mirror of https://github.com/samba-team/samba.git
(This used to be commit 8ba64165ecd7266fb16ae127910eecdf6954f750)
<?xml version="1.0" encoding="iso8859-1"?>
<chapter id="groupmapping">
<chapterinfo>
	<author>
		<firstname>Jean François</firstname><surname>Micouleau</surname>
	</author>
	&author.jerry;
	&author.jht;
</chapterinfo>

<title>Mapping MS Windows and Unix Groups</title>

<para>
Starting with Samba-3, new group mapping functionality is available to create associations
between Windows group SIDs and UNIX groups. The <parameter>groupmap</parameter> subcommand
included with the &net; tool can be used to manage these associations.
</para>

<warning>
<para>
The first immediate reason to use group mapping on a Samba PDC is that
the <parameter>domain admin group</parameter> parameter has been removed and should no longer
be specified in &smb.conf;. This parameter was used to give the listed users membership
in the <constant>Domain Admins</constant> Windows group, which gave local admin rights on their workstations
(in default configurations).
</para>
</warning>

<sect1>
<title>Features and Benefits</title>

<para>
Samba allows the administrator to create MS Windows NT4 / 200x group accounts and to
arbitrarily associate them with Unix/Linux group accounts.
</para>

<para>
Group accounts can be managed using the MS Windows NT4 or MS Windows 200x MMC tools
so long as appropriate interface scripts have been provided to &smb.conf;.
</para>

<para>
Administrators should be aware that where &smb.conf; group interface scripts make
direct calls to the Unix/Linux system tools (e.g. the shadow utilities <command>groupadd</command>,
<command>groupdel</command> and <command>groupmod</command>), the resulting Unix/Linux group names will be subject
to any limits imposed by these tools. If the tool does NOT allow upper case characters
or space characters, then the creation of an MS Windows NT4 / 200x style group called
<parameter>Engineering Managers</parameter> will attempt to create an identically named
Unix/Linux group, an attempt that will of course fail!
</para>

<para>
There are several possible work-arounds for this limitation of the operating system tools. One
method is to use a script that generates a name for the Unix/Linux system group that
fits the operating system limits, and that then just passes the Unix/Linux group id (GID)
back to the calling Samba interface. This provides a dynamic work-around.
</para>

<para>
Another work-around is to manually create a Unix/Linux group, then manually create the
MS Windows NT4 / 200x group on the Samba server, and then use the <command>net groupmap</command>
tool to connect the two to each other.
</para>

</sect1>

<sect1>
<title>Discussion</title>

<para>
When installing <application>MS Windows NT4 / 200x</application> on a computer, the installation
program creates default users and groups, notably the <constant>Administrators</constant> group,
and gives that group the privileges necessary to perform essential system tasks,
e.g. the ability to change the date and time, or to kill (or close) any process running on the
local machine.
</para>

<para>
The 'Administrator' user is a member of the 'Administrators' group, and thus inherits
'Administrators' group privileges. If a 'joe' user is created to be a member of the
'Administrators' group, 'joe' has exactly the same rights as 'Administrator'.
</para>

<para>
When an MS Windows NT4 / 200x workstation is made a domain member, the 'Domain Admins' group of the
PDC is added to the local 'Administrators' group of the workstation. Every member of the
'Domain Admins' group inherits the rights of the local 'Administrators' group when
logging on to the workstation.
</para>

<para>
The following steps describe how to make Samba PDC users members of the 'Domain Admins' group:
</para>

<orderedlist>
<listitem><para>
Create a Unix group (usually in <filename>/etc/group</filename>); let's call it domadm.
</para></listitem>

<listitem><para>Add to this group the users that must be Administrators. For example,
if you want joe, john and mary, your entry in <filename>/etc/group</filename> will
look like:
</para>

<para><programlisting>
domadm:x:502:joe,john,mary
</programlisting>
</para></listitem>

<listitem><para>
Map this domadm group to the "Domain Admins" group by running the command:
</para>

<para>
<screen>
&rootprompt;<userinput>net groupmap add ntgroup="Domain Admins" unixgroup=domadm</userinput>
</screen>
</para>

<para>
The quotes around "Domain Admins" are necessary due to the space in the group name.
Also make sure to leave no whitespace surrounding the equal character (=).
</para></listitem>
</orderedlist>

<para>
Now joe, john and mary are domain administrators!
</para>

<para>
It is possible to map any arbitrary UNIX group to any Windows NT4 / 200x group, as well as
to make any UNIX group a Windows domain group. For example, if you wanted to include a
UNIX group (e.g. acct) in an ACL on a local file or printer on a domain member machine,
you would flag that group as a domain group by running the following on the Samba PDC:
</para>

<para>
<screen>
&rootprompt;<userinput>net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct</userinput>
</screen>
</para>

<para>
Be aware that the RID parameter is an unsigned 32 bit integer that should
normally start at 1000. However, this RID must not overlap with any RID assigned
to a user. Verifying this is done differently depending on the passdb backend
you are using. Future versions of the tools may perform the verification automatically,
but for now the burden is on you.
</para>

<sect2>
<title>Example Configuration</title>

<para>
You can list the various groups in the mapping database by executing
<command>net groupmap list</command>. Here is an example:
</para>

<para>
<screen>
&rootprompt; <userinput>net groupmap list</userinput>
System Administrators (S-1-5-21-2547222302-1596225915-2414751004-1002) -> sysadmin
Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin
Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser
Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest
</screen>
</para>
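<para>
The listing above follows a fixed pattern, name (SID) -> unixgroup, which makes the RID
uniqueness check described earlier scriptable. The following POSIX shell script is an added
example and not part of Samba: it extracts the RIDs from net groupmap list output and rejects
a candidate RID that is already used by a mapped group or by a user. The group listing is the
sample from this chapter and the user RID list is a constructed stand-in for whatever your
passdb backend reports.
</para>

```shell
#!/bin/sh
# Added example (not Samba's own code): refuse a candidate group RID that
# collides with an existing mapped group or with a user RID.

# Extract the RID (the last dash-separated component) from a SID such as
# S-1-5-21-2547222302-1596225915-2414751004-512.
rid_of_sid() {
    printf '%s\n' "$1" | sed 's/.*-//'
}

# Print the RID of every group in "net groupmap list" output read from stdin.
group_rids() {
    sed -n 's/^.*(S-[0-9-]*-\([0-9]*\)) -> .*$/\1/p'
}

# check_rid RID LISTING USER_RIDS
# Returns 0 if RID is neither a mapped group RID (from LISTING) nor one of
# the whitespace-separated USER_RIDS; otherwise prints the reason and returns 1.
check_rid() {
    rid=$1
    if printf '%s\n' "$2" | group_rids | grep -qx "$rid"; then
        echo "RID $rid is already used by a mapped group"
        return 1
    fi
    for u in $3; do
        if [ "$u" = "$rid" ]; then
            echo "RID $rid is already assigned to a user"
            return 1
        fi
    done
    return 0
}

# Sample listing taken from this chapter; user RIDs are constructed values.
GROUPMAP_LISTING='System Administrators (S-1-5-21-2547222302-1596225915-2414751004-1002) -> sysadmin
Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin
Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser
Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest'
USER_RIDS='1000 1002 1004'

# Usage: ./checkrid.sh RID
if [ $# -eq 1 ]; then
    check_rid "$1" "$GROUPMAP_LISTING" "$USER_RIDS"
fi
```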

<para>
For complete details on <command>net groupmap</command>, refer to the net(8) man page.
</para>

</sect2>

</sect1>

<sect1>
<title>Configuration Scripts</title>

<para>
Everyone needs tools. Some of us like to create our own, others prefer to use canned tools
(i.e. prepared by someone else for general use).
</para>

<sect2>
<title>Sample &smb.conf; add group script</title>

<para>
A script to create compliant group names for use by the Samba group interfaces:
</para>

<para>
<example>
<title>smbgrpadd.sh</title>
<programlisting>

#!/bin/bash

# Add the group using normal system groupadd tool.
groupadd smbtmpgrp00 || exit 1

# Look up the GID of the temporary group; anchor the match so that a
# similarly named group (e.g. smbtmpgrp001) is not picked up by mistake.
thegid=`grep '^smbtmpgrp00:' /etc/group | cut -d ":" -f3`

# Now change the name to what we want for the MS Windows networking end.
# Write to a new file first: redirecting the output straight back to
# /etc/group would truncate the file before sed has read it.
sed "s/^smbtmpgrp00:/$1:/" /etc/group > /etc/group.new
mv /etc/group.new /etc/group

# Now return the GID as would normally happen.
echo $thegid
exit 0
</programlisting>
</example>
</para>

<para>
The &smb.conf; entry for the above script would look like:
<programlisting>
add group script = /path_to_tool/smbgrpadd.sh %g
</programlisting>
</para>
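<para>
The following is an added example, not the script above nor Samba's own code, of the dynamic
work-around described under Features and Benefits: instead of renaming a temporary group by
editing /etc/group, it derives a Unix-compliant name from the Windows group name that Samba
passes as the first argument, creates that group with groupadd, and echoes the GID back.
It assumes the lower-case/underscore naming convention is acceptable locally and that the
script is installed as the add group script shown above.
</para>

```shell
#!/bin/sh
# Added example (not Samba's own code): an "add group script" that maps a
# Windows group name to a name groupadd will accept and returns the GID.

# Turn "Engineering Managers" into "engineering_managers": lower-case the
# name, replace spaces with underscores and drop any other character
# outside [a-z0-9_-]. The convention itself is an assumption of this example.
sanitize_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr ' ' '_' | tr -cd 'a-z0-9_-'
}

# Create the Unix group if it does not exist yet, then print its GID
# (Samba expects the GID on stdout). Returns 1 if nothing usable remains
# after sanitizing or if groupadd fails.
add_group() {
    unixname=$(sanitize_name "$1")
    [ -n "$unixname" ] || return 1
    if ! getent group "$unixname" >/dev/null 2>/dev/null; then
        groupadd "$unixname" || return 1
    fi
    getent group "$unixname" | cut -d: -f3
}

# Only act when invoked by Samba with the Windows group name (%g) as $1.
if [ $# -eq 1 ]; then
    add_group "$1"
fi
```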

</sect2>

<sect2>
<title>Script to configure Group Mapping</title>

<para>
In our example we have created a Unix/Linux group called <parameter>ntadmin</parameter>.
Our script will create the additional groups <parameter>Engineers, Marketoids, Gnomes</parameter>:
</para>

<para>
<programlisting>
#!/bin/bash

net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmin
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
net groupmap modify ntgroup="Administrators" unixgroup=root
net groupmap modify ntgroup="Users" unixgroup=users
net groupmap modify ntgroup="Guests" unixgroup=nobody
net groupmap modify ntgroup="System Operators" unixgroup=sys
net groupmap modify ntgroup="Account Operators" unixgroup=root
net groupmap modify ntgroup="Backup Operators" unixgroup=bin
net groupmap modify ntgroup="Print Operators" unixgroup=lp
net groupmap modify ntgroup="Replicators" unixgroup=daemon
net groupmap modify ntgroup="Power Users" unixgroup=sys

#groupadd Engineers
#groupadd Marketoids
#groupadd Gnomes

#net groupmap add ntgroup="Engineers" unixgroup=Engineers type=d
#net groupmap add ntgroup="Marketoids" unixgroup=Marketoids type=d
#net groupmap add ntgroup="Gnomes" unixgroup=Gnomes type=d
</programlisting>
</para>

<para>
Of course it is expected that the administrator will modify this to suit local needs.
For information regarding the use of the <command>net groupmap</command> tool please
refer to the man page.
</para>

</sect2>

</sect1>

<sect1>
<title>Common Errors</title>

<para>
At this time there are many little surprises for the unwary administrator. In a real sense
it is imperative that every step of automated control scripts be carefully tested
manually before putting them into active service.
</para>

<sect2>
<title>Adding Groups Fails</title>

<para>
This is a common problem when <command>groupadd</command> is called directly
by the Samba interface script for the <parameter>add group script</parameter> in
the &smb.conf; file.
</para>

<para>
The most common cause of failure is an attempt to add an MS Windows group account
that has either an upper case character and/or a space character in it.
</para>

<para>
There are three possible work-arounds. Firstly, use only group names that comply
with the limitations of the Unix/Linux <command>groupadd</command> system tool.
The second involves use of the script mentioned earlier in this chapter, and the
third option is to manually create a Unix/Linux group account that can substitute
for the MS Windows group name, then use the procedure listed above to map that group
to the MS Windows group.
</para>

</sect2>

<sect2>
<title>Adding MS Windows Groups to MS Windows Groups Fails</title>

<para>
Samba-3 does NOT support nested groups from the MS Windows control environment.
</para>

</sect2>

</sect1>

</chapter>