1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
5 >Group mapping HOWTO</TITLE
8 CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
10 TITLE="SAMBA Project Documentation"
11 HREF="samba-howto-collection.html"><LINK
13 TITLE="Reporting Bugs"
14 HREF="bugreport.html"><LINK
17 HREF="portability.html"></HEAD
28 SUMMARY="Header navigation table"
37 >SAMBA Project Documentation</TH
59 HREF="portability.html"
74 >Chapter 20. Group mapping HOWTO</H1
77 Starting with Samba 3.0 alpha 2, a new group mapping function is available. The
78 current method (likely to change) to manage the groups is a new command called
84 >The first immediate reason to use the group mapping on a PDC, is that
87 >domain admin group</B
92 now gone. This parameter was used to give the listed users local admin rights
93 on their workstations. It was some magic stuff that simply worked but didn't
94 scale very well for complex setups.</P
96 >Let me explain how it works on NT/W2K, to have this magic fade away.
97 When installing NT/W2K on a computer, the installer program creates some users
98 and groups. Notably the 'Administrators' group, and gives to that group some
99 privileges like the ability to change the date and time or to kill any process
100 (or close too) running on the local machine. The 'Administrator' user is a
101 member of the 'Administrators' group, and thus 'inherit' the 'Administrators'
102 group privileges. If a 'joe' user is created and become a member of the
103 'Administrator' group, 'joe' has exactly the same rights as 'Administrator'.</P
105 >When a NT/W2K machine is joined to a domain, during that phase, the "Domain
106 Administrators' group of the PDC is added to the 'Administrators' group of the
107 workstation. Every members of the 'Domain Administrators' group 'inherit' the
108 rights of the 'Administrators' group when logging on the workstation.</P
110 >You are now wondering how to make some of your samba PDC users members of the
111 'Domain Administrators' ? That's really easy.</P
118 >create a unix group (usually in <TT
121 >), let's call it domadm</P
125 >add to this group the users that must be Administrators. For example if you want joe,john and mary, your entry in <TT
131 CLASS="PROGRAMLISTING"
132 >domadm:x:502:joe,john,mary</PRE
137 >Map this domadm group to the <B
140 > group by running the command:</P
144 >smbgroupedit -c "Domain Admins" -u domadm</B
149 >You're set, joe, john and mary are domain administrators !</P
151 >Like the Domain Admins group, you can map any arbitrary Unix group to any NT
152 group. You can also make any Unix group a domain group. For example, on a domain
153 member machine (an NT/W2K or a samba server running winbind), you would like to
154 give access to a certain directory to some users who are member of a group on
155 your samba PDC. Flag that group as a domain group by running:</P
159 >smbgroupedit -a unixgroup -td</B
162 >You can list the various groups in the mapping database like this</P
174 SUMMARY="Footer navigation table"
185 HREF="bugreport.html"
194 HREF="samba-howto-collection.html"
203 HREF="portability.html"