1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
5 >Group mapping HOWTO</TITLE
8 CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
10 TITLE="SAMBA Project Documentation"
11 HREF="samba-howto-collection.html"><LINK
13 TITLE="Optional configuration"
14 HREF="optional.html"><LINK
16 TITLE="HOWTO Access Samba source code via CVS"
17 HREF="cvs-access.html"><LINK
19 TITLE="Samba performance issues"
20 HREF="speed.html"></HEAD
31 SUMMARY="Header navigation table"
40 >SAMBA Project Documentation</TH
48 HREF="cvs-access.html"
77 >Chapter 22. Group mapping HOWTO</H1
80 Starting with Samba 3.0 alpha 2, a new group mapping function is available. The
81 current method (likely to change) to manage the groups is a new command called
87 >The first immediate reason to use the group mapping on a PDC, is that
90 >domain admin group</B
95 now gone. This parameter was used to give the listed users local admin rights
96 on their workstations. It was some magic stuff that simply worked but didn't
97 scale very well for complex setups.</P
99 >Let me explain how it works on NT/W2K, to have this magic fade away.
100 When installing NT/W2K on a computer, the installer program creates some users
101 and groups. Notably the 'Administrators' group, and gives to that group some
102 privileges like the ability to change the date and time or to kill any process
103 (or close too) running on the local machine. The 'Administrator' user is a
104 member of the 'Administrators' group, and thus 'inherit' the 'Administrators'
105 group privileges. If a 'joe' user is created and become a member of the
106 'Administrator' group, 'joe' has exactly the same rights as 'Administrator'.</P
108 >When a NT/W2K machine is joined to a domain, during that phase, the "Domain
109 Administrators' group of the PDC is added to the 'Administrators' group of the
110 workstation. Every members of the 'Domain Administrators' group 'inherit' the
111 rights of the 'Administrators' group when logging on the workstation.</P
113 >You are now wondering how to make some of your samba PDC users members of the
114 'Domain Administrators' ? That's really easy.</P
121 >create a unix group (usually in <TT
124 >), let's call it domadm</P
128 >add to this group the users that must be Administrators. For example if you want joe,john and mary, your entry in <TT
134 CLASS="PROGRAMLISTING"
135 >domadm:x:502:joe,john,mary</PRE
140 >Map this domadm group to the <B
143 > group by running the command:</P
147 >smbgroupedit -c "Domain Admins" -u domadm</B
152 >You're set, joe, john and mary are domain administrators !</P
154 >Like the Domain Admins group, you can map any arbitrary Unix group to any NT
155 group. You can also make any Unix group a domain group. For example, on a domain
156 member machine (an NT/W2K or a samba server running winbind), you would like to
157 give access to a certain directory to some users who are member of a group on
158 your samba PDC. Flag that group as a domain group by running:</P
162 >smbgroupedit -a unixgroup -td</B
165 >You can list the various groups in the mapping database like this</P
177 SUMMARY="Footer navigation table"
188 HREF="cvs-access.html"
197 HREF="samba-howto-collection.html"
216 >HOWTO Access Samba source code via CVS</TD
230 >Samba performance issues</TD