map "groupname, aliasname, username" issues

Luke Kenneth Casson Leighton lkcl at switchboard.net
Mon Sep 21 21:22:05 GMT 1998


On Mon, 21 Sep 1998, Jeremy Allison wrote:

> Luke Kenneth Casson Leighton wrote:
> > 
> > instead there will be:
> > 
> > map username
> > groupname map
> 
> We haven't had the argument about this one yet.

hee hee
 
> > aliasname map
> 
> Convince me we need it :-).

sure.

1) you want to give someone local admin rights, but not domain admin
rights, how do you do that?  with only "map groupname", you can't.  you
need "map aliasname".

2) complicated-explanation-that-john-t-gave-me-one-day but i'll try and
see if i can get it right.  it may only apply to NT, as you can always do
unix file permission manipulation.

let's say that you want to move some files from one domain to another, and
you are going to shut down the first domain and bring back a second
domain.  this presents a problem: your SIDs are going to become invalid
(as they are in the first domain). 

so, what you do is you create a "local group", and you make all the
"domain users" and "domain groups" of the about-to-be-retired domain a
_member_ of that local group. 

you then add access rights of this "local group" to all the files you're
going to move to the new domain, prior to taking down the old domain.  

if we are going to be a PDC, then we need to be able to allow users the
right to use "local groups", a.k.a. "aliases", and add such permissions to
files.  which means that administrators need to be able to create them,
which i envisage should be provided by something identical in
functionality to "map groupname", and i suggest that we call it "map
aliasname".

luke



