<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<chapter id="NetCommand">
<chapterinfo>
&author.jht;
<pubdate>May 9, 2005</pubdate>
</chapterinfo>
<title>Remote and Local Management &smbmdash; The Net Command</title>
<para>
The <command>net</command> command is one of the new features of Samba-3 and is an attempt to provide a single,
useful tool into which the majority of the remote management operations needed for common tasks have been
consolidated. The <command>net</command> tool is flexible by design and is intended for command-line use as well
as for scripted control applications.
</para>
<para>
Originally introduced with the intent to mimic the Microsoft Windows command of the same name, the
<command>net</command> command has grown into a very powerful instrument that has become an essential part
of the Samba network administrator's toolbox. The Samba Team had earlier introduced tools such as
<command>smbgroupedit</command> and <command>rpcclient</command>; the really useful parts of these have been
integrated into <command>net</command>. The <command>smbgroupedit</command> command was absorbed entirely into
<command>net</command>, while only some features of the <command>rpcclient</command> command have been
ported to it. Anyone who finds older references to these utilities and to the functionality they provided
should look at the <command>net</command> command before searching elsewhere.
</para>
<para>
A Samba-3 administrator cannot afford to gloss over this chapter, because to do so will almost certainly result
in self-inflicted pain, agony, and desperation. Be warned: this is an important chapter.
</para>
<sect1>
<title>Self-Defense Overview</title>
<para>
The tasks that follow the installation of a Samba-3 server, whether stand-alone, domain member, or domain
controller (PDC or BDC), begin with the need to create administrative rights. Of course, the creation of user
and group accounts is essential for both a stand-alone server and a PDC. In the case of a BDC or a domain
member server (DMS), domain user and group accounts are obtained from the central domain authentication
backend.
</para>
<para>
Regardless of the type of server being installed, local UNIX groups must be mapped to the Windows networking
domain global group accounts. Why? Because Samba always limits its access to the resources of the host server
by way of traditional UNIX UID/GID controls. This means that local groups must be mapped to domain global
groups so that domain users who are members of those global groups can be given access rights based on UIDs
and GIDs local to the server that is hosting Samba. Such mappings are implemented using the
<command>net</command> command.
</para>
<para>
A UNIX system that hosts a Samba-3 server running as a BDC or as a domain member server (DMS) must have a
machine security account in the domain authentication database (or directory). The creation of such security
(or trust) accounts is also handled using the <command>net</command> command.
</para>
<para>
The establishment of interdomain trusts is also achieved using the <command>net</command> command, as are a
plethora of typical administrative duties: user management, group management, share and printer management,
file and printer migration, security identifier management, and so on.
</para>
<para>
The overall picture should be clear by now: the <command>net</command> command plays a central role on the
Samba-3 stage, and that role will continue to be developed. The inclusion of this chapter is evidence of its
importance, one that has grown in complexity to the point that it is no longer considered prudent to cover
its use fully in the on-line UNIX man pages.
</para>
</sect1>
<sect1>
<title>Administrative Tasks And Methods</title>
<para>
Stuff goes here - this is a work in progress.
</para>
<sect2>
<title>UNIX and Windows Group Management</title>
<para>
More stuff.
</para>
<sect3>
<title>Adding, Renaming, or Deletion of Group Accounts</title>
<sect4>
<title>Adding or Creating a New Group</title>
<para>
Before attempting to add a Windows group account, the currently available groups can be listed as shown
here. Note that supplying the password on the command line (<constant>-Uroot%not24get</constant>) is convenient
in examples but exposes the password to every local user through the process list (<command>ps</command>) and
to the shell history; on a production server use <constant>-Uroot</constant> alone and let
<command>net</command> prompt for the password:
<screen>
&rootprompt; net rpc group list -Uroot%not24get
Password:
Domain Admins
Domain Users
Domain Guests
Print Operators
Backup Operators
Replicator
Domain Computers
Engineers
</screen>
A Windows group account called <quote>SupportEngrs</quote> can be added by executing the following
command:
<screen>
&rootprompt; net rpc group add "SupportEngrs" -Uroot%not24get
</screen>
The addition will result in immediate availability of the new group account, as can be validated by executing
this command:
<screen>
&rootprompt; net rpc group list -Uroot%not24get
Password:
Domain Admins
Domain Users
Domain Guests
Print Operators
Backup Operators
Replicator
Domain Computers
Engineers
SupportEngrs
</screen>
</para>
<para>
The following demonstrates that the POSIX (UNIX/Linux system account) group has been created, because
<command>net rpc group add</command> invokes the
<smbconfoption name="add group script">/opt/IDEALX/sbin/smbldap-groupadd -p "%g"</smbconfoption> interface
script:
<screen>
&rootprompt; getent group
...
Domain Admins:x:512:root
Domain Users:x:513:jht,lct,ajt,met
Domain Guests:x:514:
Print Operators:x:550:
Backup Operators:x:551:
Replicator:x:552:
Domain Computers:x:553:
Engineers:x:1002:jht
SupportEngrs:x:1003:
</screen>
The following demonstrates that using the <command>net</command> command to add a group account results in
the immediate mapping of the newly created POSIX group to the Windows group account, as shown here:
<screen>
merlin:~ # net groupmap list
Domain Admins (S-1-5-21-72630-4128915-11681869-512) -> Domain Admins
Domain Users (S-1-5-21-72630-4128915-11681869-513) -> Domain Users
Domain Guests (S-1-5-21-72630-4128915-11681869-514) -> Domain Guests
Print Operators (S-1-5-21-72630-4128915-11681869-550) -> Print Operators
Backup Operators (S-1-5-21-72630-4128915-11681869-551) -> Backup Operators
Replicator (S-1-5-21-72630-4128915-11681869-552) -> Replicator
Domain Computers (S-1-5-21-72630-4128915-11681869-553) -> Domain Computers
Engineers (S-1-5-21-72630-4128915-11681869-3005) -> Engineers
SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs
</screen>
</para>
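<para>
The three listings above must agree with one another: the Windows group (<command>net rpc group list</command>),
the POSIX group (<command>getent group</command>), and the mapping between them (<command>net groupmap
list</command>). When they drift apart, a mapping can point at a POSIX group that has since been removed, or two
Windows groups can end up sharing one GID, which silently gives both sets of members identical file system
rights. The following script is an added example and is not part of the Samba documentation or the Samba
source: it parses constructed samples of the two listings (not captured from a live server) and reports such
inconsistencies, and it also prints the POSIX members behind the RID 512 (<constant>Domain Admins</constant>)
mapping so that they can be reviewed. The sample data, the finding names, and the function name
<constant>audit_groupmap</constant> are the example's own.
</para>
```shell
#!/bin/sh
# Added example: audit the Windows-to-POSIX group mapping table. Not part of
# the Samba documentation; the sample data below is constructed, not captured.

# Constructed sample of `net groupmap list` output, including two deliberate
# problems: two Windows groups mapped to one POSIX group, and a mapping whose
# POSIX group no longer exists.
GROUPMAP_SAMPLE='Domain Admins (S-1-5-21-72630-4128915-11681869-512) -> Domain Admins
Domain Users (S-1-5-21-72630-4128915-11681869-513) -> Domain Users
Domain Guests (S-1-5-21-72630-4128915-11681869-514) -> Domain Guests
Engineers (S-1-5-21-72630-4128915-11681869-3005) -> Engineers
SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs
Auditors (S-1-5-21-72630-4128915-11681869-3011) -> Engineers
Stale (S-1-5-21-72630-4128915-11681869-3009) -> OldTeam'

# Constructed sample of `getent group` output.
GETENT_SAMPLE='root:x:0:
Domain Admins:x:512:root
Domain Users:x:513:jht,lct,ajt,met
Domain Guests:x:514:
Engineers:x:1002:jht
SupportEngrs:x:1003:
wheel:x:10:root,jht'

# audit_groupmap GROUPMAP_TEXT GETENT_TEXT
# Prints one line per finding:
#   MISSING    - mapping points at a POSIX group that does not exist
#   DUPLICATE  - two Windows groups share one POSIX group (and so one GID)
#   PRIVILEGED - the RID 512 (Domain Admins) mapping with its POSIX members,
#                so the list can be reviewed
audit_groupmap() {
    gm=$(mktemp); ge=$(mktemp)
    printf '%s\n' "$1" > "$gm"
    printf '%s\n' "$2" > "$ge"
    awk -F: '
        # First file (getent): record which POSIX groups exist and their members.
        FNR == NR { exists[$1] = 1; members[$1] = $4; next }
        # Second file (groupmap): lines look like "Name (SID) -> unixgroup".
        {
            if (match($0, /\(S-[0-9-]+\) -> /) == 0) { print "UNPARSED: " $0; next }
            nt  = substr($0, 1, RSTART - 2)
            sid = substr($0, RSTART + 1, RLENGTH - 6)
            ug  = substr($0, RSTART + RLENGTH)
            n   = split(sid, p, "-"); rid = p[n]
            if (!(ug in exists))
                print "MISSING: " nt " -> " ug " (no such POSIX group)"
            if (ug in seen)
                print "DUPLICATE: " nt " and " seen[ug] " both map to " ug
            seen[ug] = nt
            if (rid == 512)
                print "PRIVILEGED: RID 512 (" nt ") -> " ug " members=[" members[ug] "]"
        }
    ' "$ge" "$gm"
    rm -f "$gm" "$ge"
}

# On a live server: audit_groupmap "$(net groupmap list)" "$(getent group)"
audit_groupmap "$GROUPMAP_SAMPLE" "$GETENT_SAMPLE"
```
<para>
Both listings must be taken on the Samba host itself, since the POSIX side of every mapping is local to that
machine. A <constant>DUPLICATE</constant> finding deserves particular attention: because Samba enforces access
through the GID, membership in either of the two Windows groups yields exactly the same file system rights.
</para>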
</sect4>
<sect4>
<title>Mapping Windows Groups to UNIX Groups</title>
<para>
Windows groups must be mapped to UNIX system (POSIX) groups so that file system access controls
can be asserted in a manner that is consistent with the methods appropriate to the operating
system that is hosting the Samba server.
</para>
<para>
Samba depends on default mappings for the <constant>Domain Admins</constant>, <constant>Domain Users</constant>,
and <constant>Domain Guests</constant> global groups. Additional groups may be added as shown in the examples
just given. There are times when it is necessary to map an existing UNIX group account to a Windows group.
This operation, in effect, creates a Windows group account as a consequence of creating the mapping.
</para>
<para>
The permitted operations are <constant>add</constant>, <constant>modify</constant>, and
<constant>delete</constant>. An example of each is shown here.
</para>
<para>
An existing UNIX group may be mapped to an existing Windows group by this example:
<screen>
&rootprompt; net groupmap modify ntgroup="Domain Users" unixgroup=users
</screen>
An existing UNIX group may be mapped to a new Windows group as shown here:
<screen>
&rootprompt; net groupmap add ntgroup="EliteEngrs" unixgroup=Engineers type=d
</screen>
A Windows group may be deleted while preserving the UNIX group using this command:
<screen>
&rootprompt; net groupmap delete ntgroup=EngineDrivers
</screen>
</para>
<para>
None of the <command>net groupmap</command> operations creates or removes a POSIX group; they manipulate only
the mapping table. It is <command>net rpc group add</command> that creates the POSIX group, by calling the
<smbconfoption name="add group script"/>, and then maps it. The <constant>modify</constant> method is used
when a mapping for the Windows group already exists (as it does for <constant>Domain Users</constant>), since
<constant>add</constant> refuses to create a second mapping for a Windows group name that is already mapped.
The <constant>add</constant> method maps a UNIX group to a Windows group that does not yet have a mapping, and
it is this mapping that brings the Windows group into existence. In both cases the UNIX group named by
<constant>unixgroup</constant> must already exist.
</para>
</sect4>
<sect4>
<title>Deleting a Group Account</title>
<para>
A group account may be deleted by executing the following command:
<screen>
&rootprompt; net rpc group delete SupportEngrs -Uroot%not24get
</screen>
</para>
<para>
Validation of the deletion is advisable. The same listing commands shown above may be executed; check both
<command>net rpc group list</command> and <command>getent group</command>, since the Windows group account and
the POSIX group are distinct objects.
</para>
</sect4>
<sect4>
<title>How to Rename a Group Account</title>
<note><para>
This command is not documented in the man pages. It is implemented in the source code, but it does not
work. The example given documents (from the source code) how it should work. Watch the release notes
of future releases to see when this may have been fixed.
</para></note>
<para>
Sometimes it is necessary to rename a group account. Good administrators know how painful some managers'
demands can be if this simple request is ignored. The following command demonstrates how the Windows group
<quote>SupportEngrs</quote> would be renamed to <quote>CustomerSupport</quote>:
<screen>
&rootprompt; net rpc group rename SupportEngrs \
CustomerSupport -Uroot%not24get
</screen>
</para>
</sect4>
</sect3>
<sect3>
<title>Manipulating Group Memberships</title>
<para>
</para>
</sect3>
</sect2>
<sect2>
<title>UNIX and Windows User Management</title>
<para>
</para>
</sect2>
<sect2>
<title>Administering User Rights and Privileges</title>
<para>
Samba-3 supports a small set of privileges that can be assigned to domain users and groups so that routine
administration can be delegated without handing out the <constant>root</constant> account (privilege support
must be switched on with <smbconfoption name="enable privileges">yes</smbconfoption>). The
<command>net rpc rights</command> subcommands list, grant, and revoke them. The following session first lists
the accounts and the privileges currently assigned to them (none), then lists the privileges that the server
knows about, and finally grants the complete set to <constant>Domain Admins</constant> and a subset to the
user <constant>jht</constant>. Treat these privileges as sensitive: <constant>SeMachineAccountPrivilege</constant>
lets the holder join machines to the domain, <constant>SeAddUsersPrivilege</constant> lets the holder add users
and groups, and <constant>SeDiskOperatorPrivilege</constant> lets the holder manage shares, so each should be
granted only to accounts that genuinely need it, and the assignments should be reviewed periodically.
</para>
<para>
<screen>
&rootprompt; net rpc rights list accounts -U root%not24get
BUILTIN\Print Operators
No privileges assigned
BUILTIN\Account Operators
No privileges assigned
BUILTIN\Backup Operators
No privileges assigned
BUILTIN\Server Operators
No privileges assigned
BUILTIN\Administrators
No privileges assigned
Everyone
No privileges assigned
&rootprompt; net rpc rights list -U root%not24get
SeMachineAccountPrivilege Add machines to domain
SePrintOperatorPrivilege Manage printers
SeAddUsersPrivilege Add users and groups to the domain
SeRemoteShutdownPrivilege Force shutdown from a remote system
SeDiskOperatorPrivilege Manage disk shares
&rootprompt; net rpc rights grant "MIDEARTH\Domain Admins" \
SeMachineAccountPrivilege SePrintOperatorPrivilege \
SeAddUsersPrivilege SeRemoteShutdownPrivilege \
SeDiskOperatorPrivilege -U root%not24get
Successfully granted rights.
&rootprompt; net rpc rights grant "MIDEARTH\jht" \
SeMachineAccountPrivilege SePrintOperatorPrivilege \
SeAddUsersPrivilege SeDiskOperatorPrivilege \
-U root%not24get
Successfully granted rights.
&rootprompt; net rpc rights list accounts -U root%not24get
MIDEARTH\jht
SeMachineAccountPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
BUILTIN\Print Operators
No privileges assigned
BUILTIN\Account Operators
No privileges assigned
BUILTIN\Backup Operators
No privileges assigned
BUILTIN\Server Operators
No privileges assigned
BUILTIN\Administrators
No privileges assigned
Everyone
No privileges assigned
MIDEARTH\Domain Admins
SeMachineAccountPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeRemoteShutdownPrivilege
SeDiskOperatorPrivilege
&rootprompt;
</screen>
</para>
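<para>
The session above ends with a listing of which accounts hold which privileges. On a server that has been
administered for a while that listing grows, and the question that matters for security is the inverse one:
for each sensitive privilege, who holds it, and has any privilege been granted to a broad principal such as
<constant>Everyone</constant> or <constant>Domain Users</constant>? The following script is an added example
and is not part of the Samba documentation or the Samba source. It parses a constructed sample of
<command>net rpc rights list accounts</command> output (which, unlike the transcript above, keeps the one-space
indentation that the real output puts in front of each privilege line) and answers both questions. The sample,
the choice of which privileges count as sensitive, and the function names <constant>holders_of</constant> and
<constant>audit_rights</constant> are the example's own.
</para>
```shell
#!/bin/sh
# Added example: find out who holds the sensitive Samba privileges. Not part of
# the Samba documentation; the sample below is constructed, not captured.

# Constructed sample of `net rpc rights list accounts` output. The real
# output indents each privilege line with one space; this sample includes a
# deliberate finding, SeDiskOperatorPrivilege granted to Domain Users.
RIGHTS_SAMPLE='MIDEARTH\jht
 SeMachineAccountPrivilege
 SePrintOperatorPrivilege
 SeAddUsersPrivilege
 SeDiskOperatorPrivilege
BUILTIN\Print Operators
 No privileges assigned
BUILTIN\Administrators
 No privileges assigned
Everyone
 No privileges assigned
MIDEARTH\Domain Users
 SeDiskOperatorPrivilege
MIDEARTH\Domain Admins
 SeMachineAccountPrivilege
 SePrintOperatorPrivilege
 SeAddUsersPrivilege
 SeRemoteShutdownPrivilege
 SeDiskOperatorPrivilege'

# Privileges whose holders should be reviewed: each one lets the holder change
# domain membership, accounts, shares, or server availability.
SENSITIVE='SeMachineAccountPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege'

# holders_of PRIVILEGE RIGHTS_TEXT: print one account per line holding PRIVILEGE.
holders_of() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[^ ]/     { acct = $0; next }   # unindented line: start of an account
        $1 == want  { print acct }        # indented line: a privilege of acct
    '
}

# audit_rights RIGHTS_TEXT: summarise the holders of each sensitive privilege
# and flag any privilege held by a broad principal (Everyone, Domain Users,
# Domain Guests).
audit_rights() {
    for p in $SENSITIVE; do
        h=$(holders_of "$p" "$1" | tr '\n' ',' | sed 's/,$//')
        printf '%s: %s\n' "$p" "${h:-nobody}"
    done
    printf '%s\n' "$1" | awk '
        /^[^ ]/ { acct = $0; next }
        $1 != "No" {
            if (acct == "Everyone" || acct ~ /Domain (Users|Guests)$/)
                print "BROAD: " acct " holds " $1
        }
    '
}

# On a live server: audit_rights "$(net rpc rights list accounts -U root)"
audit_rights "$RIGHTS_SAMPLE"
```
<para>
A <constant>BROAD</constant> line means a privilege has effectively been granted to every domain account, and
the remedy is <command>net rpc rights revoke</command> for that account and privilege. The script is
deliberately conservative about what it calls broad; extend the pattern to any group that, on a given site,
contains most of the user population.
</para>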
</sect2>
<sect2>
<title>Managing Trust Relationships</title>
<para>
</para>
<sect3>
<title>Machine Trust Accounts</title>
<para>
A domain member's machine trust account can be validated against the domain controller using
<command>net rpc testjoin</command>. Success means that the machine account exists in the domain and that the
machine password stored locally still matches the one held by the domain controller:
<screen>
&rootprompt; net rpc testjoin
Join to 'MIDEARTH' is OK
</screen>
</para>
</sect3>
<sect3>
<title>Inter-Domain Trusts</title>
<para>
</para>
</sect3>
</sect2>
<sect2>
<title>Managing Security Identifiers (SIDS)</title>
<para>
</para>
</sect2>
<sect2>
<title>Share Management</title>
<para>
</para>
<sect3>
<title>Creating, Editing, and Removing Shares</title>
<para>
</para>
</sect3>
<sect3>
<title>Creating and Changing Share ACLs</title>
<para>
</para>
</sect3>
<sect3>
<title>Migration of Files Across Servers</title>
<para>
</para>
</sect3>
</sect2>
<sect2>
<title>Controlling Open Files</title>
<para>
</para>
</sect2>
<sect2>
<title>Session and Connection Management</title>
<para>
</para>
</sect2>
<sect2>
<title>Printers and ADS</title>
<para>
</para>
</sect2>
<sect2>
<title>Manipulating the Samba Cache</title>
<para>
</para>
</sect2>
<sect2>
<title>Other Miscellaneous Operations</title>
<para>
Basic information about the domain, including the domain SID that forms the prefix of every group and user SID
issued by it, can be retrieved with <command>net rpc info</command>:
<screen>
&rootprompt; net rpc info
Domain Name: MIDEARTH
Domain SID: S-1-5-21-726309263-4128913605-1168186429
Sequence number: 1115878548
Num users: 5
Num domain groups: 8
Num local groups: 0
</screen>
</para>
</sect2>
</sect1>
</chapter>