[Samba] Samba Group Mapping
Brajesh Shrivastava
brajeshkumar_shrivas at symantec.com
Mon Jan 11 08:13:53 MST 2010
Gaiseric Vandal wrote:
> On 01/11/10 06:48, Brajesh Shrivastava wrote:
>> Hi All
>>
>> I have Samba 3.2.11 installed on a SUSE (SLES 10) machine. I am playing
>> around with the group mapping functionality. When I map a Linux group to
>> an NT group, I can see that the group is visible on the Windows client. But if
>> I restart the smbd daemon (while changing the security mode from ads to
>> user or vice versa), I can no longer see the mapped group on the
>> Windows client, though I was still able to see the mapping in the output
>> of the 'net groupmap list' command. I will request you to please let me
>> know the answers to the following questions:
>>
>> 1. Is there any way to see the mapped group to the windows client
>> even after changing the security mode or restarting the samba server?
>>
>> 2. Does Samba store the group mapping in the group_mapping.ldb file?
>> Will it be enough to copy this file to the other node to get a cluster-wide
>> solution for group mapping, or do I need to follow any other steps?
>>
>> 3. Can I map built-in domain groups like "Domain Admins", "Domain
>> Users" etc. to Unix groups? If yes, do I need to keep the SID fixed
>> by specifying the rid value?
>>
>> 4. If I want to do the manual mapping, do I need to specify the parameter
>> 'add group script' in smb.conf? When is this option called?
>>
>>
>> Thanks a lot in advance.
>
> Group mappings should be persistent in either the local TDB file or
> the LDAP backend, depending on how you are configuring your
> machine. There are some group mappings that you must have.
>
> I have found that I can copy a TDB file for group mapping between
> machines BUT your group mapping requirements may be a little different
> for a domain controller vs a member server. It is probably safer to
> re-enter the commands on the other machines.
>
>
> The member server may need the local "Administrators" and "Users"
> groups defined (see below) that I don't think you need on the domain
> controllers. The rid values for these well-known groups are defined
> by Microsoft and available in the Samba documentation.
>
> e.g.
>
> net groupmap add ntgroup="Domain Admins" unixgroup=10512 rid=512
>
> net groupmap add ntgroup="Domain Users" unixgroup=10513 rid=513
>
> net groupmap add ntgroup="Domain Guests" unixgroup=10514 rid=514
>
> net groupmap add ntgroup="Domain Controllers" unixgroup=10516 rid=516
>
> net groupmap add ntgroup="Domain Computers" unixgroup=10515 rid=515
>
>
> net groupmap add ntgroup="Administrators" unixgroup=10544 rid=544
> type=local
>
> net groupmap add ntgroup="Users" unixgroup=10545 rid=545 type=local
>
> net groupmap add ntgroup="Guests" unixgroup=nobody rid=546 type=local
>
>
>
>
Hi Gaiseric
Thanks a lot for your prompt reply. Still, there is some confusion:
Do I need to specify the gid of the Unix group? I think the name should also
work. Suppose "Domain Admins" (RID 512) is mapped to the Unix group with gid 10234.
If I change the group ownership of a file to "Domain Admins", what gid
value will be assigned to that file? Will it be 10512 or 10234?
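Added example (editor's, not part of this thread and not a Samba tool): a shell script that audits a `net groupmap list` listing against the well-known RIDs Gaiseric lists, and shows which Unix gid a file ends up with when its group is set to a mapped NT group. Both inputs are constructed samples in the formats that `net groupmap list` ("NT name (SID) -> unixgroup") and /etc/group use; the group names domadmins, domusers, localadmins and their gids are assumptions. The gid question resolves the way Samba works: the file carries the gid of the Unix group named in the mapping (10234 in the sample), because a RID is a Windows identifier and never a Unix gid.

```shell
#!/bin/bash
# Added example (editor's, not from this thread or from Samba): audit Samba 3
# group mappings and show which Unix gid a mapped NT group resolves to.
# Both inputs below are CONSTRUCTED samples in the formats of
# `net groupmap list` ("NT name (SID) -> unixgroup") and /etc/group;
# on a real server replace them with the output of
#   net groupmap list   and   getent group

GROUPMAP_SAMPLE='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> domadmins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> domusers
Domain Guests (S-1-5-21-1111111111-2222222222-3333333333-1001) -> nobody
Administrators (S-1-5-32-544) -> localadmins'
# "Domain Guests" above was (by construction) added without rid=514,
# so it carries an allocated RID instead of the well-known one.

ETC_GROUP_SAMPLE='root:x:0:
nobody:x:65534:
domadmins:x:10234:
domusers:x:10513:
localadmins:x:10544:'

# Well-known RIDs from the list in the reply above: domain groups and local aliases.
WELL_KNOWN='512:Domain Admins
513:Domain Users
514:Domain Guests
515:Domain Computers
516:Domain Controllers
544:Administrators
545:Users
546:Guests'

# The last dash-separated component of a SID is its RID.
rid_of_sid() { printf '%s\n' "${1##*-}"; }

# SID recorded for NT group $1, or nothing if no mapping exists.
sid_for_nt() {
    printf '%s\n' "$GROUPMAP_SAMPLE" | while IFS= read -r line; do
        nt=${line%% \(*}
        sid=${line#*\(}; sid=${sid%%\)*}
        if [ "$nt" = "$1" ]; then printf '%s\n' "$sid"; fi
    done
}

# Unix group recorded for NT group $1, or nothing if unmapped.
unix_group_for_nt() {
    printf '%s\n' "$GROUPMAP_SAMPLE" | while IFS= read -r line; do
        nt=${line%% \(*}
        if [ "$nt" = "$1" ]; then printf '%s\n' "${line#*-> }"; fi
    done
}

# gid of Unix group $1 from the /etc/group sample.
gid_of_group() {
    printf '%s\n' "$ETC_GROUP_SAMPLE" | while IFS=: read -r name pw gid members; do
        if [ "$name" = "$1" ]; then printf '%s\n' "$gid"; fi
    done
}

# gid a file ends up with when its group is set to NT group $1: the gid of the
# mapped Unix group (the RID is a Windows identifier, never a Unix gid).
effective_gid_for_nt() {
    ug=$(unix_group_for_nt "$1")
    if [ -z "$ug" ]; then printf 'unmapped\n'; return 0; fi
    gid_of_group "$ug"
}

# Report each well-known group as ok / MISSING / RID MISMATCH and end with a
# "problems=N" line; run it after a restart or security-mode change to
# confirm the mappings survived.
check_well_known() {
    problems=0
    while IFS=: read -r rid name; do
        sid=$(sid_for_nt "$name")
        if [ -z "$sid" ]; then
            printf 'MISSING      %-18s rid %s not mapped\n' "$name" "$rid"
            problems=$((problems + 1))
        elif [ "$(rid_of_sid "$sid")" != "$rid" ]; then
            printf 'RID MISMATCH %-18s expected %s, got %s\n' "$name" "$rid" "$(rid_of_sid "$sid")"
            problems=$((problems + 1))
        else
            printf 'ok           %-18s -> %s (gid %s)\n' \
                "$name" "$(unix_group_for_nt "$name")" "$(effective_gid_for_nt "$name")"
        fi
    done <<EOF
$WELL_KNOWN
EOF
    printf 'problems=%s\n' "$problems"
}

check_well_known
```

With the constructed sample the report flags "Domain Guests" as a RID mismatch (an allocated RID instead of 514) and the four groups that were never mapped as missing; a mapping file copied between a domain controller and a member server would show up the same way, which is the practical check behind the advice to re-enter the commands rather than copy the TDB.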