[Samba] Samba Group Mapping

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Jan 11 07:59:22 MST 2010 

On 01/11/10 06:48, Brajesh Shrivastava wrote:
> Hi All
>
> I have Samba 3.2.11 installed on Suse (sles 10) machine. I am playing 
> around the group mapping functionality. When I map a linux group to nt 
> group. I can see that groups is visible on windows client. But, if I 
> restart the smbd daemon (while changing the scurity mode for ads to 
> user or vice versa), I can no more see the mapped group to the the 
> Windows client. Though, I was able to see the mapping in the output of 
> 'net groupmap list' command. I will request you to please let me know 
> the answer of following questions:
>
> 1. Is there any way to see the mapped group to the windows client even 
> after changing the security mode or restarting the samba server?
>
> 2. Does  samba store the group mapping in group_mapping.ldb file. Will 
> it be enough to copy this file to other node to get cluster wise 
> solution for group mapping or do I need to follow any other steps.
>
> 3. Can I map built-in domain group like "Domain Admins", "Domain 
> Users" etc to the Unix group? If yes, should I need to keep SID fixed 
> by specifying rid value?
>
> 4. If I want to do the manual mapping, do I need to specify parameter 
> 'add group script' in smb.conf? When is this option called?
>
>
> Thanks a lot in advance.

Group mappings should be persistent in either the local TDB file or the 
LDAP backend, depending on how you are configuring your machine.    
There are some group mappings that you must have.

I have found that I can copy a TBD file for group mapping between 
machines BUT your group mapping requirements may be a little different 
for a domain controller vs a member server.    It is probably safer to 
reenter the commands on the other machines.


The member server may need the local "Administrators" and "Users" groups 
defined (see below) that I don't think you need on the domain 
controllers.    The rid values for these well known groups is defined by 
Microsoft and available in the Samba docn.

e.g

net groupmap add ntgroup="Domain Admins" unixgroup=10512 rid=512

net groupmap add ntgroup="Domain Users" unixgroup=10513 rid=513

net groupmap add ntgroup="Domain Guests" unixgroup=10514 rid=514

net groupmap add ntgroup="Domain Controllers" unixgroup=10516  rid=516

net groupmap add ntgroup="Domain Computers" unixgroup=10515  rid=515


net groupmap add ntgroup="Administrators" unixgroup=10544 rid=544 type=local

net groupmap add ntgroup="Users" unixgroup=10545 rid=545 type=local

net groupmap add ntgroup="Guests" unixgroup=nobody rid=546 type=local

More information about the samba mailing list