mirror of
https://github.com/samba-team/samba.git
synced 2025-01-14 19:24:43 +03:00
5f93b2dce4
Volker (This used to be commit 5b7a2a2441a238896cc3da0459e37536ac1906bf)
79 lines
3.3 KiB
Plaintext
Samba 3.0 prealpha guide to group mapping
---------------------------------------------------

Jean François Micouleau (jfm@samba.org)

Starting with Samba 3.0 alpha 2, a new group mapping function is available. The
current method (likely to change) to manage the groups is a new command called
smbgroupedit.

The first immediate reason to use the group mapping on a PDC is that the
'domain admin group' parameter of smb.conf is now gone. This parameter was
used to give the listed users local admin rights on their workstations. It
was some magic stuff that simply worked but didn't scale very well for
complex setups.

Let me explain how it works on NT/W2K, to have this magic fade away.

When installing NT/W2K on a computer, the installer program creates some users
and groups. Notably it creates the 'Administrators' group, and gives that group
some privileges, like the ability to change the date and time or to kill (or
close) any process running on the local machine. The 'Administrator' user is a
member of the 'Administrators' group, and thus inherits the 'Administrators'
group privileges. If a 'joe' user is created and becomes a member of the
'Administrators' group, 'joe' has exactly the same rights as 'Administrator'.

When an NT/W2K machine is joined to a domain, during that phase the 'Domain
Administrators' group of the PDC is added to the 'Administrators' group of the
workstation. Every member of the 'Domain Administrators' group inherits the
rights of the 'Administrators' group when logging on to the workstation.

You are now wondering how to make some of your samba PDC users members of the
'Domain Administrators' group? That's really easy.

1) create a unix group (usually in /etc/group), let's call it domadm

2) add to this group the users that must be Administrators. For example, if you
want joe, john and mary, your entry in /etc/group will look like:

domadm:x:502:joe,john,mary

3) map this domadm group to the 'Domain Admins' group:

3.1) list all the mapped groups by running: smbgroupedit -v
you will get a list looking like the one below.

NT group (SID) -> Unix group
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
Domain Admins (S-1-5-21-1108995562-3116817432-1375597819-512) -> -1
Domain Guests (S-1-5-21-1108995562-3116817432-1375597819-514) -> -1
Domain Users (S-1-5-21-1108995562-3116817432-1375597819-513) -> -1

3.2) map the unix domadm group to the NT 'Domain Admins' group, by running the
command:

smbgroupedit -c S-1-5-21-1108995562-3116817432-1375597819-512 -u domadm

warning: don't copy and paste this sample, the Domain Admins SID (the
S-1-5-21-...-512) is different for every PDC.

You're set, joe, john and mary are domain administrators!

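The warning above is the part that bites in practice: the Domain Admins SID is different on every PDC, so the safe way to do step 3 is to read it out of the 'smbgroupedit -v' listing on the machine itself. The script below is an added example written for this page; it is not part of the Samba tree or of this guide. It assumes the listing keeps the exact 'NT group (SID) -> Unix group' format shown above, that '-1' in the Unix group column means the NT group has no Unix group mapped yet, and that getent is available; the sample listing embedded in it is constructed from the SIDs quoted in the guide, not captured from a real PDC.

```shell
#!/bin/sh
# Added example (not Samba's code): parse the "NT group (SID) -> Unix group"
# listing printed by `smbgroupedit -v`, then feed the Domain Admins SID it
# finds into `smbgroupedit -c <SID> -u <unixgroup>`, so the per-PDC SID is
# read from the live listing instead of being hand-copied.
# Assumptions: the listing keeps the exact format shown in the guide, and
# "-1" in the Unix group column means the NT group is not mapped yet.

# Constructed sample of `smbgroupedit -v` output, built from the SIDs quoted
# in the guide; it is not output captured from a real PDC.
SAMPLE_LISTING='NT group (SID) -> Unix group
Administrators (S-1-5-32-544) -> -1
Domain Admins (S-1-5-21-1108995562-3116817432-1375597819-512) -> -1
Domain Users (S-1-5-21-1108995562-3116817432-1375597819-513) -> -1'

# nt_group_field NAME FIELD: read a listing on stdin and print, for NT group
# NAME, its SID (FIELD=sid) or its mapped Unix group (FIELD=unix, "-1" when
# unmapped). Prints nothing when NAME does not appear in the listing.
nt_group_field() {
    awk -v want="$1" -v field="$2" '
        # data lines look like:  <NT group name> (<SID>) -> <unix group or -1>
        /->/ && match($0, /\(S-1-[0-9-]+\)/) {
            name   = substr($0, 1, RSTART - 2)            # text before " ("
            sid    = substr($0, RSTART + 1, RLENGTH - 2)  # text inside "(...)"
            ugroup = $NF                                  # token after "->"
            if (name == want) {
                out = (field == "sid") ? sid : ugroup
                print out
                exit
            }
        }'
}

# map_domain_admins UNIXGROUP: step 3 of the guide with the SID looked up at
# run time. Meant for a Samba 3.0 alpha PDC where smbgroupedit exists; it
# refuses to run when the Unix group is missing (step 1 not done) and checks
# afterwards, by re-reading the listing, that the mapping really took.
map_domain_admins() {
    unixgroup="$1"
    if ! getent group "$unixgroup" >/dev/null 2>&1; then
        echo "Unix group '$unixgroup' does not exist; create it first" >&2
        return 1
    fi
    sid=$(smbgroupedit -v | nt_group_field "Domain Admins" sid)
    if [ -z "$sid" ]; then
        echo "Domain Admins not found in 'smbgroupedit -v' output" >&2
        return 1
    fi
    smbgroupedit -c "$sid" -u "$unixgroup" || return 1
    mapped=$(smbgroupedit -v | nt_group_field "Domain Admins" unix)
    if [ "$mapped" != "$unixgroup" ]; then
        echo "mapping did not take: Domain Admins -> $mapped" >&2
        return 1
    fi
    echo "Domain Admins (SID $sid) is now mapped to Unix group $unixgroup"
}

# Offline demonstration on the constructed listing; on a real PDC you would
# run:  map_domain_admins domadm
printf '%s\n' "$SAMPLE_LISTING" | nt_group_field "Domain Admins" sid
printf '%s\n' "$SAMPLE_LISTING" | nt_group_field "Domain Admins" unix
```

The parser keys on the '(S-1-...)' token rather than on column positions, so group names containing spaces ('Domain Admins', 'Backup Operators') are matched whole, and the header line 'NT group (SID) -> Unix group' is skipped because '(SID)' is not a SID. Re-reading the listing after the mapping command is the check a practitioner wants: a '-1' still showing next to Domain Admins means the users in domadm did not get the rights you think they did.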
Like the Domain Admins group, you can map any arbitrary Unix group to any NT
group. You can also make any Unix group a domain group. For example, on a domain
member machine (an NT/W2K or a samba server running winbind), you would like to
give access to a certain directory to some users who are members of a group on
your samba PDC. Flag that group as a domain group by running:

smbgroupedit -a unixgroup -td