source: branches/samba-3.2.x/docs/htmldocs/Samba3-HOWTO/groupmapping.html

Last change on this file was 335, checked in by Herwig Bauernfeind, 16 years ago

Update 3.2 to 3.2.14 (final)
File size: 43.0 KB
RevLine 
[335]1<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 12. Group Mapping: MS Windows and UNIX</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="passdb.html" title="Chapter 11. Account Information Databases"><link rel="next" href="NetCommand.html" title="Chapter 13. Remote and Local Management: The Net Command"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 12. Group Mapping: MS Windows and UNIX</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="passdb.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="NetCommand.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="groupmapping"></a>Chapter 12. Group Mapping: MS Windows and UNIX</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="orgname">Samba Team</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:[email protected]">[email protected]</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jean François</span> <span class="surname">Micouleau</span></h3></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="orgname">Samba Team</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:[email protected]">[email protected]</a>&gt;</code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="groupmapping.html#id2595891">Features and Benefits</a></span></dt><dt><span class="sect1"><a href="groupmapping.html#id2596307">Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="groupmapping.html#id2596644">Warning: User Private Group Problems</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id2596702">Nested Groups: Adding Windows Domain Groups to Windows Local Groups</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id2597278">Important Administrative Information</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id2597518">Default Users, Groups, and Relative Identifiers</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id2598143">Example Configuration</a></span></dt></dl></dd><dt><span class="sect1"><a href="groupmapping.html#id2598220">Configuration Scripts</a></span></dt><dd><dl><dt><span class="sect2"><a href="groupmapping.html#id2598231">Sample smb.conf Add Group Script</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id2598403">Script to Configure Group Mapping</a></span></dt></dl></dd><dt><span class="sect1"><a href="groupmapping.html#id2598530">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="groupmapping.html#id2598543">Adding Groups Fails</a></span></dt><dt><span class="sect2"><a href="groupmapping.html#id2598630">Adding Domain Users to the Workstation Power Users Group</a></span></dt></dl></dd></dl></div><p>
[272]2<a class="indexterm" name="id2595765"></a>
3<a class="indexterm" name="id2595774"></a>
4<a class="indexterm" name="id2595781"></a>
5<a class="indexterm" name="id2595788"></a>
6<a class="indexterm" name="id2595794"></a>
7<a class="indexterm" name="id2595801"></a>
[204]8 Starting with Samba-3, new group mapping functionality is available to create associations
9 between Windows group SIDs and UNIX group GIDs. The <code class="literal">groupmap</code> subcommand
10 included with the <span class="application">net</span> tool can be used to manage these associations.
11 </p><p>
[272]12<a class="indexterm" name="id2595826"></a>
13<a class="indexterm" name="id2595833"></a>
[204]14 The new facility for mapping NT groups to UNIX system groups allows the administrator to decide
15 which NT domain groups are to be exposed to MS Windows clients. Only those NT groups that map
16 to a UNIX group that has a value other than the default (<code class="constant">-1</code>) will be exposed
17 in group selection lists in tools that access domain users and groups.
18 </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
[272]19 <a class="indexterm" name="id2595855"></a>
20<a class="indexterm" name="id2595862"></a>
[204]21 The <em class="parameter"><code>domain admin group</code></em> parameter has been removed in Samba-3 and should no longer
22 be specified in <code class="filename">smb.conf</code>. In Samba-2.2.x, this parameter was used to give the listed users membership in the
23 <code class="constant">Domain Admins</code> Windows group, which gave local admin rights on their workstations
24 (in default configurations).
[272]25 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2595891"></a>Features and Benefits</h2></div></div></div><p>
[204]26 Samba allows the administrator to create MS Windows NT4/200x group accounts and to
27 arbitrarily associate them with UNIX/Linux group accounts.
28 </p><p>
[272]29 <a class="indexterm" name="id2595905"></a>
[335]30 <a class="indexterm" name="id2595912"></a>
[272]31 <a class="indexterm" name="id2595918"></a>
32<a class="indexterm" name="id2595925"></a>
33<a class="indexterm" name="id2595931"></a>
34<a class="indexterm" name="id2595938"></a>
35<a class="indexterm" name="id2595945"></a>
[204]36 Group accounts can be managed using the MS Windows NT4 or MS Windows 200x/XP Professional MMC tools.
37 Appropriate interface scripts should be provided in <code class="filename">smb.conf</code> if it is desired that UNIX/Linux system
38 accounts should be automatically created when these tools are used. In the absence of these scripts, and
39 so long as <code class="literal">winbindd</code> is running, Samba group accounts that are created using these
40 tools will be allocated UNIX UIDs and GIDs from the ID range specified by the
[231]41 <a class="link" href="smb.conf.5.html#IDMAPUID" target="_top">idmap uid</a>/<a class="link" href="smb.conf.5.html#IDMAPGID" target="_top">idmap gid</a>
[204]42 parameters in the <code class="filename">smb.conf</code> file.
43 </p><div class="figure"><a name="idmap-sid2gid"></a><p class="title"><b>Figure 12.1. IDMAP: Group SID-to-GID Resolution.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/idmap-sid2gid.png" width="270" alt="IDMAP: Group SID-to-GID Resolution."></div></div></div><br class="figure-break"><div class="figure"><a name="idmap-gid2sid"></a><p class="title"><b>Figure 12.2. IDMAP: GID Resolution to Matching SID.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/idmap-gid2sid.png" width="270" alt="IDMAP: GID Resolution to Matching SID."></div></div></div><br class="figure-break"><p>
[272]44 <a class="indexterm" name="id2596088"></a>
45<a class="indexterm" name="id2596095"></a>
[335]46<a class="indexterm" name="id2596102"></a>
[272]47<a class="indexterm" name="id2596110"></a>
[204]48 In both cases, when winbindd is not running, only locally resolvable groups can be recognized. Please refer to
49 <a class="link" href="groupmapping.html#idmap-sid2gid" title="Figure 12.1. IDMAP: Group SID-to-GID Resolution.">IDMAP: Group SID-to-GID Resolution</a> and <a class="link" href="groupmapping.html#idmap-gid2sid" title="Figure 12.2. IDMAP: GID Resolution to Matching SID.">IDMAP: GID Resolution to Matching SID</a>. The <code class="literal">net groupmap</code> is
50 used to establish UNIX group to NT SID mappings as shown in <a class="link" href="groupmapping.html#idmap-store-gid2sid" title="Figure 12.3. IDMAP Storing Group Mappings.">IDMAP: storing
51 group mappings</a>.
52 </p><div class="figure"><a name="idmap-store-gid2sid"></a><p class="title"><b>Figure 12.3. IDMAP Storing Group Mappings.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/idmap-store-gid2sid.png" width="270" alt="IDMAP Storing Group Mappings."></div></div></div><br class="figure-break"><p>
[335]53 <a class="indexterm" name="id2596197"></a>
[272]54 <a class="indexterm" name="id2596203"></a>
55<a class="indexterm" name="id2596210"></a>
56<a class="indexterm" name="id2596217"></a>
[204]57 Administrators should be aware that where <code class="filename">smb.conf</code> group interface scripts make
58 direct calls to the UNIX/Linux system tools (the shadow utilities, <code class="literal">groupadd</code>,
59 <code class="literal">groupdel</code>, and <code class="literal">groupmod</code>), the resulting UNIX/Linux group names will be subject
60 to any limits imposed by these tools. If the tool does not allow uppercase characters
61 or space characters, then the creation of an MS Windows NT4/200x-style group of
62 <code class="literal">Engineering Managers</code> will attempt to create an identically named
63 UNIX/Linux group, an attempt that will of course fail.
64 </p><p>
[272]65 <a class="indexterm" name="id2596265"></a>
66 <a class="indexterm" name="id2596271"></a>
[204]67 There are several possible workarounds for the operating system tools limitation. One
68 method is to use a script that generates a name for the UNIX/Linux system group that
69 fits the operating system limits and that then just passes the UNIX/Linux group ID (GID)
70 back to the calling Samba interface. This will provide a dynamic workaround solution.
71 </p><p>
[272]72<a class="indexterm" name="id2596287"></a>
[204]73 Another workaround is to manually create a UNIX/Linux group, then manually create the
74 MS Windows NT4/200x group on the Samba server, and then use the <code class="literal">net groupmap</code>
75 tool to connect the two to each other.
[272]76 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2596307"></a>Discussion</h2></div></div></div><p>
77<a class="indexterm" name="id2596315"></a>
78<a class="indexterm" name="id2596322"></a>
[204]79 When you install <span class="application">MS Windows NT4/200x</span> on a computer, the installation
80 program creates default users and groups, notably the <code class="constant">Administrators</code> group,
81 and gives that group privileges necessary to perform essential system tasks,
82 such as the ability to change the date and time or to kill (or close) any process running on the
83 local machine.
84 </p><p>
[272]85 <a class="indexterm" name="id2596347"></a>
[204]86 The <code class="constant">Administrator</code> user is a member of the <code class="constant">Administrators</code> group, and thus inherits
87 <code class="constant">Administrators</code> group privileges. If a <code class="constant">joe</code> user is created to be a member of the
88 <code class="constant">Administrators</code> group, <code class="constant">joe</code> has exactly the same rights as the user
89 <code class="constant">Administrator</code>.
90 </p><p>
[272]91<a class="indexterm" name="id2596386"></a>
92<a class="indexterm" name="id2596393"></a>
93<a class="indexterm" name="id2596400"></a>
[335]94<a class="indexterm" name="id2596407"></a>
[204]95 When an MS Windows NT4/200x/XP machine is made a domain member, the &#8220;<span class="quote">Domain Admins</span>&#8221; group of the
96 PDC is added to the local <code class="constant">Administrators</code> group of the workstation. Every member of the
97 <code class="constant">Domain Admins</code> group inherits the rights of the local <code class="constant">Administrators</code> group when
98 logging on the workstation.
99 </p><p>
[272]100<a class="indexterm" name="id2596435"></a>
101<a class="indexterm" name="id2596442"></a>
[204]102 The following steps describe how to make Samba PDC users members of the <code class="constant">Domain Admins</code> group.
103 </p><div class="orderedlist"><ol type="1"><li><p>
104 Create a UNIX group (usually in <code class="filename">/etc/group</code>); let's call it <code class="constant">domadm</code>.
105 </p></li><li><p>
[272]106<a class="indexterm" name="id2596480"></a>
[204]107 Add to this group the users that must be &#8220;<span class="quote">Administrators</span>&#8221;. For example,
108 if you want <code class="constant">joe, john</code>, and <code class="constant">mary</code> to be administrators,
109 your entry in <code class="filename">/etc/group</code> will look like this:
110 </p><pre class="programlisting">
111 domadm:x:502:joe,john,mary
112 </pre><p>
113 </p></li><li><p>
114 Map this domadm group to the &#8220;<span class="quote">Domain Admins</span>&#8221; group by executing the command:
115 </p><p>
116</p><pre class="screen">
117<code class="prompt">root# </code><strong class="userinput"><code>net groupmap add ntgroup="Domain Admins" unixgroup=domadm rid=512 type=d</code></strong>
118</pre><p>
119 </p><p>
[272]120 <a class="indexterm" name="id2596547"></a>
[204]121 The quotes around &#8220;<span class="quote">Domain Admins</span>&#8221; are necessary due to the space in the group name.
122 Also make sure to leave no white space surrounding the equal character (=).
123 </p></li></ol></div><p>
124 Now <code class="constant">joe, john</code>, and <code class="constant">mary</code> are domain administrators.
125 </p><p>
[272]126 <a class="indexterm" name="id2596576"></a>
[204]127 It is possible to map any arbitrary UNIX group to any Windows NT4/200x group as well as
128 to make any UNIX group a Windows domain group. For example, if you wanted to include a
129 UNIX group (e.g., acct) in an ACL on a local file or printer on a Domain Member machine,
130 you would flag that group as a domain group by running the following on the Samba PDC:
131 </p><p>
132</p><pre class="screen">
133<code class="prompt">root# </code><strong class="userinput"><code>net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct type=d</code></strong>
134</pre><p>
135 The <code class="literal">ntgroup</code> value must be in quotes if it contains space characters to prevent
136 the space from being interpreted as a command delimiter.
137 </p><p>
[272]138<a class="indexterm" name="id2596623"></a>
139<a class="indexterm" name="id2596630"></a>
[204]140 Be aware that the RID parameter is an unsigned 32-bit integer that should
141 normally start at 1000. However, this RID must not overlap with any RID assigned
142 to a user. Verification for this is done differently depending on the passdb backend
143 you are using. Future versions of the tools may perform the verification automatically,
144 but for now the burden is on you.
[272]145 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2596644"></a>Warning: User Private Group Problems</h3></div></div></div><p>
146<a class="indexterm" name="id2596652"></a>
147<a class="indexterm" name="id2596659"></a>
148<a class="indexterm" name="id2596666"></a>
[204]149 Windows does not permit user and group accounts to have the same name.
150 This has serious implications for all sites that use private group accounts.
151 A private group account is an administrative practice whereby users are each
152 given their own group account. Red Hat Linux, as well as several free distributions
153 of Linux, by default create private groups.
154 </p><p>
[272]155<a class="indexterm" name="id2596682"></a>
156<a class="indexterm" name="id2596689"></a>
[204]157 When mapping a UNIX/Linux group to a Windows group account, all conflict can
158 be avoided by assuring that the Windows domain group name does not overlap
159 with any user account name.
[335]160 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2596702"></a>Nested Groups: Adding Windows Domain Groups to Windows Local Groups</h3></div></div></div><a class="indexterm" name="id2596708"></a><p>
[272]161<a class="indexterm" name="id2596719"></a>
[204]162 This functionality is known as <code class="constant">nested groups</code> and was first added to
163 Samba-3.0.3.
164 </p><p>
[335]165<a class="indexterm" name="id2596735"></a>
[204]166 All MS Windows products since the release of Windows NT 3.10 support the use of nested groups.
167 Many Windows network administrators depend on this capability because it greatly simplifies security
168 administration.
169 </p><p>
[272]170<a class="indexterm" name="id2596748"></a>
171<a class="indexterm" name="id2596755"></a>
172<a class="indexterm" name="id2596762"></a>
173<a class="indexterm" name="id2596769"></a>
174<a class="indexterm" name="id2596776"></a>
175<a class="indexterm" name="id2596783"></a>
176<a class="indexterm" name="id2596790"></a>
[204]177 The nested group architecture was designed with the premise that day-to-day user and group membership
178 management should be performed on the domain security database. The application of group security
179 should be implemented on domain member servers using only local groups. On the domain member server,
180 all file system security controls are then limited to use of the local groups, which will contain
181 domain global groups and domain global users.
182 </p><p>
[272]183<a class="indexterm" name="id2596808"></a>
184<a class="indexterm" name="id2596815"></a>
185<a class="indexterm" name="id2596822"></a>
[204]186 You may ask, What are the benefits of this arrangement? The answer is obvious to those who have plumbed
187 the dark depths of Windows networking architecture. Consider for a moment a server on which are stored
188 200,000 files, each with individual domain user and domain group settings. The company that owns the
189 file server is bought by another company, resulting in the server being moved to another location, and then
190 it is made a member of a different domain. Who would you think now owns all the files and directories?
191 Answer: Account Unknown.
192 </p><p>
[272]193<a class="indexterm" name="id2596842"></a>
194<a class="indexterm" name="id2596849"></a>
195<a class="indexterm" name="id2596856"></a>
196<a class="indexterm" name="id2596862"></a>
[204]197 Unraveling the file ownership mess is an unenviable administrative task that can be avoided simply
198 by using local groups to control all file and directory access control. In this case, only the members
199 of the local groups will have been lost. The files and directories in the storage subsystem will still
200 be owned by the local groups. The same goes for all ACLs on them. It is administratively much simpler