<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<chapter id="NetCommand">
<chapterinfo>
&author.jht;
&author.vl;
&author.gd;
<pubdate>May 9, 2005</pubdate>
</chapterinfo>
<title>Remote and Local Management &smbmdash; The Net Command</title>
<para>
The <command>net</command> command is one of the new features of Samba-3 and is an attempt to provide a useful
tool into which the majority of remote management operations necessary for common tasks can be integrated. The
<command>net</command> tool is flexible by design and is intended for command line use as well as for scripted
control applications.
</para>
<para>
Originally introduced with the intent to mimic the Microsoft Windows command of the same name, the
<command>net</command> command has morphed into a very powerful instrument that has become an essential part
of the Samba network administrator's toolbox. The Samba Team has introduced tools such as
<command>smbgroupedit</command> and <command>rpcclient</command>, the really useful parts of which have been
integrated into <command>net</command>. The <command>smbgroupedit</command> command was absorbed entirely into
<command>net</command>, while only some features of the <command>rpcclient</command> command have been
ported to it. Anyone who finds older references to these utilities and to the functionality they provided
should look at the <command>net</command> command before searching elsewhere.
</para>
<para>
A Samba-3 administrator cannot afford to gloss over this chapter, because to do so will almost certainly cause
self-induced pain, agony, and desperation. Be warned: this is an important chapter.
</para>
<sect1>
<title>Overview</title>
<para>
The tasks that follow the installation of a Samba-3 server, whether a Stand-Alone server, a Domain Member, or a
Domain Controller (PDC or BDC), begin with the need to create administrative rights. Of course, the
creation of user and group accounts is essential for both a Stand-Alone server and a PDC.
In the case of a BDC or a Domain Member server (DMS), domain user and group accounts are obtained from
the central domain authentication backend.
</para>
<para>
Regardless of the type of server being installed, local UNIX groups must be mapped to the Windows
networking domain global group accounts. Why? Because Samba always limits its access to
the resources of the host server by way of traditional UNIX UID/GID controls. This means that local
groups must be mapped to domain global groups so that domain users who are members of those domain
global groups can be given access rights based on UIDs and GIDs local to the server that is hosting
Samba. Such mappings are implemented using the <command>net</command> command.
</para>
<para>
UNIX systems that are hosting a Samba-3 server that is running as a member (PDC, BDC, or DMS) must have
a machine security account in the domain authentication database (or directory). The creation of such
security (or trust) accounts is also handled using the <command>net</command> command.
</para>
<para>
The establishment of interdomain trusts is also achieved using the <command>net</command> command, as
are a plethora of typical administrative duties such as user management, group management, share and
printer management, file and printer migration, security identifier management, and so on.
</para>
<para>
The overall picture should be clear now: the <command>net</command> command plays a central role
on the Samba-3 stage, and this role will continue to be developed. The inclusion of this chapter is
evidence of its importance; its use has grown in complexity to the point that it is no longer considered
prudent to cover it fully in the on-line UNIX man pages.
</para>
</sect1>
<sect1>
<title>Administrative Tasks And Methods</title>
<para>
The basic operations of the <command>net</command> command are documented here. This documentation is not
exhaustive. Since the primary focus is on migration from Windows servers to a Samba server, the emphasis is
on the use of the DCE RPC mode of operation. When used against a server that is a member of an Active
Directory domain it is preferable (and often necessary) to use ADS mode operations. The
<command>net</command> command supports both, but not for every operation. Please refer
to the man page for a more comprehensive overview of the capabilities of this utility.
</para>
</sect1>
<sect1>
<title>UNIX and Windows Group Management</title>
<para>
As already stated, the focus in most of this chapter is on use of the <command>net
rpc</command> family of operations that are supported by Samba. Most of them are also supported by the
<command>net ads</command> mode when used in connection with MS Active Directory. The <command>net
rap</command> operating mode is supported for some of these operations as well. RAP protocols are used
by IBM OS/2 and by several earlier SMB servers.
</para>
<para>
Samba's <command>net</command> tool implements sufficient capability to permit all common administrative
tasks to be completed from the command line. In this section each of the essential user and group management
facilities is explored.
</para>
<para>
Samba-3 recognizes two types of groups: <emphasis>domain groups</emphasis> and <emphasis>local
groups</emphasis>. Domain groups can contain (have as members) only domain user accounts. Local groups
can contain local users, domain users, and domain groups as members.
</para>
<para>
The purpose of a local group is to permit file permissions to be set for a group account that, like the
usual UNIX/Linux group, is persistent across redeployment of a Windows file server.
</para>
<sect2>
<title>Adding, Renaming, or Deletion of Group Accounts</title>
<sect3>
<title>Adding or Creating a New Group</title>
<para>
Before attempting to add a Windows group account, the currently available groups can be listed as shown
here:
<screen>
&rootprompt; net rpc group list -Uroot%not24get
Password:
Domain Admins
Domain Users
Domain Guests
Print Operators
Backup Operators
Replicator
Domain Computers
Engineers
</screen>
A Windows group account called <quote>SupportEngrs</quote> can be added by executing the following
command:
<screen>
&rootprompt; net rpc group add "SupportEngrs" -Uroot%not24get
</screen>
The addition results in immediate availability of the new group account, as validated by executing
this command:
<screen>
&rootprompt; net rpc group list -Uroot%not24get
Password:
Domain Admins
Domain Users
Domain Guests
Print Operators
Backup Operators
Replicator
Domain Computers
Engineers
SupportEngrs
</screen>
</para>
<para>
The following demonstrates that the POSIX (UNIX/Linux system account) group has been created by calling
the <smbconfoption name="add group script">/opt/IDEALX/sbin/smbldap-groupadd -p "%g"</smbconfoption> interface
script:
<screen>
&rootprompt; getent group
...
Domain Admins:x:512:root
Domain Users:x:513:jht,lct,ajt,met
Domain Guests:x:514:
Print Operators:x:550:
Backup Operators:x:551:
Replicator:x:552:
Domain Computers:x:553:
Engineers:x:1002:jht
SupportEngrs:x:1003:
</screen>
The following demonstrates that the use of the <command>net</command> command to add a group account
results in immediate mapping of the POSIX group that has been created to the Windows group account, as shown
here:
<screen>
merlin:~ # net groupmap list
Domain Admins (S-1-5-21-72630-4128915-11681869-512) -> Domain Admins
Domain Users (S-1-5-21-72630-4128915-11681869-513) -> Domain Users
Domain Guests (S-1-5-21-72630-4128915-11681869-514) -> Domain Guests
Print Operators (S-1-5-21-72630-4128915-11681869-550) -> Print Operators
Backup Operators (S-1-5-21-72630-4128915-11681869-551) -> Backup Operators
Replicator (S-1-5-21-72630-4128915-11681869-552) -> Replicator
Domain Computers (S-1-5-21-72630-4128915-11681869-553) -> Domain Computers
Engineers (S-1-5-21-72630-4128915-11681869-3005) -> Engineers
SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs
</screen>
</para>
</sect3>
<sect3>
<title>Mapping Windows Groups to UNIX Groups</title>
<para>
Windows groups must be mapped to UNIX system (POSIX) groups so that file system access controls
can be asserted in a manner that is consistent with the methods appropriate to the operating
system that is hosting the Samba server.
</para>
<para>
All file system (file and directory) access controls within the file system of a UNIX/Linux server that is
hosting a Samba server are implemented using a UID/GID identity tuple. Samba does not in any way override
or replace UNIX file system semantics. Thus all Windows networking operations that
access the file system must provide a mechanism that maps a Windows user to a particular UNIX/Linux group
account. The user account must also map to a locally known UID.
</para>
<para>
Samba depends on default mappings for the <constant>Domain Admins, Domain Users</constant> and
<constant>Domain Guests</constant> global groups. Additional groups may be added as shown in the
examples just given. There are times when it is necessary to map an existing UNIX group account
to a Windows group. This operation, in effect, creates a Windows group account as a consequence
of creating the mapping.
</para>
<para>
The operations that are permitted include: <constant>add, modify, delete</constant>. An example
of each operation is shown here.
</para>
<para>
An existing UNIX group may be mapped to an existing Windows group by this example:
<screen>
&rootprompt; net groupmap modify ntgroup="Domain Users" unixgroup=users
</screen>
An existing UNIX group may be mapped to a new Windows group as shown here:
<screen>
&rootprompt; net groupmap add ntgroup="EliteEngrs" unixgroup=Engineers type=d
</screen>
A Windows group may be deleted, and then a new Windows group can be mapped to the UNIX group by
executing these commands:
<screen>
&rootprompt; net groupmap delete ntgroup=Engineers
&rootprompt; net groupmap add ntgroup=EngineDrivers unixgroup=Engineers type=d
</screen>
</para>
<para>
Two types of Windows groups can be created: <constant>domain (global)</constant> and <constant>local</constant>.
In the above examples the Windows groups created were of type <constant>domain</constant>, or global. The
following command will create a Windows group of type <constant>local</constant>:
<screen>
&rootprompt; net groupmap add ntgroup=Pixies unixgroup=pixies type=l
</screen>
Local groups can be used with Samba to provide nested group support.
</para>
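<para>
The mapping table is worth auditing rather than merely listing: the UNIX group behind the RID-512 entry is,
for file system purposes, the set of domain administrators on this host, and a mapping whose UNIX group no
longer exists silently stops granting access. The following script is an added example and is not part of
the Samba documentation or of Samba itself. It assumes only the two output formats shown above
(<command>net groupmap list</command> and <command>getent group</command>); the sample inputs are
constructed from the listings on this page, with one deliberately stale mapping
(<constant>Contractors</constant>) added.
</para>

```sh
#!/bin/sh
# Added example (not from the Samba documentation): audit the group mapping
# table for dangling entries and report the UNIX group that backs Domain Admins.
# Assumption: the inputs are verbatim "net groupmap list" and "getent group"
# output. The samples are constructed from this page plus one stale mapping.

GROUPMAP_SAMPLE='Domain Admins (S-1-5-21-72630-4128915-11681869-512) -> Domain Admins
Domain Users (S-1-5-21-72630-4128915-11681869-513) -> Domain Users
Domain Guests (S-1-5-21-72630-4128915-11681869-514) -> Domain Guests
Engineers (S-1-5-21-72630-4128915-11681869-3005) -> Engineers
Contractors (S-1-5-21-72630-4128915-11681869-3009) -> nosuchgroup'

GETENT_SAMPLE='root:x:0:
Domain Admins:x:512:root
Domain Users:x:513:jht,lct,ajt,met
Domain Guests:x:514:
Engineers:x:1002:jht'

# audit_groupmap GROUPMAP_TEXT GETENT_TEXT
# One finding per output line:
#   DANGLING NTGROUP -> UNIXGROUP    the mapped UNIX group does not exist
#   RIDMISMATCH RID NTGROUP          a well-known RID carries an unexpected name
#   RID512 UNIXGROUP members=...     who really holds Domain Admins on this host
audit_groupmap() {
  printf '%s\n' "$1" | awk -v getent="$2" '
    BEGIN {
      n = split(getent, lines, "\n")
      for (i = n; i > 0; i--) {
        split(lines[i], f, ":")
        if (f[1] != "") { exists[f[1]] = 1; members[f[1]] = f[4] }
      }
      known[512] = "Domain Admins"; known[513] = "Domain Users"; known[514] = "Domain Guests"
    }
    {
      # Line layout: NTGROUP (SID) -> UNIXGROUP
      p = index($0, " (S-1-5-"); if (p == 0) next
      nt = substr($0, 1, p - 1)
      rest = substr($0, p + 2)              # "S-1-5-...-RID) -> UNIXGROUP"
      q = index(rest, ")")
      sid = substr(rest, 1, q - 1)
      ug = substr(rest, q + 5)              # skip ") -> "
      rid = sid; sub(/.*-/, "", rid)        # last SID component is the RID
      if (!(ug in exists)) print "DANGLING " nt " -> " ug
      if (rid in known) { if (known[rid] != nt) print "RIDMISMATCH " rid " " nt }
      if (rid == 512) { if (ug in exists) print "RID512 " ug " members=" members[ug] }
    }'
}

audit_groupmap "$GROUPMAP_SAMPLE" "$GETENT_SAMPLE"
```

<para>
In production, replace the two sample strings with <command>net groupmap list</command> and
<command>getent group</command> output captured on the Samba server. A <constant>RIDMISMATCH</constant>
finding means a well-known RID is carried by a group with an unexpected name, which is usually a deliberate
rename but should be confirmed; a <constant>RID512</constant> line with unexpected members is a privilege
problem, not a naming one.
</para>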
</sect3>
<sect3>
<title>Deleting a Group Account</title>
<para>
A group account may be deleted by executing the following command:
<screen>
&rootprompt; net rpc group delete SupportEngrs -Uroot%not24get
</screen>
</para>
<para>
Validation of the deletion is advisable. The same commands may be executed as shown above.
</para>
</sect3>
<sect3>
<title>Rename Group Accounts</title>
<note><para>
This command is not documented in the man pages. It is implemented in the source code, but it does not
work. The example given documents (from the source code) how it should work. Watch the release notes
of a future release to see when this may have been fixed.
</para></note>
<para>
Sometimes it is necessary to rename a group account. Good administrators know how painful some managers'
demands can be if this simple request is ignored. The following command demonstrates how the Windows group
<quote>SupportEngrs</quote> can be renamed to <quote>CustomerSupport</quote>:
<screen>
&rootprompt; net rpc group rename SupportEngrs \
CustomerSupport -Uroot%not24get
</screen>
</para>
</sect3>
</sect2>
<sect2>
<title>Manipulating Group Memberships</title>
<para>
Three operations can be performed in respect of group membership. It is possible to (1) add Windows users
to a Windows group, (2) delete Windows users from Windows groups, and (3) list the Windows users that are
members of a Windows group.
</para>
<para>
To avoid confusion, it makes sense to check group membership before attempting to make any changes.
The <command>getent group</command> command will list UNIX/Linux group membership. UNIX/Linux group members are
seen also as members of a Windows group that has been mapped using the <command>net groupmap</command>
command (see <link linkend="groupmapping"/>). The following list of UNIX/Linux group membership shows
that the user <constant>ajt</constant> is a member of the UNIX/Linux group <constant>Engineers</constant>.
<screen>
&rootprompt; getent group
...
Domain Admins:x:512:root
Domain Users:x:513:jht,lct,ajt,met,vlendecke
Domain Guests:x:514:
Print Operators:x:550:
Backup Operators:x:551:
Replicator:x:552:
Domain Computers:x:553:
Engineers:x:1000:jht,ajt
</screen>
The UNIX/Linux groups have been mapped to Windows groups, as is shown here:
<screen>
&rootprompt; net groupmap list
Domain Admins (S-1-5-21-72630-412605-116429-512) -> Domain Admins
Domain Users (S-1-5-21-72630-412605-116429-513) -> Domain Users
Domain Guests (S-1-5-21-72630-412605-116429-514) -> Domain Guests
Print Operators (S-1-5-21-72630-412605-116429-550) -> Print Operators
Backup Operators (S-1-5-21-72630-412605-116429-551) -> Backup Operators
Replicator (S-1-5-21-72630-412605-116429-552) -> Replicator
Domain Computers (S-1-5-21-72630-412605-116429-553) -> Domain Computers
Engineers (S-1-5-21-72630-412605-116429-3001) -> Engineers
</screen>
</para>
<para>
Given that the user <constant>ajt</constant> is already a member of the UNIX/Linux group, and via the
group mapping, a member of the Windows group, an attempt to add this account again should fail. This is
demonstrated here:
<screen>
merlin:~ # net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot%not24get
Could not add ajt to MIDEARTH\Engineers: NT_STATUS_MEMBER_IN_GROUP
</screen>
This shows that the group mapping between UNIX/Linux groups and Windows groups is effective and
transparent.
</para>
<para>
To permit the user <constant>ajt</constant> to be added using the <command>net rpc group</command> utility,
this account must first be removed. The removal, and confirmation of its effect, is shown here:
<screen>
&rootprompt; net rpc group delmem "MIDEARTH\Engineers" ajt -Uroot%not24get
&rootprompt; getent group Engineers
Engineers:x:1000:jht
&rootprompt; net rpc group members Engineers -Uroot%not24get
MIDEARTH\jht
</screen>
In this example, at the UNIX/Linux system level the group no longer has <constant>ajt</constant>
as a member. The above also shows this to be the case for Windows group membership.
</para>
<para>
The account is now added again, using the <command>net rpc group</command> utility:
<screen>
&rootprompt; net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot%not24get
&rootprompt; getent group Engineers
Engineers:x:1000:jht,ajt
&rootprompt; net rpc group members Engineers -Uroot%not24get
MIDEARTH\jht
MIDEARTH\ajt
</screen>
</para>
<para>
In this example the members of the Windows <constant>Domain Users</constant> group are validated using
the <command>net rpc group</command> utility. Note that the contents of the corresponding UNIX/Linux group
were shown four paragraphs earlier. The Windows (domain) group membership is shown here:
<screen>
&rootprompt; net rpc group members "Domain Users" -Uroot%not24get
MIDEARTH\jht
MIDEARTH\lct
MIDEARTH\ajt
MIDEARTH\met
MIDEARTH\vlendecke
</screen>
The example shown here demonstrates explicitly that Windows group names are treated by Samba (as with
MS Windows) in a case-insensitive manner:
<screen>
&rootprompt; net rpc group members "DomAiN USerS" -Uroot%not24get
MIDEARTH\jht
MIDEARTH\lct
MIDEARTH\ajt
MIDEARTH\met
MIDEARTH\vlendecke
</screen>
</para>
<note><para>
An attempt to specify the group name as <constant>MIDEARTH\Domain Users</constant> in place of
simply <constant>Domain Users</constant> will fail. The default behavior of <command>net rpc group</command>
is to direct the command at the local machine, and the Windows group is treated as being local to the machine.
If it is necessary to query another machine, its name can be specified using the <constant>-S
servername</constant> parameter to the <command>net</command> command.
</para></note>
</sect2>
<sect2>
<title>Nested Group Support</title>
<para>
It is possible in Windows (and now in Samba also) to create a local group that has as members (contains)
domain users and domain global groups. Creation of the local group <constant>demo</constant> is
achieved by executing:
<screen>
&rootprompt; net rpc group add demo -L -Uroot%not24get
</screen>
The -L switch means create a local group. Use the -S argument to direct the operation to a particular
server. The parameters to the -U argument should be for a user who has appropriate administrative rights
and privileges on the machine.
</para>
<para>
Addition and removal of group members can be achieved using the <constant>addmem</constant> and
<constant>delmem</constant> subcommands of <command>net rpc group</command> command. For example,
addition of <quote>DOM\Domain Users</quote> to the local group <constant>demo</constant> would be
done by executing:
<screen>
&rootprompt; net rpc group addmem demo "DOM\Domain Users" -Uroot%not24get
</screen>
</para>
<para>
The members of a nested group can be listed by executing the following:
<screen>
&rootprompt; net rpc group members demo -Uroot%not24get
DOM\Domain Users
DOM\Engineers
DOM\jamesf
DOM\jht
</screen>
</para>
<para>
Nested group members can be removed (deleted) as shown here:
<screen>
&rootprompt; net rpc group delmem demo "DOM\jht" -Uroot%not24get
</screen>
</para>
</sect2>
</sect1>
<sect1>
<title>UNIX and Windows User Management</title>
<para>
Every Windows network user account must be translated to a UNIX/Linux user account. In actual fact,
the only account information the UNIX/Linux Samba server needs is a UID. The UID is available either
from a system (POSIX) account or from a pool (range) of UID numbers that is set aside for allocation
to Windows user accounts. In the case of the UID pool, the UID for a
particular user will be allocated by <command>winbindd</command>.
</para>
<para>
Although this is not the appropriate place to discuss the <smbconfoption name="username map"/> facility,
this interface is an important method of mapping a Windows user account to a UNIX account that has a
different name. Refer to the man page for the &smb.conf; file for more information regarding this
facility. User name mappings cannot be managed using the <command>net</command> utility.
</para>
<sect2>
<title>Adding User Accounts</title>
<para>
</para>
</sect2>
<sect2>
<title>Deletion of User Accounts</title>
<para>
</para>
</sect2>
<sect2>
<title>Modification of User Accounts</title>
<para>
</para>
</sect2>
<sect2>
<title>User Mapping</title>
<para>
</para>
</sect2>
</sect1>
<sect1>
<title>Administering User Rights and Privileges</title>
<para>
Rights (privileges) are granted to user and group accounts, not to the server as a whole, and are managed
with <command>net rpc rights</command>. The session below first lists the accounts together with their
current assignments (none), then lists the privileges that Samba supports, grants the full set to
<constant>Domain Admins</constant> and a subset to the user <constant>jht</constant>, and finally lists
the assignments again to validate the result:
<screen>
&rootprompt; net rpc rights list accounts -U root%not24get
BUILTIN\Print Operators
No privileges assigned
BUILTIN\Account Operators
No privileges assigned
BUILTIN\Backup Operators
No privileges assigned
BUILTIN\Server Operators
No privileges assigned
BUILTIN\Administrators
No privileges assigned
Everyone
No privileges assigned
&rootprompt; net rpc rights list -U root%not24get
SeMachineAccountPrivilege Add machines to domain
SePrintOperatorPrivilege Manage printers
SeAddUsersPrivilege Add users and groups to the domain
SeRemoteShutdownPrivilege Force shutdown from a remote system
SeDiskOperatorPrivilege Manage disk shares
&rootprompt; net rpc rights grant "MIDEARTH\Domain Admins" \
SeMachineAccountPrivilege SePrintOperatorPrivilege \
SeAddUsersPrivilege SeRemoteShutdownPrivilege \
SeDiskOperatorPrivilege -U root%not24get
Successfully granted rights.
&rootprompt; net rpc rights grant "MIDEARTH\jht" \
SeMachineAccountPrivilege SePrintOperatorPrivilege \
SeAddUsersPrivilege SeDiskOperatorPrivilege \
-U root%not24get
Successfully granted rights.
&rootprompt; net rpc rights list accounts -U root%not24get
MIDEARTH\jht
SeMachineAccountPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
BUILTIN\Print Operators
No privileges assigned
BUILTIN\Account Operators
No privileges assigned
BUILTIN\Backup Operators
No privileges assigned
BUILTIN\Server Operators
No privileges assigned
BUILTIN\Administrators
No privileges assigned
Everyone
No privileges assigned
MIDEARTH\Domain Admins
SeMachineAccountPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeRemoteShutdownPrivilege
SeDiskOperatorPrivilege
</screen>
</para>
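<para>
The listing above is what an auditor needs to re-read periodically: <constant>SeMachineAccountPrivilege</constant>
lets its holder add machines to the domain and <constant>SeDiskOperatorPrivilege</constant> lets its holder
create shares, so the question <quote>who holds these beyond Domain Admins?</quote> should have a short,
expected answer. The script below is an added example, not part of the Samba documentation. It assumes only
the output format of <command>net rpc rights list accounts</command> shown above; its sample input is
constructed from the final listing in that session.
</para>

```sh
#!/bin/sh
# Added example (not from the Samba documentation): turn the output of
# "net rpc rights list accounts" into auditable ACCOUNT/PRIVILEGE pairs.
# The sample is constructed from the final listing on this page; the parser
# does not depend on the indentation Samba prints.

RIGHTS_SAMPLE='MIDEARTH\jht
 SeMachineAccountPrivilege
 SePrintOperatorPrivilege
 SeAddUsersPrivilege
 SeDiskOperatorPrivilege
BUILTIN\Print Operators
 No privileges assigned
BUILTIN\Account Operators
 No privileges assigned
BUILTIN\Backup Operators
 No privileges assigned
BUILTIN\Server Operators
 No privileges assigned
BUILTIN\Administrators
 No privileges assigned
Everyone
 No privileges assigned
MIDEARTH\Domain Admins
 SeMachineAccountPrivilege
 SePrintOperatorPrivilege
 SeAddUsersPrivilege
 SeRemoteShutdownPrivilege
 SeDiskOperatorPrivilege'

# rights_pairs TEXT : one "ACCOUNT, tab, PRIVILEGE" line per assignment.
# An account line is anything that is neither a privilege name nor the
# "No privileges assigned" marker. The text goes in on stdin so that the
# backslash in DOMAIN\account is never escape-processed.
rights_pairs() {
  printf '%s\n' "$1" | awk '
    { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
    line == "" || line == "No privileges assigned" { next }
    line ~ /^Se[A-Za-z]+Privilege$/ { print acct "\t" line; next }
    { acct = line }'
}

# holders PRIVILEGE TEXT : the accounts that hold PRIVILEGE, one per line.
holders() {
  rights_pairs "$2" | awk -F '\t' -v want="$1" '$2 == want { print $1 }'
}

# unexpected_holders BASELINE TEXT : every "ACCOUNT PRIVILEGE" pair whose
# account is not in the comma-separated BASELINE of accounts expected to hold
# privileges. BASELINE travels through the environment rather than -v so that
# the backslash in "MIDEARTH\Domain Admins" survives.
unexpected_holders() {
  rights_pairs "$2" | BASELINE="$1" awk -F '\t' '
    BEGIN { n = split(ENVIRON["BASELINE"], a, ","); for (i = n; i > 0; i--) ok[a[i]] = 1 }
    !($1 in ok) { print $1 " " $2 }'
}

# Who can add machine accounts, who can create shares, and who holds anything
# at all beyond Domain Admins?
holders SeMachineAccountPrivilege "$RIGHTS_SAMPLE"
holders SeDiskOperatorPrivilege "$RIGHTS_SAMPLE"
unexpected_holders 'MIDEARTH\Domain Admins' "$RIGHTS_SAMPLE"
```

<para>
Feed <function>unexpected_holders</function> the accounts that are supposed to carry privileges and run it
from cron against live <command>net rpc rights list accounts</command> output; any line it prints is a
deviation from the baseline and deserves a ticket, since in the session above a single
<command>net rpc rights grant</command> is all it takes to give an ordinary user the ability to add machines
and create shares.
</para>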
</sect1>
<sect1>
<title>Managing Trust Relationships</title>
<para>
Document how to set up trusts here!!!!!!!!!!!
</para>
<sect2>
<title>Machine Trust Accounts</title>
<para>
<screen>
&rootprompt; net rpc testjoin
Join to 'MIDEARTH' is OK
</screen>
</para>
</sect2>
<sect2>
<title>Inter-Domain Trusts</title>
<para>
Document how to set up trusts here!!!!!!!!!!!
</para>
</sect2>
</sect1>
<sect1>
<title>Managing Security Identifiers (SIDS)</title>
<para>
Document how to set up trusts here!!!!!!!!!!!
</para>
</sect1>
<sect1>
<title>Share Management</title>
<para>
Document how to set up trusts here!!!!!!!!!!!
</para>
<sect2>
<title>Creating, Editing, and Removing Shares</title>
<para>
A share can be added using the <command>net rpc share</command> command. The target machine may be local
or remote and is specified by the -S option. It must be noted that the addition and deletion of shares
using this tool depends on the availability of a suitable interface script. The interface scripts that
Samba's <command>smbd</command> executes are configured with the &smb.conf; parameters
<smbconfoption name="add share command"/> and <smbconfoption name="delete share command"/>.
A set of example scripts is provided in the Samba source code tarball in the directory
<filename>~samba/examples/scripts</filename>.
</para>
<para>
The following steps demonstrate the use of the share management capabilities of the <command>net</command>
utility. In the first step a share called <constant>Bulge</constant> is added. The share-point within the
file system is the directory <filename>/data</filename>. The command that can be executed to perform the
addition of this share is shown here:
<screen>
&rootprompt; net rpc share add Bulge=/data -S merlin -Uroot%not24get
</screen>
Validation is an important process; executing the command <command>net rpc share</command>
with no other operators lists the available shares, as shown here:
<screen>
&rootprompt; net rpc share -S merlin -Uroot%not24get
profdata
archive
Bulge &lt;--- This one was added
print$
netlogon
profiles
IPC$
kyocera
ADMIN$
</screen>
</para>
<para>
Often it is desirable also to permit a share to be removed using a command-line tool.
The following step removes the share that was previously added:
<screen>
&rootprompt; net rpc share delete Bulge -S merlin -Uroot%not24get
</screen>
A simple validation shown here demonstrates that the share has been removed:
<screen>
&rootprompt; net rpc share -S merlin -Uroot%not24get
profdata
archive
print$
netlogon
profiles
IPC$
ADMIN$
kyocera
</screen>
</para>
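<para>
Both the <smbconfoption name="add share command"/> used here and the <smbconfoption name="add group script"/>
shown in the group-creation section are executed by <command>smbd</command>, as root, with arguments that
arrived over RPC from a remote administrator. The script below is an added example of a validating
<smbconfoption name="add share command"/>; it is not one of the scripts shipped in Samba's
<filename>examples/scripts</filename> directory. Two things in it are assumptions rather than taken from
this page: that <command>smbd</command> calls the script as <constant>CONFIGFILE SHARENAME PATHNAME COMMENT
MAXCONNECTIONS</constant> (the calling convention described in the <command>smb.conf</command> man page),
and the hypothetical <constant>ALLOWED_ROOT</constant> directory (defaulting to <filename>/data</filename>,
the path used in the example above) outside of which nothing may be exported.
</para>

```sh
#!/bin/sh
# Added example (not one of Samba's own scripts): a validating "add share command".
# Assumptions, from smb.conf(5) rather than this page: smbd runs the script as
# root with the arguments  CONFIGFILE SHARENAME PATHNAME COMMENT MAXCONNECTIONS.
# ALLOWED_ROOT is hypothetical: the only tree remote administrators may export.
ALLOWED_ROOT="${ALLOWED_ROOT:-/data}"

# add_share CONFIGFILE SHARENAME PATHNAME COMMENT [MAXCONNECTIONS]
# Appends a stanza and returns 0, or writes nothing, sets ADD_SHARE_ERROR and
# returns 1. Every argument came over MS-RPC from whoever holds
# SeDiskOperatorPrivilege, so nothing here is trusted.
add_share() {
  cfg=$1; name=$2; path=$3; comment=$4; maxconn=${5:-0}

  # Share name: a conservative character set, so it can neither smuggle a
  # second stanza into smb.conf nor collide with reserved names such as IPC$.
  case "$name" in
    ""|-*|*[!A-Za-z0-9_.-]*) ADD_SHARE_ERROR="bad share name"; return 1 ;;
  esac
  [ ${#name} -le 80 ] || { ADD_SHARE_ERROR="share name too long"; return 1; }

  # Path: absolute, an existing directory, and still inside ALLOWED_ROOT after
  # symlinks and ".." are resolved. Without this check a share of /etc is one
  # "net rpc share add" away.
  case "$path" in /*) ;; *) ADD_SHARE_ERROR="path not absolute"; return 1 ;; esac
  real=$(cd -P -- "$path" 2>/dev/null || exit 1; pwd -P) ||
    { ADD_SHARE_ERROR="path is not a directory"; return 1; }
  root=$(cd -P -- "$ALLOWED_ROOT" 2>/dev/null || exit 1; pwd -P) ||
    { ADD_SHARE_ERROR="ALLOWED_ROOT missing"; return 1; }
  case "$real" in
    *[![:print:]]*) ADD_SHARE_ERROR="unprintable character in path"; return 1 ;;
    "$root"|"$root"/*) ;;
    *) ADD_SHARE_ERROR="path outside $root"; return 1 ;;
  esac

  # Comment: smb.conf is line-oriented, so a comment containing a newline and
  # then "[other]" would define a second share. Strip line breaks and square
  # brackets (octal 133 and 135) instead of trying to quote them.
  comment=$(printf '%s' "$comment" | tr -d '\r\n\133\135')
  case "$maxconn" in ""|*[!0-9]*) maxconn=0 ;; esac

  {
    printf '\n[%s]\n' "$name"
    printf '\tpath = %s\n' "$real"
    if [ -n "$comment" ]; then printf '\tcomment = %s\n' "$comment"; fi
    printf '\tmax connections = %s\n' "$maxconn"
  } >> "$cfg"
}

# When invoked by smbd (four or more arguments) act as the interface script and
# record any rejection via syslog; with no arguments only define the function.
if [ $# -ge 4 ]; then
  add_share "$@" || { logger -t add_share -- "rejected: $ADD_SHARE_ERROR"; exit 1; }
fi
```

<para>
Point <smbconfoption name="add share command"/> at the script and keep <constant>ALLOWED_ROOT</constant>
away from <filename>/etc</filename> and home directories. The three checks matter individually: the name
check stops a second stanza being smuggled in through the share name, the resolved-path check stops a
symlink under <filename>/data</filename> from exporting <filename>/etc</filename>, and the comment check
stops the same stanza injection through the description field.
</para>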
</sect2>
<sect2>
<title>Creating and Changing Share ACLs</title>
<para>
</para>
</sect2>
<sect2>
<title>Share, Directory and File Migration</title>
<para>
Shares and files can be migrated in the same manner as user, machine and group accounts.
It is possible to preserve access control settings (ACLs) as well as security settings
throughout the migration process. The <command>net rpc vampire</command> facility is used
to migrate accounts from a Windows NT4 (or later) domain to a Samba server. This process
preserves passwords and account security settings and is a precursor to the migration
of shares and files.
</para>
<para>
The <command>net rpc share</command> command may be used to migrate shares, directories,
files, printers, and all relevant data from a Windows server to a Samba server.
</para>
<para>
A set of command-line switches permits the creation of almost direct clones of Windows file
servers. For example, when migrating a file server, file ACLs and DOS file attributes from
the Windows server can be included in the migration process and will reappear, almost identically,
on the Samba server when the migration has been completed.
</para>
<para>
The migration process can be completed only with the Samba server already being fully operational.
This means that the user and group accounts must be migrated before attempting to migrate data
shares, files, and printers. The migration of files and printer configurations involves the use
of both SMB and MS DCE RPC services. A benefit of the manner in which the migration process has
been implemented is that a Samba server can be used as a man-in-the-middle migration
service that effects a transfer of data from one server to another. For example, if the Samba
server is called MESSER, the source Windows NT4 server is called PEPPY, and the target Samba
server is called GONZALES, the machine MESSER can be used to effect the migration of all data
(files and shares) from PEPPY to GONZALES. If the target machine is not specified, the local
server is assumed by default.
</para>
<para>
The success of server migration requires a firm understanding of the structure of the source
server (or domain) as well as of the processes on which the migration is critically dependent.
</para>
<para>
There are two known limitations to the migration process:
</para>
<orderedlist>
<listitem><para>
The <command>net</command> command requires that the user credentials provided exist both
on the migration source and the migration target.
</para></listitem>
<listitem><para>
Printer settings may not be fully migrated, or may be migrated incorrectly. This is particularly
likely when migrating a Windows 2003 print server to Samba.
</para></listitem>
</orderedlist>
<sect3>
<title>Share Migration</title>
<para>
The <command>net rpc share migrate</command> command permits the migration of plain
share stanzas. A stanza contains the parameters within which a file or print share is defined.
The use of this migration method will create share stanzas that have as parameters the file
system directory path, an optional description, and simple security settings that permit write
access to files. One of the first steps necessary following migration is therefore to review the share
stanzas to ensure that the settings are suitable for use.
</para>
<para>
The shares are created on-the-fly as part of the migration process. The <command>smbd</command>
application does this by calling on the operating system to execute the script specified by the
&smb.conf; parameter <parameter>add share command</parameter>.
</para>
<para>
There is a suitable example script for the <parameter>add share command</parameter> in the
<filename>$SAMBA_SOURCES/examples/scripts</filename> directory. It should be noted that
the account that is used to drive the migration must, of necessity, have appropriate file system
access privileges and have the right to create shares and to set ACLs on them. Such rights are
conferred by the privileges <parameter>SeAddUsersPrivilege</parameter> and <parameter>SeDiskOperatorPrivilege</parameter>.
For more information regarding rights and privileges please refer to <link linkend="rights"/>.
</para>
<para>
The syntax of the share migration command is shown here:
<screen>
net rpc share MIGRATE SHARES &lt;sharename&gt; -S &lt;source&gt;
[--destination=localhost] [--exclude=share1,share2] [-v]
</screen>
When the parameter &lt;sharename&gt; is omitted, all shares will be migrated. The potentially
large list of available shares on the system that is being migrated can be limited using the
<parameter>--exclude</parameter> switch. For example:
<screen>
&rootprompt; net rpc share migrate shares myshare \
-S win2k -U administrator%secret
</screen>
This will migrate the share <constant>myshare</constant> from the server <constant>win2k</constant>
to the Samba Server using the permissions that are tied to the account <constant>administrator</constant>
with the password <constant>secret</constant>. The account that is used must be the same on both the
migration source server, as well as on the target Samba server. The use of the <command>net rpc
vampire</command>, prior to attempting the migration of shares, will ensure that accounts will be
identical on both systems. One precaution worth taking before commencement of migration of shares is
to validate that the migrated accounts (on the Samba server) have the needed rights and privileges.
This can be done as shown here:
<screen>
&rootprompt; net rpc rights list accounts -Uroot%not24get
</screen>
The steps taken so far perform only the migration of share definitions. Directories and directory contents
are not migrated by the steps covered up to this point.
</para>
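<para>
The rights check above can be scripted so that migration does not start under an account that lacks the
needed privileges. The following POSIX shell example is added here and is not a Samba tool. It parses the
output of <command>net rpc rights list accounts</command> under the assumption that each account name is
printed on its own line, followed by one privilege per line, with a blank line separating accounts; that
layout is an assumption about the output format, and the embedded sample output is constructed so the check
can be tried offline.
</para>

```shell
#!/bin/sh
# Added example (not a Samba tool): verify that the migration account holds
# SeAddUsersPrivilege and SeDiskOperatorPrivilege before "net rpc share migrate"
# is run. Output-format assumption: one account per block, account name first,
# then one privilege per line, blank line between blocks.

# Constructed sample standing in for live "net rpc rights list accounts" output.
SAMPLE_RIGHTS='MIDEARTH\administrator
SeMachineAccountPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

MIDEARTH\bob
SeMachineAccountPrivilege

BUILTIN\Administrators
SeDiskOperatorPrivilege
SeTakeOwnershipPrivilege'

# has_privilege ACCOUNT PRIVILEGE: reads rights output on stdin and exits 0
# if ACCOUNT holds PRIVILEGE. Values go through the environment because
# "awk -v" would treat the backslash in DOMAIN\user as an escape sequence.
has_privilege() {
    ACCT="$1" PRIV="$2" awk '
        BEGIN { acct = ENVIRON["ACCT"]; priv = ENVIRON["PRIV"]; found = 0 }
        /^[ \t]*$/ { cur = ""; next }          # blank line ends the current block
        cur == ""  { cur = $1; next }          # first line of a block is the account
        cur == acct && $1 == priv { found = 1 }
        END { exit found ? 0 : 1 }'
}

# migration_account_ready ACCOUNT: reads rights output on stdin and reports
# every required right that ACCOUNT lacks. Exits 0 only when none is missing.
REQUIRED_RIGHTS="SeAddUsersPrivilege SeDiskOperatorPrivilege"
migration_account_ready() {
    acct="$1"
    input=$(cat)                 # buffer stdin once; scanned once per right
    missing=""
    for right in $REQUIRED_RIGHTS; do
        printf '%s\n' "$input" | has_privilege "$acct" "$right" || missing="$missing $right"
    done
    if [ -n "$missing" ]; then
        printf 'account %s is missing:%s\n' "$acct" "$missing" >&2
        return 1
    fi
    return 0
}

# Live use would be:
#   net rpc rights list accounts -U root%password | migration_account_ready 'MIDEARTH\administrator'
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_RIGHTS" | migration_account_ready 'MIDEARTH\administrator'
```

<para>
If the installed <command>net</command> prints the account list in a different layout, the parser finds no
matching block and the check fails closed by reporting both rights as missing, which is the safe direction
for a pre-migration gate; adjust the awk script rather than the gate when that happens.
</para>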
</sect3>
<sect3>
<title>File and Directory Migration</title>
<para>
Everything covered to this point has been done in preparation for the migration of file and directory
data. For many people preparation is potentially boring and the real excitement only begins when file
data can be used. The next steps demonstrate the techniques that can be used to transfer (migrate)
data files using the <command>net</command> command.
</para>
<para>
Transfer of files from one server to another has always been a challenge for Microsoft Windows
administrators because Windows NT and 200X servers do not include the tools needed. The
<command>xcopy</command> command is not capable of preserving file and directory ACLs. Microsoft does provide a
utility that can copy ACLs (security settings), called <command>scopy</command>, but it is provided only
as part of the Windows NT or 200X Server Resource Kit.
</para>
<para>
There are several tools, both commercial and freeware, that can be used from Windows server to copy files
and directories with full preservation of security settings. One of the best known of the free tools is
called <command>robocopy</command>.
</para>
<para>
The <command>net</command> utility can be used to copy files and directories with full preservation of
ACLs as well as DOS file attributes. Note that including ACLs makes sense only where the destination
system will operate within the same security context as the source system. This applies both to a domain
member server (DMS) and to domain controllers (DCs) that result from a vampired domain.
Before file and directory migration, all shares must already exist.
</para>
<para>
The syntax for the migration commands is shown here:
<screen>
net rpc share MIGRATE FILES &lt;sharename&gt; -S &lt;source&gt;
[--destination=localhost] [--exclude=share1,share2]
[--acls] [--attrs] [--timestamps] [-v]
</screen>
If the <parameter>&lt;sharename&gt;</parameter> parameter is omitted, all shares will be migrated. The potentially large
list of shares on the source system can be restricted using the <parameter>--exclude</parameter> command
switch.
</para>
<para>
Where it is necessary to preserve all file ACLs, the <parameter>--acls</parameter> switch should be added
to the above command line. Original file time stamps can be preserved by specifying the
<parameter>--timestamps</parameter> switch, and the DOS file attributes (i.e., hidden, archive, etc.) can
be preserved by specifying the <parameter>--attrs</parameter> switch.
</para>
<note><para>
The ability to preserve ACLs depends on appropriate support for ACLs, as well as the general file system
semantics of the host operating system on the target server. A migration from one Windows file server to
another will perfectly preserve all file attributes. Because of the difficulty of mapping Windows ACLs
onto a system that supports POSIX ACLs, there can be no perfect migration of Windows ACLs to a Samba server.
</para></note>
<para>
The ACLs that result on a Samba server will most probably not match the originating ACLs. Windows supports
the possibility of files that are owned only by a group. Group-alone file ownership is not possible under
UNIX/Linux. Errors in migrating group-owned files can be avoided by using the &smb.conf; file
<smbconfoption name="force unknown acl user">yes</smbconfoption> parameter. This facility will
automatically convert group-owned files into correctly user-owned files on the Samba server.
</para>
<para>
An example for migration of files from a machine called <constant>nt4box</constant> to the Samba server
from which the process will be handled is shown here:
<screen>
&rootprompt; net rpc share migrate files -S nt4box --acls \
--attrs -U administrator%secret
</screen>
</para>
<para>
The above command will migrate all files and directories from all file shares on the Windows server called
<constant>nt4box</constant> to the Samba server from which migration is initiated. Files that are group-owned
will be owned by the user account <constant>administrator</constant>.
</para>
</sect3>
<sect3>
<title>Simultaneous Share and File Migration</title>
<para>
The operating mode shown here is simply a combination of the two above. It first migrates the
share definitions and then all shared files and directories:
<screen>
net rpc share MIGRATE ALL &lt;sharename&gt; -S &lt;source&gt;
[--exclude=share1,share2] [--acls] [--attrs] [--timestamps] [-v]
</screen>
</para>
<para>
An example of simultaneous migration is shown here:
<screen>
&rootprompt; net rpc share migrate all -S w2k3server -U administrator%secret
</screen>
This will generate a complete server clone of the <constant>w2k3server</constant> server.
</para>
</sect3>
</sect2>
<sect2>
<title>Printer Migration</title>
<para>
The installation of a new server, as with the migration to a new network environment, often has similarity
to the building of a house: progress is very rapid from the laying of foundations up to the stage at which
the house can be locked up, but the finishing off appears to take longer and longer as building
approaches completion.
</para>
<para>
Printing needs vary greatly depending on the network environment, and may be very simple or complex. If
the need is very simple, the best solution for the implementation of printing support may well be to
re-install everything from a clean slate instead of migrating older configurations. On the other hand, in
a complex network that is integrated with many international offices and a multiplicity of local branch
offices, each of which forms an intertwined maze of printing possibilities, the ability to migrate all
printer configurations is decidedly beneficial. To manually re-establish a complex printing network
will take much time and frustration. Often it will not be possible to find the driver files that are
currently in use, thus necessitating the installation of newer drivers. Newer drivers often implement
printing features that will necessitate a change in printer usage. Additionally, with very complex
printer configurations it becomes almost impossible to re-create the same environment, no matter
how extensively it has been documented.
</para>
<para>
The migration of an existing printing architecture involves the following:
</para>
<itemizedlist>
<listitem><para>Establishment of print queues.</para></listitem>
<listitem><para>Installation of printer drivers (both for the print server and for Windows clients).</para></listitem>
<listitem><para>Configuration of printing forms.</para></listitem>
<listitem><para>Implementation of security settings.</para></listitem>
<listitem><para>Configuration of printer settings.</para></listitem>
</itemizedlist>
<para>
The Samba <command>net</command> utility permits printer migration from one Windows print server
to another. When this tool is used to migrate printers to a Samba server, <command>smbd</command>,
the application that receives the network requests to create the necessary services, must call out
to the operating system in order to create the underlying printers. The call-out is implemented
by way of an interface script that can be specified by the &smb.conf; file parameter
<smbconfoption id="add printer script"/>. This script is essential to the migration process.
A suitable example script may be obtained from the <filename>$SAMBA_SOURCES/examples/scripts</filename>
directory. Take note that this script must be customized to suit the operating system environment
and may use its tools to create a print queue.
</para>
<para>
Each of the components listed above can be completed separately, or they can be completed as part of an
automated operation. Many network administrators prefer to deal with migration issues in a manner that
gives them the most control, particularly when things go wrong. The syntax for each operation will now
be briefly described.
</para>
<para>
Printer migration from a Windows print server (NT4 or 200X) is shown here. This instruction causes the
printer share to be created together with the underlying print queue:
<screen>
net rpc printer MIGRATE PRINTERS [printer] [misc. options] [targets]
</screen>
Printer drivers can be migrated from the Windows print server to the Samba server using this
command line instruction:
<screen>
net rpc printer MIGRATE DRIVERS [printer] [misc. options] [targets]
</screen>
Printer forms can be migrated with the following operation:
<screen>
net rpc printer MIGRATE FORMS [printer] [misc. options] [targets]
</screen>
Printer security settings (ACLs) can be migrated from the Windows server to the Samba server using this command:
<screen>
net rpc printer MIGRATE SECURITY [printer] [misc. options] [targets]
</screen>
Printer configuration settings include factors such as paper size, default paper orientation, etc.
These can be migrated from the Windows print server to the Samba server with this command:
<screen>
net rpc printer MIGRATE SETTINGS [printer] [misc. options] [targets]
</screen>
</para>
<para>
Migration of printers including all the above mentioned sets of information may be completed
with a single command using this syntax:
<screen>
net rpc printer MIGRATE ALL [printer] [misc. options] [targets]
</screen>
</para>
</sect2>
</sect1>
<sect1>
<title>Controlling Open Files</title>
<para>
Document how to set up trusts here!!!!!!!!!!!
</para>
</sect1>
<sect1>
<title>Session and Connection Management</title>
<para>
Document how to set up trusts here!!!!!!!!!!!
</para>
</sect1>
<sect1>
<title>Printers and ADS</title>
<para>
Document how to set up trusts here!!!!!!!!!!!
</para>
</sect1>
<sect1>
<title>Manipulating the Samba Cache</title>
<para>
Document how to set up trusts here!!!!!!!!!!!
</para>
</sect1>
<sect1>
<title>Other Miscellaneous Operations</title>
<para>
<screen>
&rootprompt; net rpc info
Domain Name: MIDEARTH
Domain SID: S-1-5-21-726309263-4128913605-1168186429
Sequence number: 1115878548
Num users: 5
Num domain groups: 8
Num local groups: 0
</screen>
</para>
</sect1>
</chapter>