Changes in Samba 2.0

Gerald W. Carter cartegw at Eng.Auburn.EDU
Tue Sep 15 12:53:40 GMT 1998

On Tue, 15 Sep 1998, David Collier-Brown wrote:

> Gerald Carter wrote:
> > Not sure I can help, but what do you need to know?
> > All my documentation on the NTDOM stuff is linked
> > off the main samba site under the "NT Domains FAQ"
> 	I've read it, and it diluted my ignorance most 
> 	wonderfully, but I'm primarily looking for a bit 
> 	of information about the semantics of the new options.
> These have been discussed to some extent
>       domain controller = 

Obselete I think

>       domain sid =

Has been replaced.  The MACHINE SID is generated randomly an now stored in
private/MACHINE.SID (this value is obtained from the value of "domain sid
=" if it exists but other than that the parameter is ignored once
MACHINE.SID is created.

>       machine password = 
> 	and
>       security = domain

Instructions for adding to a domain are in the FAQ.  Once Jeremy is
through with it, it will not be necessary to have matching unix accounts
on the Samba box (or use the username map option to map NT RID's to unix
uids )
> These haven't.
>       domain groups = 

List of group RID's to add to the user's info token upon login (i think )
havne't played much with this one.  Haven't found much use yet ( although
combined with the inlude directive, could provide / restrict access to
certain things like dial-up access, etc... )  Will really come in handy
once the RID <-> uid mapping and lsarLookupNames is done.

>       domain admin group = 

Add's the well known group DOMAIN ADMIN group to the user info token which
is sent back during  login.  Takes a list of usernames as a value.

This provides a simple method of creating domain administrative accounts.

>       domain guest group =

Same as domain admin group except it uses the well know GUEST RID.

>       domain admin users = 
>       domain guest users = 

Obselete and soon to be removed.

>       groupname map = 

Works like "username map" except maps NT groups to unix groups ( not in
there yet, is it? )  The idea is to allow mappings such as wheel <->
"Domain Admins", etc...

> Can anyone tell me what the basic intention of these are?
> They're new, and not overly documented: they were
> mentioned here once as a future work item.

Hope that helps.

> A quick look at the sources shows the domain admin group
> lp_domain_admin_group, is used as a user list in api_net_sam_logon
> samr_reply_query_usergroups and get_domain_user_groups,
> which means its some sort of unix-like group, but what did the
> authors **mean*** by it?
> 	0) a group, just like a unix group
> 	1) an nt group, distinct from a unix group
> 	2) a logical merging of the two concepts
> 	or
> 	3) an illogical merging of the two (;-))
> the existance of groupname map implies any of 0-2.
> To put it in the shortest possible terms, I'm
> asking the ``why'' question, because the code answers
> the ``what'' question.

Sorry if I have repeated previous information.  Hope this helps,

                            Gerald ( Jerry ) Carter	
Engineering Network Services                           Auburn University 
jerry at   

       "...a hundred billion castaways looking for a home."
                                  - Sting "Message in a Bottle" ( 1979 )

More information about the samba-technical mailing list