Samba 3.0 prealpha guide to group mapping
---------------------------------------------------

Jean François Micouleau (jfm@samba.org)

Starting with Samba 3.0 alpha 2, a new group mapping function is available. The current method (likely to change) to manage the groups is a new command called smbgroupedit.

The first immediate reason to use the group mapping on a PDC is that the 'domain admin group' parameter of smb.conf is now gone. This parameter was used to give the listed users local admin rights on their workstations. It was some magic stuff that simply worked but didn't scale very well for complex setups.

Let me explain how it works on NT/W2K, to have this magic fade away.

When installing NT/W2K on a computer, the installer program creates some users and groups, notably the 'Administrators' group, and gives that group some privileges, like the ability to change the date and time or to kill (or close) any process running on the local machine. The 'Administrator' user is a member of the 'Administrators' group, and thus 'inherits' the 'Administrators' group privileges. If a 'joe' user is created and becomes a member of the 'Administrators' group, 'joe' has exactly the same rights as 'Administrator'.

When a NT/W2K machine is joined to a domain, during that phase the 'Domain Administrators' group of the PDC is added to the 'Administrators' group of the workstation. Every member of the 'Domain Administrators' group 'inherits' the rights of the 'Administrators' group when logging on the workstation.

You are now wondering how to make some of your samba PDC users members of the 'Domain Administrators' group? That's really easy.

1) create a unix group (usually in /etc/group), let's call it domadm

2) add to this group the users that must be Administrators.

   For example, if you want joe, john and mary, your entry in /etc/group will look like:

   domadm:x:502:joe,john,mary

3) map this domadm group to the 'domain admins' group:

3.1) list all the mapped groups by running:

   smbgroupedit -v

   you will get a list looking like the one below.

   NT group (SID) -> Unix group
   System Operators (S-1-5-32-549) -> -1
   Replicators (S-1-5-32-552) -> -1
   Guests (S-1-5-32-546) -> -1
   Power Users (S-1-5-32-547) -> -1
   Print Operators (S-1-5-32-550) -> -1
   Administrators (S-1-5-32-544) -> -1
   Account Operators (S-1-5-32-548) -> -1
   Backup Operators (S-1-5-32-551) -> -1
   Users (S-1-5-32-545) -> -1
   Domain Admins (S-1-5-21-1108995562-3116817432-1375597819-512) -> -1
   Domain Guests (S-1-5-21-1108995562-3116817432-1375597819-514) -> -1
   Domain Users (S-1-5-21-1108995562-3116817432-1375597819-513) -> -1

3.2) map the unix domadm group to the NT 'Domain Admins' group, by running the command:

   smbgroupedit -c S-1-5-21-1108995562-3116817432-1375597819-512 -u domadm

   warning: don't copy and paste this sample, the Domain Admins SID (the S-1-5-21-...-512) is different for every PDC.

You're set, joe, john and mary are domain administrators!

Like the Domain Admins group, you can map any arbitrary Unix group to any NT group. You can also make any Unix group a domain group. For example, on a domain member machine (an NT/W2K or a samba server running winbind), you would like to give access to a certain directory to some users who are members of a group on your samba PDC. Flag that group as a domain group by running:

   smbgroupedit -a unixgroup -td
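As an added example (not part of the original guide), here is a small POSIX shell helper that reads the 'smbgroupedit -v' listing and picks out the PDC's own Domain Admins SID by its RID (512), so the mapping command in step 3.2 never needs a hand-copied SID; it also checks afterwards that the mapping took. The listing text embedded in it is a constructed sample, and smbgroupedit is assumed to print exactly the format shown above.

```shell
#!/bin/sh
# Added example (not from the guide): derive the PDC's Domain Admins SID
# from the "smbgroupedit -v" listing instead of hard-coding the sample SID,
# which differs on every PDC.

# Constructed sample of the listing before any mapping (format as in the guide).
SAMPLE_LISTING='NT group (SID) -> Unix group
Administrators (S-1-5-32-544) -> -1
Domain Admins (S-1-5-21-1108995562-3116817432-1375597819-512) -> -1
Domain Guests (S-1-5-21-1108995562-3116817432-1375597819-514) -> -1
Domain Users (S-1-5-21-1108995562-3116817432-1375597819-513) -> -1'

# Constructed sample of the Domain Admins line after the mapping was applied.
MAPPED_LINE='Domain Admins (S-1-5-21-1108995562-3116817432-1375597819-512) -> domadm'

# Print the domain SID whose RID is $1 (512 = Domain Admins, 513 = Domain
# Users, 514 = Domain Guests), read from a listing on stdin. Prints nothing
# if that RID is absent; builtin S-1-5-32-* groups are deliberately skipped.
domain_sid_for_rid() {
    sed -n "s/^.*(\(S-1-5-21-[0-9-]*-$1\)) -> .*\$/\1/p" | head -n 1
}

# Print (do not run) the smbgroupedit command that maps unix group $1 to the
# domain group with RID $2, reading the listing from stdin. Fails if the RID
# is not in the listing or the unix group name is empty.
mapping_command() {
    [ -n "$1" ] || { echo "usage: mapping_command unixgroup rid" >&2; return 1; }
    sid=$(domain_sid_for_rid "$2")
    [ -n "$sid" ] || { echo "no domain group with RID $2 in listing" >&2; return 1; }
    echo "smbgroupedit -c $sid -u $1"
}

# Succeed only if a listing on stdin shows the domain group with RID $2
# mapped to unix group $1 (i.e. "-> $1" rather than "-> -1").
mapping_applied() {
    grep -q "(S-1-5-21-[0-9-]*-$2) -> $1\$"
}

# Typical use on the PDC, after the domadm group exists in /etc/group:
#   smbgroupedit -v | mapping_command domadm 512 | sh
#   smbgroupedit -v | mapping_applied domadm 512 && echo "domadm is Domain Admins"
```

Because mapping_command only prints the command, you can review the SID it found before piping it to sh.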