[Samba] The Solution -> Re: Q about net groupmap examples on samba.org

Michael Lueck mlueck at lueckdatasystems.com
Wed Jul 7 14:08:54 GMT 2004


Finally, the solution and yet more questions.

First, John was kind enough to respond to my Q's, so I will post his answers as I begin:

<><><><><><><><><><><><>
 > 1) Where does the net groupmap command store these mappings? The Domain
 > Admins is working for example, but I sure don't see where the settings were
 > stored on disk.

In the tdb file called group_mapping.tdb. On SuSE Linux this will be
in /var/lib/samba, on Red Hat Linux it can be in /var/cache/samba on some
systems. The default Samba-Team location is in /usr/local/samba/var/locks.

 > 2) Running "net user pianoman /domain" on the Win2K client
 > side shows the Domain Group membership, but not the local group. Since
 > DOMAINNAME\Domain Admins is made a member of the localgroup administrators
 > I have the admin permissions, but I did not get it via the ntadmins mapping
 > I did above. Did I miss something in this example that was the key to
 > making it work?

How do you expect this to function?
How do you believe this works with MS Windows NT4?
<><><><><><><><><><><><>

First, I guess I should have mentioned I was running Debian unstable with a 2.6.(5?) kernel and Samba 3.0.4. ReiserFS for everything other than /boot which is ext2.

So, yea, I can look for a tdb file now - no more "black hole" of where that data is going.

On the second Q, I'll turn it around and ask yet another question - what purpose do those mappings to local groups serve in the example? As I will outline soon, they were what was breaking mappings in my environment.

I've lived a sheltered life, first domains were LAN Server, then WarpServer / WarpServer for eBusiness. OS/2 clients, then NT4 and now Win2K. IBM had a great client that supported dropping some mapping rules in the registry (for Windows clients of course) and would map domain group membership to localgroup security upon login. It would even undo additional localgroups you should not be a member of.

Then life with NetWare for 6 years. The Windows support there was to have local accounts - NetWare does not try to be a PDC / M$ style.

So, this is the very first time I have ever tried to use the M$ client for File/Print domain style, scripting, yadda yadda... So, as a request to all involved in the Samba project, please try to not assume extensive NT4 / PDC experience. You can have people who are very talented and experienced dabbling with Samba that avoided NT4 / PDC entirely and are "cutting our teeth" on that world via Samba.

Anyway, so the solution to making this work, and yet more questions thrown in as a go along, and sample config files at the end:

First, add some group names to /etc/group

domadmin:x:2000:pianoman
domusers:x:2001:
domguest:x:2002:
ntadmins:x:2010:pianoman
ntpwrusr:x:2011:
ntusers:x:2012:
ntguests:x:2013:

dom* will be used to assign domain permissions, nt* will be used to assign local windows permissions. User names comma separated in the last field I've been told by my Linux engineer.

Next, use the net command to 1) map domain groups to these Linux dom* groups and 2) create / map domain groups for the Linux nt* groups.

#!/bin/bash
#
# initGrps.sh
#

# Map Windows Domain Groups to UNIX groups
net groupmap modify ntgroup="Domain Admins"  unixgroup=domadmin
net groupmap modify ntgroup="Domain Users"   unixgroup=domusers
net groupmap modify ntgroup="Domain Guests"  unixgroup=domguest

# Map Windows NT machine local groups to local UNIX groups
#net groupmap modify ntgroup="Administrators" unixgroup=ntadmins
#net groupmap modify ntgroup="Power Users"    unixgroup=ntpwrusr
#net groupmap modify ntgroup="Users"          unixgroup=ntusers
#net groupmap modify ntgroup="Guests"         unixgroup=ntguests

# Create some Domain Groups to administer local security
net groupmap add ntgroup=ntadmins unixgroup=ntadmins type=d
net groupmap add ntgroup=ntpwrusr unixgroup=ntpwrusr type=d
net groupmap add ntgroup=ntusers  unixgroup=ntusers  type=d
net groupmap add ntgroup=ntguests unixgroup=ntguests type=d

Note I have left in but commented out ones from John's example, more about those coming up...

This also assumes a smbpasswd back end, and that I have added the pianoman account to that. That process is documented enough other places so I will not here. I guess it also assumes smbd/nmbd are up in PDC mode, but I am not going to post my smb.conf until the end as I said, so that is assumed at this point.

Joining the domain. I am using the netdom command which matches Win2K SP4 as that is the SP I am running on the client side. I disable browser and server services (set to manual via registry hack - manual is critical) but netdom needs the server task running, so net start server to make it happy. Also, a domain admin ID is needed for netdom to do its job (same via the GUI but the server service is not needed via GUI)

NETDOM.EXE JOIN 'ComputerName' /Domain:'JOINWORKGROUP' /UserD:PianoMan /PasswordD:thepassword

Where ComputerName and JoinWorkGroup have been variablized in my Rexx program.

bing bing, RC=0 and you are in the domain... oops, not quite so fast there, first time won't be an rc=0 if you do the above mappings to get domain admin permissions!

This line in smb.conf is CRITICAL to joining the domain...

    admin users = pianoman

which for now I have put in the global section as there is no directory share involved with joining the domain. I guess IPC$ or something is involved and that is actually what needs the admin permissions for the account, but I have not dug in far enough yet to see how I can / can not secure the account used to add workstations to the domain.

OK, restart services, rerun netdom, and bing bing bing we are in the domain. YEA!!!

Now for the client side group mappings...

'NET LOCALGROUP "Users" "'JOINWORKGROUP'\Domain Users" /DEL'
'NET LOCALGROUP "Administrators" "'JOINWORKGROUP'\Domain Admins" /DEL'

'net localgroup "Administrators" "'JOINWORKGROUP'\ntadmins" /add'
'net localgroup "Power Users" "'JOINWORKGROUP'\ntpwrusr" /add'
'net localgroup "Users" "'JOINWORKGROUP'\ntpwrusr" /add'
'net localgroup "Guests" "'JOINWORKGROUP'\ntguests" /add'

again some punctuation / vars due to this being run via Rexx.

First two, get rid of mapping domain permissions directly to local permissions - I handle them separate. You could have a userID setterupper person who thus needs domain admin, but they do not need local admin (allowing them to trash their workstation) to get their job done, etc... so I keep these all separate.

Next, map those nt* domain groups through to local groups.

Cool, did that yesterday and two worked, two didn't. Just about pulled my hair out.... finally thought of the good old advice in the computing world - if you don't think you need a setting you put it, take it back out! So I cranked on backing out the four groupmap commands I had done per John's example and bing bing bing all four of my mappings now work perfectly! (On a side point, guest mapping also grants local user access which I know guests are at user level so that might not be an issue... and I don't use guest accounts anyway, so I will leave that research for another day)

As for why having John's groupmap suggestions implemented in addition to mine and that breaking two out of four.... ????????

Let's see what else... I guess that is about it. Covered that point about the two groupmap things fighting... oh yes, ifmember /list...

On this point, Domain Admin stuff... ifmember only sees the Domain Admin if I do it via the /etc/group file, Samba only "sees it" (netdom working as a test) if I put in the line in smb.conf... go figure!!!

All right, my smb.conf as-is, no warranty... and mind you I am going slow setting things up so as not to "do so much" that I don't know what is needed and what is not. So as-is this configuration allows...

1) Join the domain
2) Log in to Win2K with a domain account
3) Set domain and local permissions via mapping (and a line in the smb.conf)
4) Process a login script - OS specific since I use DOS to image these workstations
5) NET USE to a share, but don't actually work with files on the share - thus no what are they called... them *nix permission mask "thingys" in the shares yet

Thus, I am not the "jump in and hack until it works" type, or "share files as soon as I can" in other words.

Oh, and those blasted roaming profiles.... TURN THEM OFF!

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"LocalProfile"=dword:00000001

Just like that, gpedit.msc is the GUI way to get there, but repeat after me, "Scriptable is a good thing!"

<><><><><><><><><><>

[global]
    workgroup = lds-smb
    netbios name = LDSTST01
    server string = %h server (Samba %v)
;   wins support = no
;   wins server = w.x.y.z
;   dns proxy = no
;   name resolve order = lmhosts host wins bcast
    log file = /var/log/samba/log.%m
    max log size = 1000
;   syslog only = no
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
;   obey pam restrictions = yes
;   guest account = nobody
    invalid users = root
;   unix password sync = no
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
;   pam password change = no

########## NT Domain Related ##########
    admin users = pianoman
    security = user
    encrypt passwords = true
    passdb backend = smbpasswd
    domain logons = true
    time server = true
    add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
    logon script = %a.BAT


########## NT Domain Related - Master Browser ##########
    browse list = true
    domain master = true
    local master = true
    os level = 33
    preferred master = true


########## Printing ##########
;   load printers = yes
;   printing = bsd
;   printcap name = /etc/printcap
;   printing = cups
;   printcap name = cups
;   printer admin = @ntadmin

######## File sharing ########
# Name mangling options
;   preserve case = yes
;   short preserve case = yes
;   include = /home/samba/etc/smb.conf.%m
    socket options = TCP_NODELAY
;   message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
;   idmap uid = 10000-20000
;   idmap gid = 10000-20000
;   template shell = /bin/bash

;[homes]
;   comment = Home Directories
;   browseable = no
;   writable = no
;   create mask = 0700
;   directory mask = 0700

[netlogon]
    comment = Network Logon Service
    path = /shares/netlogon
    guest ok = no
    read only = yes
    write list = pianoman

;[printers]
;   comment = All Printers
;   browseable = no
;   path = /tmp
;   printable = yes
;   public = no
;   writable = no
;   create mode = 0700

;[print$]
;   comment = Printer Drivers
;   path = /var/lib/samba/printers
;   browseable = yes
;   read only = yes
;   guest ok = no
;   write list = root, @ntadmin

;[cdrom]
;   comment = Samba server's CD-ROM
;   writable = no
;   locking = no
;   path = /cdrom
;   public = yes
;   preexec = /bin/mount /cdrom
;   postexec = /bin/umount /cdrom

[stage]
    comment = MichaelDist Stager Share
    path = /shares/stage
    guest ok = no
    read only = yes
    write list = pianoman

<><><><><><><><>

Cheers! Hope something in all this research helps someone!

-- 
Michael Lueck
Lueck Data Systems

Remove the upper case letters NOSPAM to contact me directly.
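Added example, not part of Michael's post or of Samba's own tooling: a POSIX shell pre-flight check for a planned set of groupmap entries that flags the overlap described above (one unix group referenced by more than one NT group) and unix groups that do not exist yet. The mapping list and the group list are constructed from the post's values, plus one made-up "Backup Operators" entry to exercise the missing-group case.

```sh
#!/bin/sh
# Added example, not from the original post: pre-flight check of a planned
# set of "net groupmap" entries, one per line as "<ntgroup>|<unixgroup>".
# Constructed input: John's four local-group mappings, Michael's four domain
# groups, and one made-up entry (Backup Operators) for a group nobody created.
MAPPINGS='Domain Admins|domadmin
Domain Users|domusers
Domain Guests|domguest
Administrators|ntadmins
Power Users|ntpwrusr
Users|ntusers
Guests|ntguests
ntadmins|ntadmins
ntpwrusr|ntpwrusr
ntusers|ntusers
ntguests|ntguests
Backup Operators|ntbackup'

# Constructed stand-in for the post's /etc/group so this runs offline;
# on a real server use: KNOWN_GROUPS=$(getent group | cut -d: -f1)
KNOWN_GROUPS='domadmin domusers domguest ntadmins ntpwrusr ntusers ntguests'

# Unix groups a mapping refers to that are not in the group database.
missing_groups() {
    printf '%s\n' "$MAPPINGS" | cut -d'|' -f2 | sort -u | while read -r g; do
        printf '%s\n' $KNOWN_GROUPS | grep -qx -- "$g" || printf '%s\n' "$g"
    done
}

# Unix groups that two or more NT groups map to. Samba also resolves
# gid -> SID, and a shared gid can only answer for one of the NT groups,
# which is the kind of overlap that broke mappings in the post.
duplicate_unixgroups() {
    printf '%s\n' "$MAPPINGS" | cut -d'|' -f2 | sort | uniq -d
}

# Succeeds only when the plan is safe to hand to "net groupmap add/modify".
check_mappings() {
    [ -z "$(missing_groups)" ] && [ -z "$(duplicate_unixgroups)" ]
}

if check_mappings; then
    echo "groupmap plan is consistent"
else
    echo "unix groups missing from the group database:"; missing_groups
    echo "unix groups claimed by more than one NT group:"; duplicate_unixgroups
fi
```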
