<title>Features and Benefits</title>
<para>
- Stuff goes here.
+ Samba allows the administrator to create MS Windows NT4 / 200x group accounts and to
+ arbitrarily associate them with Unix/Linux group accounts.
+ </para>
+
+ <para>
+ Group accounts can be managed using the MS Windows NT4 or MS Windows 200x MMC tools
+ so long as appropriate interface scripts have been provided to &smb.conf;
+ </para>
+
+ <para>
+ Administrators should be aware that where &smb.conf; group interface scripts make
+ direct calls to the Unix/Linux system tools (eg: the shadow utilities, <command>groupadd,
+ groupdel, groupmod</command>) then the resulting Unix/Linux group names will be subject
+ to any limits imposed by these tools. If the tool does NOT allow upper case characters
+ or space characters, then the creation of an MS Windows NT4 / 200x style group of
+ <parameter>Engineering Managers</parameter> will attempt to create an identically named
+ Unix/Linux group, an attempt that will of course fail!
+ </para>
+
+ <para>
+ There are several possible work-arounds for the operating system tools limitation. One
+ method is to use a script that generates a name for the Unix/Linux system group that
+ fits the operating system limits, and that then just passes the Unix/Linux group id (GID)
+ back to the calling samba interface. This will provide a dynamic work-around solution.
+ </para>
+
+ <para>
+ Another work-around is to manually create a Unix/Linux group, then manually create the
+ MS Windows NT4 / 200x group on the Samba server and then use the <command>net groupmap</command>
+ tool to connect the two to each other.
</para>
</sect1>
(ie: prepared by someone else for general use).
</para>
+ <sect2>
+ <title>Sample &smb.conf; <emphasis><parameter>add group script</parameter></emphasis></title>
+
+ <para>
+ A script to great complying group names for use by the samba group interfaces:
+ </para>
+
+<para>
+<screen>
+Script name: smbgrpadd.sh
+
+#!/bin/bash
+
+# Add the group using normal system groupadd tool.
+groupadd smbtmpgrp00
+
+thegid=`cat /etc/group | grep smbtmpgrp00 | cut -d ":" -f3`
+
+# Now change the name to what we want for the MS Windows networking end
+cat /etc/group | sed s/smbtmpgrp00/$1/g > /etc/group
+
+# Now return the GID as would normally happen.
+echo $thegid
+exit 0
+</screen>
+</para>
+
+ <para>
+ The &smb.conf; entry for the above script would look like:
+ <screen>
+ add group script = /path_to_tool/smbgrpadd.sh %g
+ </screen>
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Script to configure Group Mapping</title>
+
+ <para>
+ In our example we have created a Unix/Linux group called <parameter>ntadmin</parameter>.
+ Our script will create the additional groups <parameter>Engineers, Marketoids, Gnomes</parameter>:
+ </para>
+
+<para>
+<screen>
+#!/bin/bash
+
+net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmin
+net groupmap modify ntgroup="Domain Users" unixgroup=users
+net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
+net groupmap modify ntgroup="Administrators" unixgroup=root
+net groupmap modify ntgroup="Users" unixgroup=users
+net groupmap modify ntgroup="Guests" unixgroup=nobody
+net groupmap modify ntgroup="System Operators" unixgroup=sys
+net groupmap modify ntgroup="Account Operators" unixgroup=root
+net groupmap modify ntgroup="Backup Operators" unixgroup=bin
+net groupmap modify ntgroup="Print Operators" unixgroup=lp
+net groupmap modify ntgroup="Replicators" unixgroup=daemon
+net groupmap modify ntgroup="Power Users" unixgroup=sys
+
+#groupadd Engineers
+#groupadd Marketoids
+#groupadd Gnomes
+
+#net groupmap add ntgroup="Engineers" unixgroup=Engineers type=d
+#net groupmap add ntgroup="Marketoids" unixgroup=Marketoids type=d
+#net groupmap add ntgroup="Gnomes" unixgroup=Gnomes type=d
+</screen>
+</para>
+
+ <para>
+ Of course it is expected that the admininstrator will modify this to suit local needs.
+ For information regarding the use of the <command>net groupmap</command> tool please
+ refer to the man page.
+ </para>
+
+ </sect2>
+
</sect1>
<sect1>
</sect3>
+ <sect3>
+ <title>Initialise the LDAP database</title>
+
+ <para>
+ Before you can add accounts to the LDAP database you must create the account containers
+ that they will be stored in. The following LDIF file should be modified to match your
+ needs (ie: Your DNS entries, etc.).
+ </para>
+
+<para>
+<screen>
+# Organization for Samba Base
+dn: dc=plainjoe,dc=org
+objectclass: dbObject
+objectclass: organization
+dc: plainjoe
+o: Terpstra Org Network
+description: The Samba-3 Network LDAP Example
+
+# Organizational Role for Directory Management
+db: cn=Manager,dc=plainjoe,dc=org
+objectclass: organizationalRole
+cn: Manager
+description: Directory Manager
+
+# Setting up container for users
+dn: ou=People,dc=plainjoe,dc=org
+objectclass: top
+objectclass: organizationalUnit
+ou: People
+
+# Setting up admin handle for People OU
+dn: cn=admin,ou=People,dc=plainjoe,dc=org
+cn: admin
+objectclass: top
+objectclass: organizationalRole
+objectclass: simpleSecurityObject
+userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
+</screen>
+</para>
+
+ <para>
+ The userPassword shown above should be generated using <command>slappasswd</command>.
+ </para>
+
+ <para>
+ The following command will then load the contents of the LDIF file into the LDAP
+ database.
+ </para>
+
+<para>
+<screen>
+slapadd -v -l initldap.dif
+</screen>
+</para>
+
+ <para>
+ Do not forget to secure your LDAP server with an adequate access control list,
+ as well as an admin password.
+ </para>
+
+ <note>
+ <para>
+ Before Samba can access the LDAP server you need to stoe the LDAP admin password
+ into the Samba-3 <filename>secrets.tdb</filename> database by:
+ <screen>
+ &rootprompt; <command>smbpasswd -w secret</command>
+ </screen>
+ </para>
+ </note>
+
+ </sect3>
+
<sect3>
<title>Configuring Samba</title>
git.samba.org / kai / samba.git / commitdiff