Diffstat (limited to 'docs/htmldocs/groupmapping.html')
-rw-r--r-- | docs/htmldocs/groupmapping.html | 71 |
1 files changed, 36 insertions, 35 deletions
diff --git a/docs/htmldocs/groupmapping.html b/docs/htmldocs/groupmapping.html index 39fb34ce628..aebddeeb085 100644 --- a/docs/htmldocs/groupmapping.html +++ b/docs/htmldocs/groupmapping.html 
@@ -1,4 +1,5 @@ -<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 12. Mapping MS Windows and Unix Groups</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="passdb.html" title="Chapter 11. Account Information Databases"><link rel="next" href="AccessControls.html" title="Chapter 13. File, Directory and Share Access Controls"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 12. Mapping MS Windows and Unix Groups</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="passdb.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="AccessControls.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="groupmapping"></a>Chapter 12. 
Mapping MS Windows and Unix Groups</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jean François</span> <span class="surname">Micouleau</span></h3></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="groupmapping.html#id2921449">Features and Benefits</a></dt><dt><a href="groupmapping.html#id2921551">Discussion</a></dt><dd><dl><dt><a href="groupmapping.html#id2921742">Example Configuration</a></dt></dl></dd><dt><a href="groupmapping.html#id2921806">Configuration Scripts</a></dt><dd><dl><dt><a href="groupmapping.html#id2921820">Sample smb.conf add group script</a></dt><dt><a href="groupmapping.html#id2921889">Script to configure Group Mapping</a></dt></dl></dd><dt><a href="groupmapping.html#id2921981">Common Errors</a></dt><dd><dl><dt><a href="groupmapping.html#id2921997">Adding Groups Fails</a></dt><dt><a href="groupmapping.html#id2922057">Adding MS Windows Groups to MS Windows Groups Fails</a></dt></dl></dd></dl></div><p> +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 12. 
Mapping MS Windows and Unix Groups</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="passdb.html" title="Chapter 11. Account Information Databases"><link rel="next" href="AccessControls.html" title="Chapter 13. File, Directory and Share Access Controls"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 12. Mapping MS Windows and Unix Groups</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="passdb.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="AccessControls.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="groupmapping"></a>Chapter 12. 
Mapping MS Windows and Unix Groups</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jean François</span> <span class="surname">Micouleau</span></h3></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="groupmapping.html#id2916467">Features and Benefits</a></dt><dt><a href="groupmapping.html#id2916568">Discussion</a></dt><dd><dl><dt><a href="groupmapping.html#id2916756">Example Configuration</a></dt></dl></dd><dt><a href="groupmapping.html#id2916822">Configuration Scripts</a></dt><dd><dl><dt><a href="groupmapping.html#id2916836">Sample smb.conf add group script</a></dt><dt><a href="groupmapping.html#id2916903">Script to configure Group Mapping</a></dt></dl></dd><dt><a href="groupmapping.html#id2916977">Common Errors</a></dt><dd><dl><dt><a href="groupmapping.html#id2916993">Adding Groups Fails</a></dt><dt><a href="groupmapping.html#id2917053">Adding MS Windows Groups to MS Windows Groups Fails</a></dt></dl></dd></dl></div><p> Starting with Samba-3, new group mapping functionality is available to create associations between Windows group SIDs and UNIX groups. 
The <i class="parameter"><tt>groupmap</tt></i> subcommand included with the <span class="application">net</span> tool can be used to manage these associations. @@ -8,7 +9,7 @@ be specified in <tt class="filename">smb.conf</tt>. This parameter was used to give the listed users membership in the <tt class="constant">Domain Admins</tt> Windows group which gave local admin rights on their workstations (in default configurations). - </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2921449"></a>Features and Benefits</h2></div></div><div></div></div><p> + </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2916467"></a>Features and Benefits</h2></div></div><div></div></div><p> Samba allows the administrator to create MS Windows NT4 / 200x group accounts and to arbitrarily associate them with Unix/Linux group accounts. </p><p> @@ -31,7 +32,7 @@ Another work-around is to manually create a Unix/Linux group, then manually create the MS Windows NT4 / 200x group on the Samba server and then use the <b class="command">net groupmap</b> tool to connect the two to each other. - </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2921551"></a>Discussion</h2></div></div><div></div></div><p> + </p></div><div xmlns:ns27="" class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2916568"></a>Discussion</h2></div></div><div></div></div><p> When installing <span class="application">MS Windows NT4 / 200x</span> on a computer, the installation program creates default users and groups, notably the <tt class="constant">Administrators</tt> group, and gives that group privileges necessary privileges to perform essential system tasks. 
@@ -50,19 +51,19 @@ The following steps describe how to make Samba PDC users members of the 'Domain Admins' group? </p><div class="orderedlist"><ol type="1"><li><p> create a unix group (usually in <tt class="filename">/etc/group</tt>), let's call it domadm - </p></li><li><p>add to this group the users that must be Administrators. For example + </p></li><li xmlns:ns25=""><p>add to this group the users that must be Administrators. For example if you want joe, john and mary, your entry in <tt class="filename">/etc/group</tt> will look like: </p><pre class="programlisting"> domadm:x:502:joe,john,mary - </pre><p> - </p></li><li><p> + </pre><ns25:p> + </ns25:p></li><li xmlns:ns26=""><p> Map this domadm group to the "Domain Admins" group by running the command: - </p><p> - </p><pre class="screen"> + </p><ns26:p> + </ns26:p><pre class="screen"> <tt class="prompt">root# </tt><b class="userinput"><tt>net groupmap add ntgroup="Domain Admins" unixgroup=domadm</tt></b> - </pre><p> - </p><p> + </pre><ns26:p> + </ns26:p><p> The quotes around "Domain Admins" are necessary due to the space in the group name. Also make sure to leave no whitespace surrounding the equal character (=). </p></li></ol></div><p> 
@@ -72,36 +73,36 @@ making any UNIX group a Windows domain group. For example, if you wanted to include a UNIX group (e.g. acct) in a ACL on a local file or printer on a domain member machine, you would flag that group as a domain group by running the following on the Samba PDC: - </p><p> - </p><pre class="screen"> + </p><ns27:p> + </ns27:p><pre class="screen"> <tt class="prompt">root# </tt><b class="userinput"><tt>net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct</tt></b> - </pre><p> - </p><p> + </pre><ns27:p> + </ns27:p><p> Be aware that the RID parameter is a unsigned 32 bit integer that should normally start at 1000. However, this rid must not overlap with any RID assigned to a user. Verifying this is done differently depending on on the passdb backend you are using. Future versions of the tools may perform the verification automatically, but for now the burden is on you. - </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921742"></a>Example Configuration</h3></div></div><div></div></div><p> + </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2916756"></a>Example Configuration</h3></div></div><div></div></div><p> You can list the various groups in the mapping database by executing <b class="command">net groupmap list</b>. Here is an example: - </p><p> - </p><pre class="screen"> + </p><ns27:p> + </ns27:p><pre class="screen"> <tt class="prompt">root# </tt> <b class="userinput"><tt>net groupmap list</tt></b> System Administrators (S-1-5-21-2547222302-1596225915-2414751004-1002) -> sysadmin Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest - </pre><p> - </p><p> + </pre><ns27:p> + </ns27:p><p> For complete details on <b class="command">net groupmap</b>, refer to the net(8) man page. 
- </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2921806"></a>Configuration Scripts</h2></div></div><div></div></div><p> + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2916822"></a>Configuration Scripts</h2></div></div><div></div></div><p> Everyone needs tools. Some of us like to create our own, others prefer to use canned tools (ie: prepared by someone else for general use). - </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921820"></a>Sample <tt class="filename">smb.conf</tt> add group script</h3></div></div><div></div></div><p> + </p><div xmlns:ns28="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2916836"></a>Sample <tt class="filename">smb.conf</tt> add group script</h3></div></div><div></div></div><p> A script to great complying group names for use by the Samba group interfaces: - </p><p> -</p><div class="example"><a name="id2921843"></a><p class="title"><b>Example 12.1. smbgrpadd.sh</b></p><pre class="programlisting"> + </p><ns28:p> +</ns28:p><div class="example"><a name="id2916858"></a><p class="title"><b>Example 12.1. smbgrpadd.sh</b></p><pre class="programlisting"> #!/bin/bash 
@@ -117,17 +118,17 @@ cat /etc/group.bak | sed s/smbtmpgrp00/$1/g > /etc/group # Now return the GID as would normally happen. echo $thegid exit 0 -</pre></div><p> -</p><p> +</pre></div><ns28:p> +</ns28:p><ns28:p> The <tt class="filename">smb.conf</tt> entry for the above script would look like: - </p><pre class="programlisting"> + </ns28:p><pre class="programlisting"> add group script = /path_to_tool/smbgrpadd.sh %g - </pre><p> - </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921889"></a>Script to configure Group Mapping</h3></div></div><div></div></div><p> + </pre><ns28:p> + </ns28:p></div><div xmlns:ns29="" class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2916903"></a>Script to configure Group Mapping</h3></div></div><div></div></div><p> In our example we have created a Unix/Linux group called <i class="parameter"><tt>ntadmin</tt></i>. Our script will create the additional groups <i class="parameter"><tt>Engineers, Marketoids, Gnomes</tt></i>: - </p><p> -</p><pre class="programlisting"> + </p><ns29:p> +</ns29:p><pre class="programlisting"> #!/bin/bash net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmin 
@@ -150,16 +151,16 @@ net groupmap modify ntgroup="Power Users" unixgroup=sys #net groupmap add ntgroup="Engineers" unixgroup=Engineers type=d #net groupmap add ntgroup="Marketoids" unixgroup=Marketoids type=d #net groupmap add ntgroup="Gnomes" unixgroup=Gnomes type=d -</pre><p> -</p><p> +</pre><ns29:p> +</ns29:p><p> Of course it is expected that the administrator will modify this to suit local needs. For information regarding the use of the <b class="command">net groupmap</b> tool please refer to the man page. - </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2921981"></a>Common Errors</h2></div></div><div></div></div><p> + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2916977"></a>Common Errors</h2></div></div><div></div></div><p> At this time there are many little surprises for the unwary administrator. In a real sense it is imperative that every step of automated control scripts must be carefully tested manually before putting them into active service. -</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921997"></a>Adding Groups Fails</h3></div></div><div></div></div><p> +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2916993"></a>Adding Groups Fails</h3></div></div><div></div></div><p> This is a common problem when the <b class="command">groupadd</b> is called directly by the Samba interface script for the <i class="parameter"><tt>add group script</tt></i> in the <tt class="filename">smb.conf</tt> file. 
@@ -173,6 +174,6 @@ manually before putting them into active service. third option is to manually create a Unix/Linux group account that can substitute for the MS Windows group name, then use the procedure listed above to map that group to the MS Windows group. - </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922057"></a>Adding MS Windows Groups to MS Windows Groups Fails</h3></div></div><div></div></div><p> + </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2917053"></a>Adding MS Windows Groups to MS Windows Groups Fails</h3></div></div><div></div></div><p> Samba-3 does NOT support nested groups from the MS Windows control environment. </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="passdb.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="AccessControls.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 11. Account Information Databases </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 13. File, Directory and Share Access Controls</td></tr></table></div></body></html> |
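
Review bot: In the first hunk (-1,4 +1,5) every table-of-contents anchor is renumbered, for example `#id2921449` becomes `#id2916467`, and the same id churn is the only change in the last hunk (-173,6 +174,6) and in most heading lines in between. These ids are generated on each stylesheet run, so every regeneration breaks existing deep links into the chapter and buries real changes in a 36/35-line diff. Suggest giving the sections explicit ids in the DocBook source so the anchors stay stable.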
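
Review bot: In the hunk at -50,19 +51,19 the empty `<p></p>` pairs after the `/etc/group` listing and around the `net groupmap add` screen are replaced by `<ns25:p>` / `<ns26:p>` elements, and `<li>` gains `xmlns:ns25=""` / `xmlns:ns26=""`. None of that is valid under the HTML 4.01 Transitional DOCTYPE that the first hunk adds, and the same pattern repeats with ns27 to ns29 in the later hunks. This looks like a namespace leak from the stylesheet run rather than an intended change; suggest fixing the source or the XSL invocation so the output is plain `<p>` and regenerating before this is committed. While the source is open, the context sentence "The following steps describe how to make Samba PDC users members of the 'Domain Admins' group?" should end in a colon, not a question mark.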
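
Review bot: In the hunk at -72,36 +73,36 the RID paragraph says the value passed as `rid=1000` must not overlap with any RID assigned to a user and that "the burden is on you", but gives no way to check for any passdb backend. Since a colliding RID would tie a group SID to an existing account, suggest adding at least one backend-specific verification step or a pointer to the passdb chapter. The same hunk carries typos worth fixing in the DocBook source: "a unsigned 32 bit integer", "depending on on the passdb backend", and "A script to great complying group names" (presumably "create").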
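
Review bot: In the hunk at -117,17 +118,17 the sentence "The smb.conf entry for the above script would look like:" is now wrapped in `<ns28:p>` instead of `<p>`, so visible text ends up inside an element the browser does not know and loses its paragraph formatting; this one is not just an empty spacer and should be fixed before commit. Separately, the context line `cat /etc/group.bak | sed s/smbtmpgrp00/$1/g > /etc/group` expands an unquoted `$1` inside the sed expression while rewriting `/etc/group` in place, and `$1` is the `%g` value from `add group script = /path_to_tool/smbgrpadd.sh %g`. As this sample is being republished, suggest the source version quote the argument, reject names containing `/`, `:` or whitespace, and write to a temporary file that is then moved into place.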