</para>
<para>
- In order to make available to the Windows environment Samba has a facility by which UNIX groups can
+ In order to make available to the Windows environment, Samba has a facility by which UNIX groups can
be mapped to a logical entity, called a Windows (or domain) group. Samba supports two types of Windows
groups, local and global. Global groups can contain as members, global users. This membership is
affected in the normal UNIX manner, but adding UNIX users to UNIX groups. Windows user accounts consist
Domain Computers
Engineers
</screen>
+ </para>
+
+<?latex \newpage ?>
+ <para>
A Windows group account called <quote>SupportEngrs</quote> can be added by executing the following
command:
<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>group add</tertiary></indexterm>
hosting a Samba server, are implemented using a UID/GID identity tuple. Samba does not in any way override
or replace UNIX file system semantics. Thus it is necessary that all Windows networking operations that
access the file system provide a mechanism that maps a Windows user to a particular UNIX/Linux group
- account. The user account must also map to a locally known UID.
+ account. The user account must also map to a locally known UID. Note that the <command>net</command>
+ command does not call any RPC-functions here but directly accesses the passdb.
</para>
<para>
and <constant>delete</constant>. An example of each operation is shown here.
</para>
+ <note><para>
+ Commencing with Samba-3.0.23 Windows Domain Groups must be explicitly created. By default, all
+ UNIX groups are exposed to Windows networking as Windows local groups.
+ </para></note>
+
<para>
An existing UNIX group may be mapped to an existing Windows group by this example:
<screen>
<screen>
&rootprompt; net groupmap add ntgroup=Pixies unixgroup=pixies type=l
</screen>
- Supported mapping types are 'd' (domain global) and 'l' (domain local), a domain local group is Samba is
- treated as local to the individual Samba serverr. Local groups can be used with Samba to enable multiple
+ Supported mapping types are 'd' (domain global) and 'l' (domain local), a domain local group in Samba is
+ treated as local to the individual Samba server. Local groups can be used with Samba to enable multiple
nested group support.
</para>
<note><para>
This command is not documented in the man pages; it is implemented in the source code, but it does not
- work. The example given documents (from the source code) how it should work. Watch the release notes
- of a future release to see when this may have been fixed.
+ work at this time. The example given documents, from the source code, how it should work. Watch the
+ release notes of a future release to see when this may have been fixed.
</para></note>
<para>
<screen>
#!/bin/bash
-/usr/bin/net rpc group addmem "Power Users" "DOMAIN_NAME\$1" -UAdministrator%secret -S $2
+/usr/bin/net rpc group addmem "Power Users" "DOMAIN_NAME\$1" \
+ -UAdministrator%secret -S $2
exit 0
</screen>
</example>
<step><para>
- Ensure that every Windows workstation Adminsitrator account has the same password that you
+ Ensure that every Windows workstation Administrator account has the same password that you
have used in the script shown in <link linkend="magicnetlogon">the Netlogon Example smb.conf
file</link>
</para></step>
</procedure>
<para>
- This script will be executed every time a user logs onto the network. Therefore every user will
+ This script will be executed every time a user logs on to the network. Therefore every user will
have local Windows workstation management rights. This could of course be assigned using a group,
in which case there is little justification for the use of this procedure. The key justification
for the use of this method is that it will guarantee that all users have appropriate rights on
</screen>
</para>
+ <para>
+ It is also possible to rename user accounts:
+<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>user rename</tertiary></indexterm>oldusername newusername
+ Note that this operation does not yet work against Samba Servers. It is, however, possible to rename useraccounts on
+ Windows Servers.
+
+ </para>
+
</sect2>
<sect2>
<para>
The net command looks in the &smb.conf; file to obtain its own configuration settings. Thus, the following
- command 'know' which domain to join from the &smb.conf; file.
+ command 'knows' which domain to join from the &smb.conf; file.
</para>
<para>
The target machine may be local or remote and is specified by the -S option. It must be noted
that the addition and deletion of shares using this tool depends on the availability of a suitable
interface script. The interface scripts Sambas <command>smbd</command> uses are called
- <smbconfoption name="add share script"/> and <smbconfoption name="delete share script"/>.
- A set of example scripts are provided in the Samba source code tarball in the directory
- <filename>~samba/examples/scripts</filename>.
+ <smbconfoption name="add share command"/>, <smbconfoption name="delete share command"/> and
+ <smbconfoption name="change share command"/> A set of example scripts are provided in the Samba source
+ code tarball in the directory <filename>~samba/examples/scripts</filename>.
</para>
<para>
<para>
The <command>net rpc share</command> command may be used to migrate shares, directories,
- files, printers, and all relevant data from a Windows server to a Samba server.
+ files, and all relevant data from a Windows server to a Samba server.
</para>
<para>
server is called MESSER, the source Windows NT4 server is called PEPPY, and the target Samba
server is called GONZALES, the machine MESSER can be used to effect the migration of all data
(files and shares) from PEPPY to GONZALES. If the target machine is not specified, the local
- server is assumed by default.
+ server is assumed by default - as net's general rule of thumb .
</para>
<para>
<para>
Transfer of files from one server to another has always been a challenge for MS Windows
- administrators because Windows NT and 200X servers do not include the tools needed. The
- <command>xcopy</command> is not capable of preserving file and directory ACLs. Microsoft does provide a
+ administrators because Windows NT and 200X servers do not always include the tools needed. The
+ <command>xcopy</command> from Windows NT is not capable of preserving file and directory ACLs,
+ it does so only with Windows 200x. Microsoft does provide a
utility that can copy ACLs (security settings) called <command>scopy</command>, but it is provided only
as part of the Windows NT or 200X Server Resource Kit.
</para>
</para>
</sect3>
+
+ <sect3>
+ <title>Share-ACL Migration</title>
+ <para>
+ It is possible to have share-ACLs (security descriptors) that won't allow you, even as Administrator, to
+ copy any files or directories into it. Therefor the migration of the share-ACLs has been put into a separate
+ function:
+<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>share migrate security</tertiary></indexterm>
+<screen>
+&rootprompt; net rpc share migrate security -S nt4box -U administrator%secret
+</screen>
+ </para>
+
+ <para>
+ This command will only copy the share-ACL of each share on nt4box to your local samba-system.
+ </para>
+ </sect3>
<sect3>
<title>Simultaneous Share and File Migration</title>
<para>
- The operating mode shown here is just a combination of the previous two. It first migrates
- share definitions and then all shared files and directories:
+ The operating mode shown here is just a combination of the previous three. It first migrates
+ share definitions and then all shared files and directories and finally migrates the share-ACLs:
<screen>
net rpc share MIGRATE ALL <share-name> -S <source>
[--exclude=share1, share2] [--acls] [--attrs] [--timestamps] [-v]
<para>
The installation of a new server, as with the migration to a new network environment, often is similar to
building a house; progress is very rapid from the laying of foundations up to the stage at which
- the the house can be locked up, but the finishing off appears to take longer and longer as building
+ the house can be locked up, but the finishing off appears to take longer and longer as building
approaches completion.
</para>
</sect1>
+ <sect1>
+ <title>Managing IDMAP UID/SID Mappings</title>
+
+ <para>
+ The IDMAP UID to SID, and SID to UID, mappings that are created by <command>winbindd</command> can be
+ backed up to a text file. The text file can be manually edited, although it is highly recommended that
+ you attempt this only if you know precisely what you are doing.
+ </para>
+
+ <para>
+ An IDMAP text dump file can be restored (or reloaded). There are two situations that may necessitate
+ this action: a) The existing IDMAP file is corrupt, b) It is necessary to install an editted version
+ of the mapping information.
+ </para>
+
+ <para>
+ Winbind must be shut down to dump the IDMAP file. Before restoring a dump file, shut down
+ <command>winbindd</command> and delete the old <filename>winbindd_idmap.tdb</filename> file.
+ </para>
+
+ <sect2>
+ <title>Creating an IDMAP Database Dump File</title>
+
+ <para>
+ The IDMAP database can be dumped to a text file as shown here:
+<screen>
+net idmap dump <full_path_and_tdb_filename> > dumpfile.txt
+</screen>
+ Where a particular build of Samba the run-time tdb files are stored in the
+ <filename>/var/lib/samba</filename> directory the following commands to create the dump file will suffice:
+<screen>
+net idmap dump /var/lib/samba/winbindd_idmap.tdb > idmap_dump.txt
+</screen>
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Restoring the IDMAP Database Dump File</title>
+
+ <para>
+ The IDMAP dump file can be restored using the following command:
+<screen>
+net idmap restore <full_path_and_tdb_filename> < dumpfile.txt
+</screen>
+ Where the Samba run-time tdb files are stored in the <filename>/var/lib/samba</filename> directory
+ the following command can be used to restore the data to the tdb file:
+<screen>
+net idmap restore /var/lib/samba/winbindd_idmap.tdb < idmap_dump.txt
+</screen>
+ </para>
+
+ </sect2>
+
+ </sect1>
+
<sect1 id="netmisc1">
<title>Other Miscellaneous Operations</title>
git.samba.org / import / samba-docs-svnimport.git / blobdiff