-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 12. Configuring Group Mapping</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.59.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="unix-permissions.html" title="Chapter 11. UNIX Permission Bits and Windows NT Access Control Lists"><link rel="next" href="printing.html" title="Chapter 13. Printing Support"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 12. Configuring Group Mapping</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="unix-permissions.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="printing.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><h2 class="title"><a name="groupmapping"></a>Chapter 12. Configuring Group Mapping</h2></div><div><div class="author"><h3 class="author">Jean François Micouleau</h3></div></div><div><div class="author"><h3 class="author">Gerald (Jerry) Carter</h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></tt></p></div></div></div></div></div><p>
-Starting with Samba 3.0 alpha 2, new group mapping functionality
-is available to create associations between Windows SIDs and UNIX
-groups. The <i><tt>groupmap</tt></i> subcommand included with
-the <b>net</b> tool can be used to manage these associations.
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 12. Mapping MS Windows and Unix Groups</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="passdb.html" title="Chapter 11. Account Information Databases"><link rel="next" href="AccessControls.html" title="Chapter 13. File, Directory and Share Access Controls"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 12. Mapping MS Windows and Unix Groups</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="passdb.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="AccessControls.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="groupmapping"></a>Chapter 12. Mapping MS Windows and Unix Groups</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jean François</span> <span class="surname">Micouleau</span></h3></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="groupmapping.html#id2921449">Features and Benefits</a></dt><dt><a href="groupmapping.html#id2921551">Discussion</a></dt><dd><dl><dt><a href="groupmapping.html#id2921742">Example Configuration</a></dt></dl></dd><dt><a href="groupmapping.html#id2921806">Configuration Scripts</a></dt><dd><dl><dt><a href="groupmapping.html#id2921820">Sample smb.conf add group script</a></dt><dt><a href="groupmapping.html#id2921889">Script to configure Group Mapping</a></dt></dl></dd><dt><a href="groupmapping.html#id2921981">Common Errors</a></dt><dd><dl><dt><a href="groupmapping.html#id2921997">Adding Groups Fails</a></dt><dt><a href="groupmapping.html#id2922057">Adding MS Windows Groups to MS Windows Groups Fails</a></dt></dl></dd></dl></div><p>
+ Starting with Samba-3, new group mapping functionality is available to create associations
+ between Windows group SIDs and UNIX groups. The <i class="parameter"><tt>groupmap</tt></i> subcommand
+ included with the <span class="application">net</span> tool can be used to manage these associations.
+ </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+ The first immediate reason to use the group mapping on a Samba PDC, is that
+ the <i class="parameter"><tt>domain admin group</tt></i> has been removed and should no longer
+ be specified in <tt class="filename">smb.conf</tt>. This parameter was used to give the listed users membership
+ in the <tt class="constant">Domain Admins</tt> Windows group which gave local admin rights on their workstations
+ (in default configurations).
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2921449"></a>Features and Benefits</h2></div></div><div></div></div><p>
+ Samba allows the administrator to create MS Windows NT4 / 200x group accounts and to
+ arbitrarily associate them with Unix/Linux group accounts.
+ </p><p>
+ Group accounts can be managed using the MS Windows NT4 or MS Windows 200x MMC tools
+ so long as appropriate interface scripts have been provided to <tt class="filename">smb.conf</tt>.
+ </p><p>
+ Administrators should be aware that where <tt class="filename">smb.conf</tt> group interface scripts make
+ direct calls to the Unix/Linux system tools (eg: the shadow utilities, <b class="command">groupadd</b>,
+ <b class="command">groupdel</b>, <b class="command">groupmod</b>) then the resulting Unix/Linux group names will be subject
+ to any limits imposed by these tools. If the tool does NOT allow upper case characters
+ or space characters, then the creation of an MS Windows NT4 / 200x style group of
+ <i class="parameter"><tt>Engineering Managers</tt></i> will attempt to create an identically named
+ Unix/Linux group, an attempt that will of course fail!
+ </p><p>
+ There are several possible work-arounds for the operating system tools limitation. One
+ method is to use a script that generates a name for the Unix/Linux system group that
+ fits the operating system limits, and that then just passes the Unix/Linux group id (GID)
+ back to the calling Samba interface. This will provide a dynamic work-around solution.
+ </p><p>
+ Another work-around is to manually create a Unix/Linux group, then manually create the
+ MS Windows NT4 / 200x group on the Samba server and then use the <b class="command">net groupmap</b>
+ tool to connect the two to each other.
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2921551"></a>Discussion</h2></div></div><div></div></div><p>
+ When installing <span class="application">MS Windows NT4 / 200x</span> on a computer, the installation
+ program creates default users and groups, notably the <tt class="constant">Administrators</tt> group,
+ and gives that group privileges necessary privileges to perform essential system tasks.
+ eg: Ability to change the date and time or to kill (or close) any process running on the
+ local machine.
+ </p><p>
+ The 'Administrator' user is a member of the 'Administrators' group, and thus inherits
+ 'Administrators' group privileges. If a 'joe' user is created to be a member of the
+ 'Administrator' group, 'joe' has exactly the same rights as 'Administrator'.
+ </p><p>
+ When an MS Windows NT4 / W200x is made a domain member, the "Domain Admins" group of the
+ PDC is added to the local 'Administrators' group of the workstation. Every member of the
+ 'Domain Administrators' group inherits the rights of the local 'Administrators' group when
+ logging on the workstation.
+ </p><p>
+ The following steps describe how to make Samba PDC users members of the 'Domain Admins' group?
+ </p><div class="orderedlist"><ol type="1"><li><p>
+ create a unix group (usually in <tt class="filename">/etc/group</tt>), let's call it domadm
+ </p></li><li><p>add to this group the users that must be Administrators. For example
+ if you want joe, john and mary, your entry in <tt class="filename">/etc/group</tt> will
+ look like:
+ </p><pre class="programlisting">
+ domadm:x:502:joe,john,mary
+ </pre><p>
+ </p></li><li><p>
+ Map this domadm group to the "Domain Admins" group by running the command:
+ </p><p>
+ </p><pre class="screen">
+ <tt class="prompt">root# </tt><b class="userinput"><tt>net groupmap add ntgroup="Domain Admins" unixgroup=domadm</tt></b>
+ </pre><p>
+ </p><p>
+ The quotes around "Domain Admins" are necessary due to the space in the group name.
+ Also make sure to leave no whitespace surrounding the equal character (=).
+ </p></li></ol></div><p>
+ Now joe, john and mary are domain administrators!
+ </p><p>
+ It is possible to map any arbitrary UNIX group to any Windows NT4 / 200x group as well as
+ making any UNIX group a Windows domain group. For example, if you wanted to include a
+ UNIX group (e.g. acct) in a ACL on a local file or printer on a domain member machine,
+ you would flag that group as a domain group by running the following on the Samba PDC:
+ </p><p>
+ </p><pre class="screen">
+ <tt class="prompt">root# </tt><b class="userinput"><tt>net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct</tt></b>
+ </pre><p>
+ </p><p>
+ Be aware that the RID parameter is a unsigned 32 bit integer that should
+ normally start at 1000. However, this rid must not overlap with any RID assigned
+ to a user. Verifying this is done differently depending on on the passdb backend
+ you are using. Future versions of the tools may perform the verification automatically,
+ but for now the burden is on you.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921742"></a>Example Configuration</h3></div></div><div></div></div><p>
+ You can list the various groups in the mapping database by executing
+ <b class="command">net groupmap list</b>. Here is an example:
+ </p><p>
+ </p><pre class="screen">
+ <tt class="prompt">root# </tt> <b class="userinput"><tt>net groupmap list</tt></b>
+ System Administrators (S-1-5-21-2547222302-1596225915-2414751004-1002) -> sysadmin
+ Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin
+ Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser
+ Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest
+ </pre><p>
+ </p><p>
+ For complete details on <b class="command">net groupmap</b>, refer to the net(8) man page.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2921806"></a>Configuration Scripts</h2></div></div><div></div></div><p>
+ Everyone needs tools. Some of us like to create our own, others prefer to use canned tools
+ (ie: prepared by someone else for general use).
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921820"></a>Sample <tt class="filename">smb.conf</tt> add group script</h3></div></div><div></div></div><p>
+ A script to great complying group names for use by the Samba group interfaces:
+ </p><p>
+</p><div class="example"><a name="id2921843"></a><p class="title"><b>Example 12.1. smbgrpadd.sh</b></p><pre class="programlisting">
+
+#!/bin/bash
+
+# Add the group using normal system groupadd tool.
+groupadd smbtmpgrp00
+
+thegid=`cat /etc/group | grep smbtmpgrp00 | cut -d ":" -f3`
+
+# Now change the name to what we want for the MS Windows networking end
+cp /etc/group /etc/group.bak
+cat /etc/group.bak | sed s/smbtmpgrp00/$1/g > /etc/group
+
+# Now return the GID as would normally happen.
+echo $thegid
+exit 0
+</pre></div><p>
</p><p>
-The first immediate reason to use the group mapping on a Samba PDC, is that
-the <i><tt>domain admin group</tt></i> <tt>smb.conf</tt> has been removed.
-This parameter was used to give the listed users membership in the "Domain Admins"
-Windows group which gave local admin rights on their workstations (in
-default configurations).
+ The <tt class="filename">smb.conf</tt> entry for the above script would look like:
+ </p><pre class="programlisting">
+ add group script = /path_to_tool/smbgrpadd.sh %g
+ </pre><p>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921889"></a>Script to configure Group Mapping</h3></div></div><div></div></div><p>
+ In our example we have created a Unix/Linux group called <i class="parameter"><tt>ntadmin</tt></i>.
+ Our script will create the additional groups <i class="parameter"><tt>Engineers, Marketoids, Gnomes</tt></i>:
+ </p><p>
+</p><pre class="programlisting">
+#!/bin/bash
+
+net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmin
+net groupmap modify ntgroup="Domain Users" unixgroup=users
+net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
+net groupmap modify ntgroup="Administrators" unixgroup=root
+net groupmap modify ntgroup="Users" unixgroup=users
+net groupmap modify ntgroup="Guests" unixgroup=nobody
+net groupmap modify ntgroup="System Operators" unixgroup=sys
+net groupmap modify ntgroup="Account Operators" unixgroup=root
+net groupmap modify ntgroup="Backup Operators" unixgroup=bin
+net groupmap modify ntgroup="Print Operators" unixgroup=lp
+net groupmap modify ntgroup="Replicators" unixgroup=daemon
+net groupmap modify ntgroup="Power Users" unixgroup=sys
+
+#groupadd Engineers
+#groupadd Marketoids
+#groupadd Gnomes
+
+#net groupmap add ntgroup="Engineers" unixgroup=Engineers type=d
+#net groupmap add ntgroup="Marketoids" unixgroup=Marketoids type=d
+#net groupmap add ntgroup="Gnomes" unixgroup=Gnomes type=d
+</pre><p>
</p><p>
-When installing NT/W2K on a computer, the installer program creates some users
-and groups. Notably the 'Administrators' group, and gives to that group some
-privileges like the ability to change the date and time or to kill any process
-(or close too) running on the local machine. The 'Administrator' user is a
-member of the 'Administrators' group, and thus 'inherit' the 'Administrators'
-group privileges. If a 'joe' user is created and become a member of the
-'Administrator' group, 'joe' has exactly the same rights as 'Administrator'.
-</p><p>
-When a NT/W2K machine is joined to a domain, the "Domain Adminis" group of the
-PDC is added to the local 'Administrators' group of the workstation. Every
-member of the 'Domain Administrators' group 'inherit' the
-rights of the local 'Administrators' group when logging on the workstation.
-</p><p>
-The following steps describe how to make samba PDC users members of the
-'Domain Admins' group?
-</p><div class="orderedlist"><ol type="1"><li><p>create a unix group (usually in <tt>/etc/group</tt>),
- let's call it domadm</p></li><li><p>add to this group the users that must be Administrators. For example
- if you want joe,john and mary, your entry in <tt>/etc/group</tt> will
- look like:</p><pre class="programlisting">
- domadm:x:502:joe,john,mary
- </pre></li><li><p>Map this domadm group to the "Domain Admins" group
- by running the command:</p><p><tt>root# </tt><b><tt>net groupmap add ntgroup="Domain Admins" unixgroup=domadm</tt></b></p><p>The quotes around "Domain Admins" are necessary due to the space in the group name. Also make
- sure to leave no whitespace surrounding the equal character (=).</p></li></ol></div><p>Now joe, john and mary are domain administrators!</p><p>
-It is possible to map any arbitrary UNIX group to any Windows NT
-group as well as making any UNIX group a Windows domain group.
-For example, if you wanted to include a UNIX group (e.g. acct) in a ACL on a
-local file or printer on a domain member machine, you would flag
-that group as a domain group by running the following on the Samba PDC:
-</p><p><tt>root# </tt><b><tt>net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct</tt></b></p><p>Be aware that the rid parmeter is a unsigned 32 bit integer that should
-normally start at 1000. However, this rid must not overlap with any RID assigned
-to a user. Verifying this is done differently depending on on the passdb backend
-you are using. Future versions of the tools may perform the verification automatically,
-but for now the burden in on you.</p><p>You can list the various groups in the mapping database by executing
-<b>net groupmap list</b>. Here is an example:</p><pre class="programlisting"><tt>root# </tt>net groupmap list
-System Administrators (S-1-5-21-2547222302-1596225915-2414751004-1002) -> sysadmin
-Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin
-Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser
-Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest
-</pre><p>For complete details on <b>net groupmap</b>, refer to the
-net(8) man page.</p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="unix-permissions.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="printing.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 11. UNIX Permission Bits and Windows NT Access Control Lists </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 13. Printing Support</td></tr></table></div></body></html>
+ Of course it is expected that the administrator will modify this to suit local needs.
+ For information regarding the use of the <b class="command">net groupmap</b> tool please
+ refer to the man page.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2921981"></a>Common Errors</h2></div></div><div></div></div><p>
+At this time there are many little surprises for the unwary administrator. In a real sense
+it is imperative that every step of automated control scripts must be carefully tested
+manually before putting them into active service.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2921997"></a>Adding Groups Fails</h3></div></div><div></div></div><p>
+ This is a common problem when the <b class="command">groupadd</b> is called directly
+ by the Samba interface script for the <i class="parameter"><tt>add group script</tt></i> in
+ the <tt class="filename">smb.conf</tt> file.
+ </p><p>
+ The most common cause of failure is an attempt to add an MS Windows group account
+ that has either an upper case character and/or a space character in it.
+ </p><p>
+ There are three possible work-arounds. Firstly, use only group names that comply
+ with the limitations of the Unix/Linux <b class="command">groupadd</b> system tool.
+ The second involves use of the script mentioned earlier in this chapter, and the
+ third option is to manually create a Unix/Linux group account that can substitute
+ for the MS Windows group name, then use the procedure listed above to map that group
+ to the MS Windows group.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2922057"></a>Adding MS Windows Groups to MS Windows Groups Fails</h3></div></div><div></div></div><p>
+ Samba-3 does NOT support nested groups from the MS Windows control environment.
+ </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="passdb.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="AccessControls.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 11. Account Information Databases </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 13. File, Directory and Share Access Controls</td></tr></table></div></body></html>
git.samba.org / abartlet / samba.git / .git / blobdiff