USRMGR.EXE and SAMBA (main branch NOT SAMBA_2_0)

Luke Kenneth Casson Leighton lkcl at switchboard.net
Wed Dec 2 22:56:53 GMT 1998


usrmgr.exe now successfully shows:

- users and what local and domain groups they are in

- domain groups and what domain users are in them

- local groups and what local groups, domain groups or domain users are
  in them.

this is managed with three new options:

"domain group map"
"domain user map"
"local group map"

which are documented in smb.conf.  they make unix "look" like NT, while
still maintaining uid/gid and NT SID integrity on both sides.

"add", "delete" and "change" are next on the list of things to do, as is
inter-domain trust relationships.

i have had unix groups explained to me by mike warfield: apparently the
unix user primary group need _not_ appear in /etc/group, the user will
_still_ be in that group: initgroups() takes the primary group as its
second argument, it adds it to the list of groups returned.

so, the users' primary group will be missing unless explicitly mentioned
in /etc/group, until i fix this (two, three days?)

other issues: NT groups can own files.  why?  because a SID is a SID.

this implies that, if we want the same functionality in Samba, a unix
userid needs to be created with the same name as a unix group, with no
unix shell or password.  then this "user", which will represent an NT
group, will be able to own a file / directory.  samba does not break the
unix security model, even when it breaks windows as a result: we're not
about to start, now.

will keep you all informed.

luke
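
The primary-group gap described in the message, shown as an added example (not Samba code and not part of the original post): it parses constructed /etc/passwd and /etc/group text and compares a lookup that reads only group member lists with one that also adds the gid from the passwd entry. The user names, group names and function names are assumptions made for illustration, and the parser assumes non-empty password fields.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data in /etc/passwd and /etc/group format. */
static const char *PASSWD = "alice:x:1000:100::/home/alice:/bin/sh\n"
                            "bob:x:1001:200::/home/bob:/bin/sh\n";
static const char *GROUP  = "users:x:100:\n"   /* alice's primary group, empty member list */
                            "staff:x:200:bob\n"
                            "wheel:x:10:alice,bob\n";

static const char *next_line(const char *l) { l += strcspn(l, "\n"); return *l ? l + 1 : l; }

/* 1 if `name` is exactly one item of the comma-separated list `s`. */
static int in_list(const char *s, const char *name) {
    size_t nlen = strlen(name);
    for (;;) {
        size_t k = strcspn(s, ",");
        if (k == nlen && memcmp(s, name, k) == 0) return 1;
        if (s[k] == '\0') return 0;
        s += k + 1;
    }
}

/* Primary gid (4th passwd field), or -1 if the user has no passwd entry. */
long primary_gid(const char *user) {
    char name[64]; long gid;
    for (const char *l = PASSWD; *l; l = next_line(l))
        if (sscanf(l, "%63[^:]:%*[^:]:%*d:%ld", name, &gid) == 2 && strcmp(name, user) == 0)
            return gid;
    return -1;
}

/* Collect gids; with_primary=0 reads member lists only, 1 adds the passwd gid first. */
int user_gids(const char *user, int with_primary, long *out, int max) {
    char members[256];
    long gid, pgid = with_primary ? primary_gid(user) : -1;
    int count = 0;
    if (pgid >= 0 && count < max) out[count++] = pgid;
    for (const char *l = GROUP; *l; l = next_line(l))   /* empty member list: sscanf returns 1 */
        if (sscanf(l, "%*[^:]:%*[^:]:%ld:%255[^\n]", &gid, members) == 2 &&
            in_list(members, user) && gid != pgid && count < max)
            out[count++] = gid;
    return count;
}

int main(void) {
    long g[8];
    printf("alice, member lists only: %d group(s)\n", user_gids("alice", 0, g, 8));
    printf("alice, with primary gid:  %d group(s)\n", user_gids("alice", 1, g, 8));
}
```

With the sample data, the member-list-only lookup never reports gid 100 for alice, which is the missing primary group the message describes.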


