 'Domain Administrators' group 'inherit' the +rights of the 'Administrators' group when logging on the workstation. + + + +You are now wondering how to make some of your samba PDC users members of the +'Domain Administrators' ? That's really easy. + + + +create a unix group (usually in /etc/group), let's call it domadm +add to this group the users that must be Administrators. 
For example if you want joe,john and mary, your entry in /etc/group will look like: + + +domadm:x:502:joe,john,mary + + + + +Map this domadm group to the domain admins group by running the command: + +smbgroupedit -c "Domain Admins" -u domadm + + + +You're set, joe, john and mary are domain administrators ! + + +Like the Domain Admins group, you can map any arbitrary Unix group to any NT +group. You can also make any Unix group a domain group. For example, on a domain +member machine (an NT/W2K or a samba server running winbind), you would like to +give access to a certain directory to some users who are member of a group on +your samba PDC. Flag that group as a domain group by running: + + +smbgroupedit -a unixgroup -td + +You can list the various groups in the mapping database like this +smbgroupedit -v + + -- cgit
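Review bot: The group being mapped is named inconsistently across the added text: the NT/W2K paragraphs call it 'Domain Administrators' (once with mismatched quotes, as `"Domain Administrators'`), while the mapping step runs `smbgroupedit -c "Domain Admins" -u domadm`. Use the name the command takes throughout so the prose and the command agree. In the same way, 'joe' is said to become a member of the 'Administrator' group where the local 'Administrators' group is meant. Because the text explains that this domain group is added to the local 'Administrators' group of every joined workstation, the domadm step should also state that membership in that /etc/group entry now grants administrator rights on all domain workstations, and should point to `smbgroupedit -v` as the check to run after mapping. The `-td` option in `smbgroupedit -a unixgroup -td` is used without explanation, so add a sentence saying what it selects. Smaller wording fixes: "(or close too)" should read "close to", "Every members" should be "Every member", and the last sentence needs a colon before `smbgroupedit -v`.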