2025-01-14 19:24:43 +03:00 · 2005-06-22 04:47:55 +00:00 · 2005-06-22 04:47:55 +00:00 · d943f4384b
commit d943f4384b
parent 7dac3aa65d
6 changed files with 152 additions and 36 deletions
--- a/docs/Samba3-HOWTO/TOSHARG-Group-Mapping.xml
+++ b/docs/Samba3-HOWTO/TOSHARG-Group-Mapping.xml
@ -13,12 +13,19 @@

 	<para>
 <indexterm significance="preferred"><primary>groups</primary><secondary>mapping</secondary></indexterm>
+<indexterm><primary>SID</primary></indexterm>
+<indexterm><primary>associations</primary></indexterm>
+<indexterm><primary>UNIX groups</primary></indexterm>
+<indexterm><primary>groupmap</primary></indexterm>
+<indexterm><primary>net</primary></indexterm>
 	Starting with Samba-3, new group mapping functionality is available to create associations
 	between Windows group SIDs and UNIX groups. The <command>groupmap</command> subcommand
 	included with the &net; tool can be used to manage these associations.
 	</para>

 	<para>
+<indexterm><primary>group mapping</primary></indexterm>
+<indexterm><primary>domain groups</primary></indexterm>
 	The new facility for mapping NT groups to UNIX system groups allows the administrator to decide
 	which NT domain groups are to be exposed to MS Windows clients. Only those NT groups that map
 	to a UNIX group that has a value other than the default (<constant>-1</constant>) will be exposed
@ -28,6 +35,7 @@
 	<warning>
 	<para>
 	<indexterm><primary>domain admin group</primary></indexterm>
+<indexterm><primary>Windows group</primary></indexterm>
 	The <parameter>domain admin group</parameter> parameter has been removed in Samba-3 and should no longer
 	be specified in &smb.conf;. In Samba-2.2.x, this parameter was used to give the listed users membership in the
 	<constant>Domain Admins</constant> Windows group, which gave local admin rights on their workstations
@ -47,6 +55,10 @@
 	<indexterm><primary>UID</primary></indexterm>
 	<indexterm><primary>GID</primary></indexterm>
 	<indexterm><primary>idmap uid</primary></indexterm>
+<indexterm><primary>MMC</primary></indexterm>
+<indexterm><primary>winbindd</primary></indexterm>
+<indexterm><primary>ID range</primary></indexterm>
+<indexterm><primary>group accounts</primary></indexterm>
 	Group accounts can be managed using the MS Windows NT4 or MS Windows 200x/XP Professional MMC tools.
 	Appropriate interface scripts should be provided in &smb.conf; if it is desired that UNIX/Linux system
 	accounts should be automatically created when these tools are used. In the absence of these scripts, and
@ -68,6 +80,9 @@

 	<para>
 	<indexterm><primary>IDMAP</primary></indexterm>
+<indexterm><primary>SID-to-GID</primary></indexterm>
+<indexterm><primary>net</primary><secondary>groupmap</secondary></indexterm>
+<indexterm><primary>group mappings</primary></indexterm>
 	In both cases, when winbindd is not running, only locally resolvable groups can be recognized. Please refer to
 	<link linkend="idmap-sid2gid">IDMAP: Group SID-to-GID Resolution</link> and <link
 	linkend="idmap-gid2sid">IDMAP: GID Resolution to Matching SID</link>.  The <command>net groupmap</command> is
@ -83,6 +98,8 @@
 	<para>
 	<indexterm><primary>groupadd</primary></indexterm>
 	<indexterm><primary>groupdel</primary></indexterm>
+<indexterm><primary>shadow utilities</primary></indexterm>
+<indexterm><primary>groupmod</primary></indexterm>
 	Administrators should be aware that where &smb.conf; group interface scripts make
 	direct calls to the UNIX/Linux system tools (the shadow utilities, <command>groupadd</command>,
 	<command>groupdel</command>, and <command>groupmod</command>), the resulting UNIX/Linux group names will be subject
@ -102,6 +119,7 @@
 	</para>

 	<para>
+<indexterm><primary>net</primary><secondary>groupmap</secondary></indexterm>
 	Another workaround is to manually create a UNIX/Linux group, then manually create the
 	MS Windows NT4/200x group on the Samba server, and then use the <command>net groupmap</command>
 	tool to connect the two to each other.
@ -113,6 +131,8 @@
 <title>Discussion</title>

 	<para>
+<indexterm><primary>Windows NT4/200x</primary></indexterm>
+<indexterm><primary>group privileges</primary></indexterm>
 	When you install <application>MS Windows NT4/200x</application> on a computer, the installation
 	program creates default users and groups, notably the <constant>Administrators</constant> group,
 	and gives that group privileges necessary to perform essential system tasks,
@ -129,13 +149,19 @@
 	</para>

 	<para>
+<indexterm><primary>domain member</primary></indexterm>
+<indexterm><primary>Domain Admins</primary></indexterm>
+<indexterm><primary>inherits rights</primary></indexterm>
+<indexterm><primary>PDC</primary></indexterm>
 	When an MS Windows NT4/200x/XP machine is made a domain member, the <quote>Domain Admins</quote> group of the
 	PDC is added to the local <constant>Administrators</constant> group of the workstation. Every member of the
-	<constant>Domain Administrators</constant> group inherits the rights of the local <constant>Administrators</constant> group when
+	<constant>Domain Admins</constant> group inherits the rights of the local <constant>Administrators</constant> group when
 	logging on the workstation.
 	</para>

 	<para>
+<indexterm><primary>Domain Admins</primary></indexterm>
+<indexterm><primary>PDC</primary></indexterm>
 	The following steps describe how to make Samba PDC users members of the <constant>Domain Admins</constant> group.
 	</para>

@ -145,6 +171,7 @@
 		</para></listitem>

 		<listitem><para>
+<indexterm><primary>/etc/group</primary></indexterm>
 		Add to this group the users that must be <quote>Administrators</quote>. For example,
 		if you want <constant>joe, john</constant>, and <constant>mary</constant> to be administrators,
 		your entry in <filename>/etc/group</filename> will look like this:
@ -160,10 +187,10 @@
 		</para>

 		<para>
-	<screen>
-	&rootprompt;<userinput>net groupmap add ntgroup="Domain Admins" unixgroup=domadm</userinput>
-	</screen>
-	</para>
+<screen>
+&rootprompt;<userinput>net groupmap add ntgroup="Domain Admins" unixgroup=domadm</userinput>
+</screen>
+		</para>
 		
 		<para>
 		<indexterm><primary>Domain Admins group</primary></indexterm>
@ -188,9 +215,13 @@
 <screen>
 &rootprompt;<userinput>net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct</userinput>
 </screen>
+	The <literal>ntgroup</literal> value must be quotes if it contains space characters to prevent
+	the space from being interpreted as a command delimiter.
 	</para>

 	<para>
+<indexterm><primary>RID</primary></indexterm>
+<indexterm><primary>assigned RID</primary></indexterm>
 	Be aware that the RID parameter is an unsigned 32-bit integer that should
 	normally start at 1000. However, this RID must not overlap with any RID assigned
 	to a user. Verification for this is done differently depending on the passdb backend
@ -202,6 +233,9 @@
 	<title>Warning: User Private Group Problems</title>

 	<para>
+<indexterm><primary>group accounts</primary></indexterm>
+<indexterm><primary>Red Hat Linux</primary></indexterm>
+<indexterm><primary>private groups</primary></indexterm>
 	Windows does not permit user and group accounts to have the same name.
 	This has serious implications for all sites that use private group accounts.
 	A private group account is an administrative practice whereby users are each
@ -210,6 +244,8 @@
 	</para>

 	<para>
+<indexterm><primary>UNIX/Linux group</primary></indexterm>
+<indexterm><primary>Windows group</primary></indexterm>
 	When mapping a UNIX/Linux group to a Windows group account, all conflict can
 	be avoided by assuring that the Windows domain group name does not overlap
 	with any user account name.
@ -223,17 +259,26 @@
 	<indexterm><primary>groups</primary><secondary>nested</secondary></indexterm>

 	<para>
+<indexterm><primary>nested groups</primary></indexterm>
 	This functionality is known as <constant>nested groups</constant> and was first added to
 	Samba-3.0.3.
 	</para>

 	<para>
+<indexterm><primary>nested groups</primary></indexterm>
 	All MS Windows products since the release of Windows NT 3.10 support the use of nested groups.
 	Many Windows network administrators depend on this capability because it greatly simplifies security
 	administration.
 	</para>

 	<para>
+<indexterm><primary>nested group</primary></indexterm>
+<indexterm><primary>group membership</primary></indexterm>
+<indexterm><primary>domain security</primary></indexterm>
+<indexterm><primary>domain member server</primary></indexterm>
+<indexterm><primary>local groups</primary></indexterm>
+<indexterm><primary>domain global groups</primary></indexterm>
+<indexterm><primary>domain global users</primary></indexterm>
 	The nested group architecture was designed with the premise that day-to-day user and group membership
 	management should be performed on the domain security database. The application of group security
 	should be implemented on domain member servers using only local groups. On the domain member server,
@ -242,6 +287,9 @@
 	</para>

 	<para>
+<indexterm><primary>individual domain user</primary></indexterm>
+<indexterm><primary>domain group settings</primary></indexterm>
+<indexterm><primary>Account Unknown</primary></indexterm>
 	You may ask, What are the benefits of this arrangement? The answer is obvious to those who have plumbed
 	the dark depths of Windows networking architecture. Consider for a moment a server on which are stored
 	200,000 files, each with individual domain user and domain group settings. The company that owns the
@ -251,6 +299,10 @@
 	</para>

 	<para>
+<indexterm><primary>directory access control</primary></indexterm>
+<indexterm><primary>local groups</primary></indexterm>
+<indexterm><primary>ACL</primary></indexterm>
+<indexterm><primary>Account Unknown</primary></indexterm>
 	Unraveling the file ownership mess is an unenviable administrative task that can be avoided simply
 	by using local groups to control all file and directory access control. In this case, only the members
 	of the local groups will have been lost. The files and directories in the storage subsystem will still
@ -260,10 +312,17 @@
 	</para>

 	<para>
+<indexterm><primary>nested groups</primary></indexterm>
+<indexterm><primary>administrative privileges</primary></indexterm>
+<indexterm><primary>domain member workstations</primary></indexterm>
+<indexterm><primary>domain member servers</primary></indexterm>
+<indexterm><primary>member machine</primary></indexterm>
+<indexterm><primary>full rights</primary></indexterm>
+<indexterm><primary>Domain Admins</primary></indexterm>
+<indexterm><primary>local administrative privileges</primary></indexterm>
 	Another prominent example of the use of nested groups involves implementation of administrative privileges
 	on domain member workstations and servers. Administrative privileges are given to all members of the
-	built-in
-	local group <constant>Administrators</constant> on each domain member machine. To ensure that all domain
+	built-in local group <constant>Administrators</constant> on each domain member machine. To ensure that all domain
 	administrators have full rights on the member server or workstation, on joining the domain, the
 	<constant>Domain Admins</constant> group is added to the local Administrators group. Thus everyone who is
 	logged into the domain as a member of the Domain Admins group is also granted local administrative
@ -271,6 +330,10 @@
 	</para>

 	<para>
+<indexterm><primary>nested groups</primary></indexterm>
+<indexterm><primary>auxiliary members</primary></indexterm>
+<indexterm><primary>/etc/group</primary></indexterm>
+<indexterm><primary>winbind</primary></indexterm>
 	UNIX/Linux has no concept of support for nested groups, and thus Samba has for a long time not supported
 	them either. The problem is that you would have to enter UNIX groups as auxiliary members of a group in
 	<filename>/etc/group</filename>. This does not work because it was not a design requirement at the time
@ -278,7 +341,13 @@
 	<filename>/etc/group</filename> entries on demand by obtaining user and group information from the domain
 	controller that the Samba server is a member of.
 	</para>
+
 	<para>
+<indexterm><primary>/etc/group</primary></indexterm>
+<indexterm><primary>libnss_winbind</primary></indexterm>
+<indexterm><primary>local groups</primary></indexterm>
+<indexterm><primary>Domain Users</primary></indexterm>
+<indexterm><primary>alias group</primary></indexterm>
 	In effect, Samba supplements the <filename>/etc/group</filename> data via the dynamic
 	<command>libnss_winbind</command> mechanism. Beginning with Samba-3.0.3, this facility is used to provide
 	local groups in the same manner as Windows does it. It works by expanding the local groups on the
@ -290,6 +359,13 @@
 	</para>

 	<para>
+<indexterm><primary>nested groups</primary></indexterm>
+<indexterm><primary>winbindd</primary></indexterm>
+<indexterm><primary>NSS</primary></indexterm>
+<indexterm><primary>winbind</primary></indexterm>
+<indexterm><primary>local groups</primary></indexterm>
+<indexterm><primary>Domain User Manager</primary></indexterm>
+<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>group</tertiary></indexterm>
 	To enable the use of nested groups, <command>winbindd</command> must be used with NSS winbind.
 	Creation and administration of the local groups is done best via the Windows Domain User Manager or its
 	Samba equivalent, the utility <command>net rpc group</command>. Creating the local group
@ -297,21 +373,27 @@
 	<screen>
 	&rootprompt; net rpc group add demo -L -Uroot%not24get
 	</screen>
+<indexterm><primary>addmem</primary></indexterm>
+<indexterm><primary>delmem</primary></indexterm>
 	Here the -L switch means that you want to create a local group. It may be necessary to add -S and -U
 	switches for accessing the correct host with appropriate user or root privileges. Adding and removing
-	group
-	members can be done via the <constant>addmem</constant> and <constant>delmem</constant> subcommands of
+	group members can be done via the <constant>addmem</constant> and <constant>delmem</constant> subcommands of
 	<command>net rpc group</command> command. For example, addition of <quote>DOM\Domain Users</quote> to the
-	local
-	group <constant>demo</constant> is done by executing:
+	local group <constant>demo</constant> is done by executing:
 	<screen>
 	net rpc group addmem demo "DOM\Domain Users"
 	</screen>
+<indexterm><primary>getent group demo</primary></indexterm>
+<indexterm><primary>trusted domain</primary></indexterm>
+<indexterm><primary>foreign domain</primary></indexterm>
+<indexterm><primary>local access permissions</primary></indexterm>
 	Having completed these two steps, the execution of <command>getent group demo</command> will show demo
 	members of the global <constant>Domain Users</constant> group as members of  the group
 	<constant>demo</constant>.  This also works with any local or domain user. In case the domain DOM trusts
 	another domain, it is also possible to add global users and groups of the trusted domain as members of
-	<constant>demo</constant>.
+	<constant>demo</constant>. The users from the foreign domain who are members of the group that has been
+	added to the <constant>demo</constant> group now have the same local access permissions as local domain
+	users have. 
 	</para>

 	</sect2>
@ -324,25 +406,32 @@
 	</para>

 	<orderedlist>
-		<listitem><para>For Samba-3 domain controllers and 
-				domain member servers/clients.</para></listitem>
+		<listitem><para>For Samba-3 domain controllers and domain member servers/clients.</para></listitem>
 		<listitem><para>To manage domain member Windows workstations.</para></listitem>
 	</orderedlist>

 	<para>
+<indexterm><primary>rights and privileges</primary></indexterm>
+<indexterm><primary>domain member client</primary></indexterm>
+<indexterm><primary>group account</primary></indexterm>
 	Versions of Samba up to and including 3.0.10 do not provide a means for assigning rights and privileges
-	that are necessary for system administration tasks from a Windows domain Member client machine, so
+	that are necessary for system administration tasks from a Windows domain member client machine, so
 	domain administration tasks such as adding, deleting, and changing user and group account information, and
 	managing workstation domain membership accounts, can be handled by any account other than root.
 	</para>

 	<para>
+<indexterm><primary>privilege management</primary></indexterm>
+<indexterm><primary>delegated</primary></indexterm>
+<indexterm><primary>Administrator</primary></indexterm>
 	Samba-3.0.11 introduced a new privilege management interface (see <link linkend="rights">User Rights and Privileges</link>)
 	that permits these tasks to be delegated to non-root (i.e., accounts other than the equivalent of the
 	MS Windows Administrator) accounts.
 	</para>

 	<para>
+<indexterm><primary>mapped</primary></indexterm>
+<indexterm><primary>Domain Admins</primary></indexterm>
 	Administrative tasks on a Windows domain member workstation can be done by anyone who is a member of the
 	<constant>Domain Admins</constant> group. This group can be mapped to any convenient UNIX group.
 	</para>
@ -351,18 +440,27 @@
 	<title>Applicable Only to Versions Earlier than 3.0.11</title>

 	<para>
+<indexterm><primary>privilege</primary></indexterm>
 	Administrative tasks on UNIX/Linux systems, such as adding users or groups, requires
 	<constant>root</constant>-level privilege. The addition of a Windows client to a Samba domain involves the
 	addition of a user account for the Windows client.
 	</para>

 	<para>
+<indexterm><primary>system security</primary></indexterm>
+<indexterm><primary>privileges</primary></indexterm>
 	Many UNIX administrators continue to request that the Samba Team make it possible to add Windows workstations, or 
 	the ability to add, delete, or modify user accounts, without requiring <constant>root</constant> privileges. 
 	Such a request violates every understanding of basic UNIX system security.
 	</para>

 	<para>
+<indexterm><primary>privileges</primary></indexterm>
+<indexterm><primary>/etc/passwd</primary></indexterm>
+<indexterm><primary>Domain Server Manager</primary></indexterm>
+<indexterm><primary>Domain User Manager</primary></indexterm>
+<indexterm><primary>manage share-level ACL</primary></indexterm>
+<indexterm><primary>share-level ACLs</primary></indexterm>
 	There is no safe way to provide access on a UNIX/Linux system without providing
 	<constant>root</constant>-level privilege. Provision of <constant>root</constant> privileges can be done
 	either by logging onto the Domain as the user <constant>root</constant> or by permitting particular users to
@ -382,6 +480,12 @@
 	<para>
 	<indexterm><primary>Relative Identifier</primary><see>RID</see></indexterm>
 	<indexterm><primary>RID</primary></indexterm>
+<indexterm><primary>Windows NT4/200x/XP</primary></indexterm>
+<indexterm><primary>well-known RID</primary></indexterm>
+<indexterm><primary>domain groups</primary></indexterm>
+<indexterm><primary>tdbsam</primary></indexterm>
+<indexterm><primary>LDAP</primary></indexterm>
+<indexterm><primary>NT groups</primary></indexterm>
 	When first installed, Windows NT4/200x/XP are preconfigured with certain user, group, and
 	alias entities. Each has a well-known RID. These must be preserved for continued
 	integrity of operation. Samba must be provisioned with certain essential domain groups that require
@ -391,16 +495,27 @@
 	</para>

 	<para>
+<indexterm><primary>default users</primary></indexterm>
+<indexterm><primary>default groups</primary></indexterm>
+<indexterm><primary>default aliases</primary></indexterm>
+<indexterm><primary>RID</primary></indexterm>
 	Each essential domain group must be assigned its respective well-known RID. The default users, groups,
 	aliases, and RIDs are shown in <link linkend="WKURIDS">Well-Known User Default RIDs</link>.
 	</para>

 	<note><para>
+<indexterm><primary>passdb backend</primary></indexterm>
+<indexterm><primary>LDAP</primary></indexterm>
+<indexterm><primary>ldapsam</primary></indexterm>
+<indexterm><primary>domain groups</primary></indexterm>
+<indexterm><primary>RID</primary></indexterm>
 	When the <parameter>passdb backend</parameter> uses LDAP (<constant>ldapsam</constant>), it is the
 	administrator's responsibility to create the essential domain groups and to assign each its default RID.
 	</para></note>

 	<para>
+<indexterm><primary>domain groups</primary></indexterm>
+<indexterm><primary>RID</primary></indexterm>
 	It is permissible to create any domain group that may be necessary; just make certain that the essential
 	domain groups (well known) have been created and assigned their default RIDs. Other groups you create may
 	be assigned any arbitrary RID you care to use.
@ -571,13 +686,13 @@
 	<title>Example Configuration</title>

 		<para>
+<indexterm><primary>net</primary><secondary>groupmap</secondary><tertiary>list</tertiary></indexterm>
 		You can list the various groups in the mapping database by executing
 		<command>net groupmap list</command>. Here is an example:
 		</para>

-<indexterm><primary>net</primary><secondary>groupmap</secondary></indexterm>
-
 		<para>
+<indexterm><primary>net</primary><secondary>groupmap</secondary></indexterm>
 <screen>
 &rootprompt; <userinput>net groupmap list</userinput>
 Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin
@ -608,20 +723,18 @@ Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest
 		<para>
 		<indexterm><primary>smbgrpadd.sh</primary></indexterm>
 		<indexterm><primary>groupadd limitations</primary></indexterm>
+		<indexterm><primary>smbgrpadd.sh</primary></indexterm>
+<indexterm><primary>/etc/group</primary></indexterm>
+<indexterm><primary>groupadd</primary></indexterm>
 		A script to create complying group names for use by the Samba group interfaces
 		is provided in <link linkend="smbgrpadd.sh">smbgrpadd.sh</link>. This script
 		adds a temporary entry in the <filename>/etc/group</filename> file and then renames
 		it to the desired name. This is an example of a method to get around operating
 		system maintenance tool limitations such as those present in some version of the
 		<command>groupadd</command> tool.
-		</para>
-
-<indexterm><primary>smbgrpadd.sh</primary></indexterm>
-		<para>
 <example id="smbgrpadd.sh">
-	<title>smbgrpadd.sh</title>
+<title>smbgrpadd.sh</title>
 <programlisting>
-
 #!/bin/bash

 # Add the group using normal system groupadd tool.
@ -632,6 +745,7 @@ thegid=`cat /etc/group | grep ^smbtmpgrp00 | cut -d ":" -f3`
 # Now change the name to what we want for the MS Windows networking end
 cp /etc/group /etc/group.bak
 cat /etc/group.bak | sed "s/^smbtmpgrp00/$1/g" > /etc/group
+rm /etc/group.bak

 # Now return the GID as would normally happen.
 echo $thegid
@ -641,7 +755,8 @@ exit 0
 </para>

 		<para>
-		The &smb.conf; entry for the above script would be something like that in <link linkend="smbgrpadd">"smbgrpadd"</link>.
+		The &smb.conf; entry for the above script shown in <link linkend="smbgrpadd">the configuration of
+		&smb.conf; for the add group Script</link> demonstrates how it may be used.

 <example id="smbgrpadd">
 <title>Configuration of &smb.conf; for the add group Script</title>
@ -658,17 +773,15 @@ exit 0
 	<title>Script to Configure Group Mapping</title>

 	<para>
-		In our example we have created a UNIX/Linux group called <literal>ntadmin</literal>.
-		Our script will create the additional groups <literal>Orks</literal>, <literal>Elves</literal>, and <literal>Gnomes</literal>.
-		It is a good idea to save this shell script for later use just in case you ever need to rebuild your mapping database.
-		For the sake of convenience we elect to save this script as a file called <filename>initGroups.sh</filename>.
-		This script is given in <link linkend="set-group-map">intGroups.sh</link>.
-	</para>
-
-<para>
+<indexterm><primary>initGroups.sh</primary></indexterm>
+	In our example we have created a UNIX/Linux group called <literal>ntadmin</literal>.
+	Our script will create the additional groups <literal>Orks</literal>, <literal>Elves</literal>, and <literal>Gnomes</literal>.
+	It is a good idea to save this shell script for later use just in case you ever need to rebuild your mapping database.
+	For the sake of convenience we elect to save this script as a file called <filename>initGroups.sh</filename>.
+	This script is given in <link linkend="set-group-map">intGroups.sh</link>.
 <indexterm><primary>initGroups.sh</primary></indexterm>
 <example id="set-group-map">
-	<title>Script to Set Group Mapping</title>
+<title>Script to Set Group Mapping</title>
 <programlisting>
 #!/bin/bash

@ -685,7 +798,7 @@ net groupmap add ntgroup="Elves"  unixgroup=Elves  type=d
 net groupmap add ntgroup="Gnomes" unixgroup=Gnomes type=d
 </programlisting>
 </example>
-</para>
+	</para>

 	<para>
 	Of course it is expected that the administrator will modify this to suit local needs.
@ -710,17 +823,21 @@ manually before putting it into active service.
 	<title>Adding Groups Fails</title>

 		<para>
+<indexterm><primary>groupadd</primary></indexterm>
 		This is a common problem when the <command>groupadd</command> is called directly
 		by the Samba interface script for the <smbconfoption name="add group script"/> in
 		the &smb.conf; file.
 		</para>

 		<para>
+<indexterm><primary>uppercase character</primary></indexterm>
+<indexterm><primary>space character</primary></indexterm>
 		The most common cause of failure is an attempt to add an MS Windows group account
 		that has an uppercase character and/or a space character in it.
 		</para>

 		<para>
+<indexterm><primary>groupadd</primary></indexterm>
 		There are three possible workarounds. First, use only group names that comply
 		with the limitations of the UNIX/Linux <command>groupadd</command> system tool.
 		Second, it involves the use of the script mentioned earlier in this chapter, and
@ -738,9 +855,8 @@ manually before putting it into active service.
 		What must I do to add domain users to the Power Users group?
 		</quote></para>

-<indexterm><primary>Domain Users group</primary></indexterm>
-
 		<para>
+<indexterm><primary>Domain Users group</primary></indexterm>
 		The Power Users group is a group that is local to each Windows 200x/XP Professional workstation.
 		You cannot add the Domain Users group to the Power Users group automatically, it must be done on
 		each workstation by logging in as the local workstation <emphasis>administrator</emphasis> and
--- a/docs/Samba3-HOWTO/images/idmap-gid2sid.dia
+++ b/docs/Samba3-HOWTO/images/idmap-gid2sid.dia
--- a/docs/Samba3-HOWTO/images/idmap-sid2gid.dia
+++ b/docs/Samba3-HOWTO/images/idmap-sid2gid.dia
--- a/docs/Samba3-HOWTO/images/idmap-sid2uid.dia
+++ b/docs/Samba3-HOWTO/images/idmap-sid2uid.dia
--- a/docs/Samba3-HOWTO/images/idmap-store-gid2sid.dia
+++ b/docs/Samba3-HOWTO/images/idmap-store-gid2sid.dia
--- a/docs/Samba3-HOWTO/images/idmap-uid2sid.dia
+++ b/docs/Samba3-HOWTO/images/idmap-uid2sid.dia