From 6da6af84b7f278830b6bfe990c734d0de8b54f06 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Mon, 26 May 2003 21:34:19 +0000 Subject: An edit in progress. (This used to be commit bbed04b128d57b015fa15e6ba902577500b37160) --- docs/docbook/projdoc/GROUP-MAPPING-HOWTO.xml | 236 +++++++++++++++++---------- 1 file changed, 148 insertions(+), 88 deletions(-) (limited to 'docs/docbook/projdoc') diff --git a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.xml b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.xml index af6ddff9bf..480bb3df63 100644 --- a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.xml +++ b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.xml 
@@ -5,100 +5,160 @@ Jean FrançoisMicouleau &author.jerry; + &author.jht; - Configuring Group Mapping - -Starting with Samba 3.0 alpha 2, new group mapping functionality -is available to create associations between Windows SIDs and UNIX -groups. The groupmap subcommand included with -the net tool can be used to manage these associations. - - - -The first immediate reason to use the group mapping on a Samba PDC, is that -the domain admin group &smb.conf; has been removed. -This parameter was used to give the listed users membership in the "Domain Admins" -Windows group which gave local admin rights on their workstations (in -default configurations). - - - -When installing NT/W2K on a computer, the installer program creates some users -and groups. Notably the 'Administrators' group, and gives to that group some -privileges like the ability to change the date and time or to kill any process -(or close too) running on the local machine. The 'Administrator' user is a -member of the 'Administrators' group, and thus 'inherit' the 'Administrators' -group privileges. If a 'joe' user is created and become a member of the -'Administrator' group, 'joe' has exactly the same rights as 'Administrator'. - - - -When a NT/W2K machine is joined to a domain, the "Domain Adminis" group of the -PDC is added to the local 'Administrators' group of the workstation. Every -member of the 'Domain Administrators' group 'inherit' the -rights of the local 'Administrators' group when logging on the workstation. - - - -The following steps describe how to make samba PDC users members of the -'Domain Admins' group? - - - -create a unix group (usually in /etc/group), - let's call it domadm -add to this group the users that must be Administrators. 
For example - if you want joe,john and mary, your entry in /etc/group will - look like: - - - domadm:x:502:joe,john,mary - - - - -Map this domadm group to the "Domain Admins" group - by running the command: - - root# net groupmap add ntgroup="Domain Admins" unixgroup=domadm - - The quotes around "Domain Admins" are necessary due to the space in the group name. Also make - sure to leave no whitespace surrounding the equal character (=). - - - - -Now joe, john and mary are domain administrators! + + Starting with Samba-3, new group mapping functionality is available to create associations + between Windows group SIDs and UNIX groups. The groupmap subcommand + included with the &net; tool can be used to manage these associations. + + + + + The first immediate reason to use the group mapping on a Samba PDC, is that + the domain admin group has been removed and should no longer + be specified in &smb.conf;. This parameter was used to give the listed users membership + in the "Domain Admins" Windows group which gave local admin rights on their workstations + (in default configurations). + + + + +Features and Benefits + + + Stuff goes here. + + + + + +Discussion + + + When installing MS Windows NT4 / 200x on a computer, the installation program creates default + users and groups. Notably the 'Administrators' group, and gives to that group privileges necessary + privilidges to perform essential system tasks. eg: Ability to change the date and time or to + kill any process (or close too) running on the local machine. + + + + The 'Administrator' user is a member of the 'Administrators' group, and thus inherits + 'Administrators' group privileges. If a 'joe' user is created to be a member of the + 'Administrator' group, 'joe' has exactly the same rights as 'Administrator'. + + + + When an MS Windows NT4 / W200x is made a domain member, the "Domain Adminis" group of the + PDC is added to the local 'Administrators' group of the workstation. 
Every member of the + 'Domain Administrators' group inherits the rights of the local 'Administrators' group when + logging on the workstation. + + + + The following steps describe how to make samba PDC users members of the 'Domain Admins' group? + + + + + create a unix group (usually in /etc/group), let's call it domadm + + + add to this group the users that must be Administrators. For example + if you want joe,john and mary, your entry in /etc/group will + look like: + + + + domadm:x:502:joe,john,mary + + + + + Map this domadm group to the "Domain Admins" group by running the command: + + + + + &rootprompt;net groupmap add ntgroup="Domain Admins" unixgroup=domadm + + + + + The quotes around "Domain Admins" are necessary due to the space in the group name. + Also make sure to leave no whitespace surrounding the equal character (=). + + + + + Now joe, john and mary are domain administrators! + + + + It is possible to map any arbitrary UNIX group to any Windows NT4 / 200x group as well as + making any UNIX group a Windows domain group. For example, if you wanted to include a + UNIX group (e.g. acct) in a ACL on a local file or printer on a domain member machine, + you would flag that group as a domain group by running the following on the Samba PDC: + + + + + &rootprompt;net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct + + + + + Be aware that the RID parmeter is a unsigned 32 bit integer that should + normally start at 1000. However, this rid must not overlap with any RID assigned + to a user. Verifying this is done differently depending on on the passdb backend + you are using. Future versions of the tools may perform the verification automatically, + but for now the burden is on you. + + + + Example Configuration + + + You can list the various groups in the mapping database by executing + net groupmap list. 
Here is an example: + + + + &rootprompt; net groupmap list + System Administrators (S-1-5-21-2547222302-1596225915-2414751004-1002) -> sysadmin + Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin + Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser + Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest + + + + + For complete details on net groupmap, refer to the net(8) man page. + + + + + + + +Configuration Scripts + + + Everyone needs tools. Some of us like to create our own, others prefer to use canned tools + (ie: prepared by someone else for general use). + + + + + +Common Errors -It is possible to map any arbitrary UNIX group to any Windows NT -group as well as making any UNIX group a Windows domain group. -For example, if you wanted to include a UNIX group (e.g. acct) in a ACL on a -local file or printer on a domain member machine, you would flag -that group as a domain group by running the following on the Samba PDC: +There must be some stuff that can go here! -root# net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct - -Be aware that the rid parmeter is a unsigned 32 bit integer that should -normally start at 1000. However, this rid must not overlap with any RID assigned -to a user. Verifying this is done differently depending on on the passdb backend -you are using. Future versions of the tools may perform the verification automatically, -but for now the burden in on you. - -You can list the various groups in the mapping database by executing -net groupmap list. Here is an example: - -root# net groupmap list -System Administrators (S-1-5-21-2547222302-1596225915-2414751004-1002) -> sysadmin -Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin -Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser -Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest - - -For complete details on net groupmap, refer to the -net(8) man page. 
+ -- cgit
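Review bot: the first paragraph of the new "Discussion" section reads "gives to that group privileges necessary privilidges to perform essential system tasks", which duplicates the word and misspells it; suggest "gives that group the privileges necessary to perform essential system tasks". The same hunk carries over "Domain Adminis" (should be "Domain Admins", matching the name used in the `net groupmap add ntgroup="Domain Admins" unixgroup=domadm` example), "RID parmeter", "depending on on the passdb backend", and a question mark ending "...members of the 'Domain Admins' group?", which is a statement, not a question. On substance, the RID paragraph tells the reader that the value "must not overlap with any RID assigned to a user" and that "the burden is on you", but gives no procedure; since the `net groupmap list` output shows the group SID is the domain SID followed by the RID, a colliding value would give a group and a user the same SID, so the section should state how to enumerate existing user RIDs for each passdb backend before choosing one, or mark that as an open item. Finally, "Stuff goes here." and "There must be some stuff that can go here!" are placeholders in the Features and Benefits and Common Errors sections; acceptable for an edit in progress, but they should be replaced before this file goes into a release build.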