[Samba] Q about net groupmap examples on samba.org

Michael Lueck mlueck at lueckdatasystems.com
Tue Jul 6 20:30:00 GMT 2004


Considering the following page...

http://us3.samba.org/samba/docs/man/guide/small.html

First off, my compliments to John for some great examples to study.

In my mind I see three levels of security:
1) Linux - such as SSH'ing into the Linux server; Linux accounts and groups come into play here.
2) Samba PDC - "Domain Admins", "Domain Users" come into play here. Examples would be a specific domain account being logged into on a Win2K client which has joined the domain, and then domain-related functions being run on that Win2K client.
3) Windows Security - Local Groups specifying what permissions that domain account user has on the local Win2K box while they are logged in.

So I created some groups in /etc/group as follows:

domadmin:x:2000:pianoman
domusers:x:2001:
domguest:x:2002:
ntadmins:x:2010:pianoman
ntpwrusr:x:2011:
ntusers:x:2012:
ntguests:x:2013:

Then I built my own initGrps.sh as follows:

#!/bin/bash
#
# initGrps.sh
#

# Map Windows Domain Groups to UNIX groups
net groupmap modify ntgroup="Domain Admins"  unixgroup=domadmin
net groupmap modify ntgroup="Domain Users"   unixgroup=domusers
net groupmap modify ntgroup="Domain Guests"  unixgroup=domguest

# Map Windows NT machine local groups to local UNIX groups
net groupmap modify ntgroup="Administrators" unixgroup=ntadmins
net groupmap modify ntgroup="Power Users"    unixgroup=ntpwrusr
net groupmap modify ntgroup="Users"          unixgroup=ntusers
net groupmap modify ntgroup="Guests"         unixgroup=ntguests

My thought on these dom* and nt* groups is they are for mapping permissions only; we won't assign local Linux security through these groups, we will use other groups such as the default groups Linux comes with. We will add user IDs (such as the pianoman example above) out behind the group names to manage permissions to the domain and to the Win2K client OS.

Anyway... My questions now that you have the background of the configuration:

1) Where does the net groupmap command store these mappings? The Domain Admins is working for example, but I sure don't see where the settings were stored on disk.
2) Running "net user pianoman /domain" on the Win2K client side shows the Domain Group membership, but not the local group. Since DOMAINNAME\Domain Admins is made a member of the local group administrators I have the admin permissions, but I did not get it via the ntadmins mapping I did above. Did I miss something in this example that was the key to making it work?

-- 
Michael Lueck
Lueck Data Systems

Remove the upper case letters NOSPAM to contact me directly.
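Added example, not part of the original post or of the Samba project: a small bash audit of the Windows-to-UNIX group mappings that an initGrps.sh like the one above creates. The security-relevant point is that anyone listed in the UNIX group mapped to "Domain Admins" is a domain administrator, so the membership column of /etc/group for that group deserves a regular check. On a real PDC the two inputs would come from `net groupmap list` (which prints the mappings Samba 3.0 keeps in group_mapping.tdb under its lock directory, in the form "NTNAME (SID) -> unixgroup") and from /etc/group; here both are constructed inline with made-up SIDs so the script runs offline. The function names are the example's own.

```bash
#!/bin/bash
# Added example (not from the original post): audit the Windows -> UNIX group
# mappings created by initGrps.sh. Both inputs are constructed here so the
# script runs offline; on a PDC use "$(net groupmap list)" and "$(cat /etc/group)".

# Constructed sample of `net groupmap list` output. Domain SIDs are made up;
# the RIDs (512/513/514) and the S-1-5-32-* BUILTIN aliases are the well-known ones.
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1234567890-1234567890-1234567890-512) -> domadmin
Domain Users (S-1-5-21-1234567890-1234567890-1234567890-513) -> domusers
Domain Guests (S-1-5-21-1234567890-1234567890-1234567890-514) -> domguest
Administrators (S-1-5-32-544) -> ntadmins
Power Users (S-1-5-32-547) -> ntpwrusr
Users (S-1-5-32-545) -> ntusers
Guests (S-1-5-32-546) -> ntguests'

# Constructed /etc/group excerpt matching the groups in the post.
SAMPLE_GROUP='root:x:0:
domadmin:x:2000:pianoman
domusers:x:2001:
domguest:x:2002:
ntadmins:x:2010:pianoman
ntpwrusr:x:2011:
ntusers:x:2012:
ntguests:x:2013:'

# unix_group_for NTNAME GROUPMAP_TEXT -> prints the mapped UNIX group, or nothing.
unix_group_for() {
    local ntname=$1 groupmap=$2
    printf '%s\n' "$groupmap" | sed -n "s/^$ntname (S-[0-9-]*) -> //p"
}

# members_of UNIXGROUP GROUP_TEXT -> prints the member list (4th /etc/group field).
members_of() {
    local group=$1 grouptext=$2
    printf '%s\n' "$grouptext" | awk -F: -v g="$group" '$1 == g { print $4 }'
}

# audit_mapping NTNAME GROUPMAP_TEXT GROUP_TEXT
# Prints "NTNAME -> unixgroup: members". Returns 1 when the NT group has no
# mapping or when the mapping points at a UNIX group absent from /etc/group
# (a dangling mapping silently grants nobody, or the wrong people, the right).
audit_mapping() {
    local ntname=$1 groupmap=$2 grouptext=$3 ug
    ug=$(unix_group_for "$ntname" "$groupmap")
    if [ -z "$ug" ]; then
        echo "MISSING: no mapping for \"$ntname\"" >&2
        return 1
    fi
    if ! printf '%s\n' "$grouptext" | awk -F: -v g="$ug" '$1 == g { found=1 } END { exit !found }'; then
        echo "DANGLING: \"$ntname\" -> $ug, but $ug is not in /etc/group" >&2
        return 1
    fi
    echo "$ntname -> $ug: $(members_of "$ug" "$grouptext")"
}

# audit_all GROUPMAP_TEXT GROUP_TEXT -> checks the seven groups from initGrps.sh,
# returning non-zero if any mapping is missing or dangling.
audit_all() {
    local groupmap=$1 grouptext=$2 rc=0 nt
    for nt in "Domain Admins" "Domain Users" "Domain Guests" \
              "Administrators" "Power Users" "Users" "Guests"; do
        audit_mapping "$nt" "$groupmap" "$grouptext" || rc=1
    done
    return $rc
}

# Who holds domain-admin rights through the mapping: the members of the UNIX
# group behind "Domain Admins" (here: pianoman).
domain_admins() {
    members_of "$(unix_group_for "Domain Admins" "$1")" "$2"
}

audit_all "$SAMPLE_GROUPMAP" "$SAMPLE_GROUP"
echo "Domain Admins via UNIX group: $(domain_admins "$SAMPLE_GROUPMAP" "$SAMPLE_GROUP")"
```

Run it as-is to see the sample audit; on a PDC replace the two SAMPLE_ variables with the live outputs. Note that the mappings for "Administrators", "Users" and so on in the script's second half are for the BUILTIN aliases as seen on the Samba server; a Win2K client's own local groups live in that client's SAM.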
