<firstname>Jean François</firstname><surname>Micouleau</surname>
</author>
&author.jerry;
+ &author.jht;
</chapterinfo>
+<title>Mapping MS Windows and Unix Groups</title>
-<title>Configuring Group Mapping</title>
+ <para>
+ Starting with Samba-3, new group mapping functionality is available to create associations
+ between Windows group SIDs and UNIX groups. The <parameter>groupmap</parameter> subcommand
+ included with the &net; tool can be used to manage these associations.
+ </para>
-<para>
-Starting with Samba 3.0 alpha 2, new group mapping functionality
-is available to create associations between Windows SIDs and UNIX
-groups. The <parameter>groupmap</parameter> subcommand included with
-the <command>net</command> tool can be used to manage these associations.
-</para>
+ <warning>
+ <para>
+ The first immediate reason to use the group mapping on a Samba PDC, is that
+ the <parameter>domain admin group</parameter> has been removed and should no longer
+ be specified in &smb.conf;. This parameter was used to give the listed users membership
+ in the <constant>Domain Admins</constant> Windows group which gave local admin rights on their workstations
+ (in default configurations).
+ </para>
+ </warning>
-<para>
-The first immediate reason to use the group mapping on a Samba PDC, is that
-the <parameter>domain admin group</parameter> &smb.conf; has been removed.
-This parameter was used to give the listed users membership in the "Domain Admins"
-Windows group which gave local admin rights on their workstations (in
-default configurations).
-</para>
+<sect1>
+<title>Features and Benefits</title>
-<para>
-When installing NT/W2K on a computer, the installer program creates some users
-and groups. Notably the 'Administrators' group, and gives to that group some
-privileges like the ability to change the date and time or to kill any process
-(or close too) running on the local machine. The 'Administrator' user is a
-member of the 'Administrators' group, and thus 'inherit' the 'Administrators'
-group privileges. If a 'joe' user is created and become a member of the
-'Administrator' group, 'joe' has exactly the same rights as 'Administrator'.
-</para>
+ <para>
+ Samba allows the administrator to create MS Windows NT4 / 200x group accounts and to
+ arbitrarily associate them with Unix/Linux group accounts.
+ </para>
-<para>
-When a NT/W2K machine is joined to a domain, the "Domain Adminis" group of the
-PDC is added to the local 'Administrators' group of the workstation. Every
-member of the 'Domain Administrators' group 'inherit' the
-rights of the local 'Administrators' group when logging on the workstation.
+ <para>
+ Group accounts can be managed using the MS Windows NT4 or MS Windows 200x MMC tools
+ so long as appropriate interface scripts have been provided to &smb.conf;.
+ </para>
+
+ <para>
+ Administrators should be aware that where &smb.conf; group interface scripts make
+ direct calls to the Unix/Linux system tools (eg: the shadow utilities, <command>groupadd</command>,
+ <command>groupdel</command>, <command>groupmod</command>) then the resulting Unix/Linux group names will be subject
+ to any limits imposed by these tools. If the tool does NOT allow upper case characters
+ or space characters, then the creation of an MS Windows NT4 / 200x style group of
+ <parameter>Engineering Managers</parameter> will attempt to create an identically named
+ Unix/Linux group, an attempt that will of course fail!
+ </para>
+
+ <para>
+ There are several possible work-arounds for the operating system tools limitation. One
+ method is to use a script that generates a name for the Unix/Linux system group that
+ fits the operating system limits, and that then just passes the Unix/Linux group id (GID)
+ back to the calling Samba interface. This will provide a dynamic work-around solution.
+ </para>
+
+ <para>
+ Another work-around is to manually create a Unix/Linux group, then manually create the
+ MS Windows NT4 / 200x group on the Samba server and then use the <command>net groupmap</command>
+ tool to connect the two to each other.
+ </para>
+
+</sect1>
+
+<sect1>
+<title>Discussion</title>
+
+ <para>
+ When installing <application>MS Windows NT4 / 200x</application> on a computer, the installation
+ program creates default users and groups, notably the <constant>Administrators</constant> group,
+ and gives that group privileges necessary privileges to perform essential system tasks.
+ eg: Ability to change the date and time or to kill (or close) any process running on the
+ local machine.
+ </para>
+
+ <para>
+ The 'Administrator' user is a member of the 'Administrators' group, and thus inherits
+ 'Administrators' group privileges. If a 'joe' user is created to be a member of the
+ 'Administrator' group, 'joe' has exactly the same rights as 'Administrator'.
+ </para>
+
+ <para>
+ When an MS Windows NT4 / W200x is made a domain member, the "Domain Admins" group of the
+ PDC is added to the local 'Administrators' group of the workstation. Every member of the
+ 'Domain Administrators' group inherits the rights of the local 'Administrators' group when
+ logging on the workstation.
+ </para>
+
+ <para>
+ The following steps describe how to make Samba PDC users members of the 'Domain Admins' group?
+ </para>
+
+ <orderedlist>
+ <listitem><para>
+ create a unix group (usually in <filename>/etc/group</filename>), let's call it domadm
+ </para></listitem>
+
+ <listitem><para>add to this group the users that must be Administrators. For example
+ if you want joe, john and mary, your entry in <filename>/etc/group</filename> will
+ look like:
+ </para>
+
+ <para><programlisting>
+ domadm:x:502:joe,john,mary
+ </programlisting>
+ </para></listitem>
+
+ <listitem><para>
+ Map this domadm group to the "Domain Admins" group by running the command:
+ </para>
+
+ <para>
+ <screen>
+ &rootprompt;<userinput>net groupmap add ntgroup="Domain Admins" unixgroup=domadm</userinput>
+ </screen>
+ </para>
+
+ <para>
+ The quotes around "Domain Admins" are necessary due to the space in the group name.
+ Also make sure to leave no whitespace surrounding the equal character (=).
+ </para></listitem>
+ </orderedlist>
+
+ <para>
+ Now joe, john and mary are domain administrators!
+ </para>
+
+ <para>
+ It is possible to map any arbitrary UNIX group to any Windows NT4 / 200x group as well as
+ making any UNIX group a Windows domain group. For example, if you wanted to include a
+ UNIX group (e.g. acct) in a ACL on a local file or printer on a domain member machine,
+ you would flag that group as a domain group by running the following on the Samba PDC:
+ </para>
+
+ <para>
+ <screen>
+ &rootprompt;<userinput>net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct</userinput>
+ </screen>
+ </para>
+
+ <para>
+ Be aware that the RID parameter is a unsigned 32 bit integer that should
+ normally start at 1000. However, this rid must not overlap with any RID assigned
+ to a user. Verifying this is done differently depending on on the passdb backend
+ you are using. Future versions of the tools may perform the verification automatically,
+ but for now the burden is on you.
+ </para>
+
+ <sect2>
+ <title>Example Configuration</title>
+
+ <para>
+ You can list the various groups in the mapping database by executing
+ <command>net groupmap list</command>. Here is an example:
+ </para>
+
+ <para>
+ <screen>
+ &rootprompt; <userinput>net groupmap list</userinput>
+ System Administrators (S-1-5-21-2547222302-1596225915-2414751004-1002) -> sysadmin
+ Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin
+ Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser
+ Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest
+ </screen>
+ </para>
+
+ <para>
+ For complete details on <command>net groupmap</command>, refer to the net(8) man page.
+ </para>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+<title>Configuration Scripts</title>
+
+ <para>
+ Everyone needs tools. Some of us like to create our own, others prefer to use canned tools
+ (ie: prepared by someone else for general use).
+ </para>
+
+ <sect2>
+ <title>Sample &smb.conf; add group script</title>
+
+ <para>
+ A script to great complying group names for use by the Samba group interfaces:
+ </para>
+
+ <para>
+<example>
+ <title>smbgrpadd.sh</title>
+<programlisting>
+
+#!/bin/bash
+
+# Add the group using normal system groupadd tool.
+groupadd smbtmpgrp00
+
+thegid=`cat /etc/group | grep smbtmpgrp00 | cut -d ":" -f3`
+
+# Now change the name to what we want for the MS Windows networking end
+cp /etc/group /etc/group.bak
+cat /etc/group.bak | sed s/smbtmpgrp00/$1/g > /etc/group
+
+# Now return the GID as would normally happen.
+echo $thegid
+exit 0
+</programlisting>
+</example>
</para>
+ <para>
+ The &smb.conf; entry for the above script would look like:
+ <programlisting>
+ add group script = /path_to_tool/smbgrpadd.sh %g
+ </programlisting>
+ </para>
+
+ </sect2>
+
+ <sect2>
+ <title>Script to configure Group Mapping</title>
+
+ <para>
+ In our example we have created a Unix/Linux group called <parameter>ntadmin</parameter>.
+ Our script will create the additional groups <parameter>Engineers, Marketoids, Gnomes</parameter>:
+ </para>
+
<para>
-The following steps describe how to make samba PDC users members of the
-'Domain Admins' group?
-</para>
+<programlisting>
+#!/bin/bash
-<orderedlist>
-<listitem><para>create a unix group (usually in <filename>/etc/group</filename>),
- let's call it domadm</para></listitem>
-<listitem><para>add to this group the users that must be Administrators. For example
- if you want joe,john and mary, your entry in <filename>/etc/group</filename> will
- look like:</para>
+net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmin
+net groupmap modify ntgroup="Domain Users" unixgroup=users
+net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
+net groupmap modify ntgroup="Administrators" unixgroup=root
+net groupmap modify ntgroup="Users" unixgroup=users
+net groupmap modify ntgroup="Guests" unixgroup=nobody
+net groupmap modify ntgroup="System Operators" unixgroup=sys
+net groupmap modify ntgroup="Account Operators" unixgroup=root
+net groupmap modify ntgroup="Backup Operators" unixgroup=bin
+net groupmap modify ntgroup="Print Operators" unixgroup=lp
+net groupmap modify ntgroup="Replicators" unixgroup=daemon
+net groupmap modify ntgroup="Power Users" unixgroup=sys
- <para><programlisting>
- domadm:x:502:joe,john,mary
- </programlisting></para>
+#groupadd Engineers
+#groupadd Marketoids
+#groupadd Gnomes
- </listitem>
+#net groupmap add ntgroup="Engineers" unixgroup=Engineers type=d
+#net groupmap add ntgroup="Marketoids" unixgroup=Marketoids type=d
+#net groupmap add ntgroup="Gnomes" unixgroup=Gnomes type=d
+</programlisting>
+</para>
-<listitem><para>Map this domadm group to the "Domain Admins" group
- by running the command:</para>
+ <para>
+ Of course it is expected that the administrator will modify this to suit local needs.
+ For information regarding the use of the <command>net groupmap</command> tool please
+ refer to the man page.
+ </para>
- <para><prompt>root# </prompt><userinput>net groupmap add ntgroup="Domain Admins" unixgroup=domadm</userinput></para>
-
- <para>The quotes around "Domain Admins" are necessary due to the space in the group name. Also make
- sure to leave no whitespace surrounding the equal character (=).</para>
- </listitem>
+ </sect2>
-</orderedlist>
+</sect1>
-<para>Now joe, john and mary are domain administrators!</para>
+<sect1>
+<title>Common Errors</title>
<para>
-It is possible to map any arbitrary UNIX group to any Windows NT
-group as well as making any UNIX group a Windows domain group.
-For example, if you wanted to include a UNIX group (e.g. acct) in a ACL on a
-local file or printer on a domain member machine, you would flag
-that group as a domain group by running the following on the Samba PDC:
+At this time there are many little surprises for the unwary administrator. In a real sense
+it is imperative that every step of automated control scripts must be carefully tested
+manually before putting them into active service.
</para>
-<para><prompt>root# </prompt><userinput>net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct</userinput></para>
+ <sect2>
+ <title>Adding Groups Fails</title>
+
+ <para>
+ This is a common problem when the <command>groupadd</command> is called directly
+ by the Samba interface script for the <parameter>add group script</parameter> in
+ the &smb.conf; file.
+ </para>
+
+ <para>
+ The most common cause of failure is an attempt to add an MS Windows group account
+ that has either an upper case character and/or a space character in it.
+ </para>
+
+ <para>
+ There are three possible work-arounds. Firstly, use only group names that comply
+ with the limitations of the Unix/Linux <command>groupadd</command> system tool.
+ The second involves use of the script mentioned earlier in this chapter, and the
+ third option is to manually create a Unix/Linux group account that can substitute
+ for the MS Windows group name, then use the procedure listed above to map that group
+ to the MS Windows group.
+ </para>
+
+ </sect2>
-<para>Be aware that the rid parmeter is a unsigned 32 bit integer that should
-normally start at 1000. However, this rid must not overlap with any RID assigned
-to a user. Verifying this is done differently depending on on the passdb backend
-you are using. Future versions of the tools may perform the verification automatically,
-but for now the burden in on you.</para>
+ <sect2>
+ <title>Adding MS Windows Groups to MS Windows Groups Fails</title>
-<para>You can list the various groups in the mapping database by executing
-<command>net groupmap list</command>. Here is an example:</para>
+ <para>
+ Samba-3 does NOT support nested groups from the MS Windows control environment.
+ </para>
-<para><programlisting><prompt>root# </prompt>net groupmap list
-System Administrators (S-1-5-21-2547222302-1596225915-2414751004-1002) -> sysadmin
-Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin
-Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser
-Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest
-</programlisting></para>
+ </sect2>
-<para>For complete details on <command>net groupmap</command>, refer to the
-net(8) man page.</para>
+</sect1>
</chapter>
git.samba.org / samba.git / blobdiff