[Samba] Re: Q about net groupmap examples on samba.org

Michael Lueck mlueck at lueckdatasystems.com
Wed Jul 7 01:12:16 GMT 2004


Well, I am one to keep hacking while I wait and listen to the silence on the email list, so I now have the following tested...

Idea: Since domain (global) groups were showing up on the Win2K client, make additional domain groups since those were working, and on the clients map domain groups to local groups via a script - easy enough.

Implementation:

To initGrps.sh I added the following:

# Create some Domain Groups to administer local security
net groupmap add ntgroup=ntadmins unixgroup=ntadmins type=d
net groupmap add ntgroup=ntpwrusr unixgroup=ntpwrusr type=d
net groupmap add ntgroup=ntusers  unixgroup=ntusers  type=d
net groupmap add ntgroup=ntguests unixgroup=ntguests type=d

And on the test client I executed:

net localgroup "Administrators" "LDS-SMB\ntadmins" /add
net localgroup "Power Users"    "LDS-SMB\ntpwrusr" /add
net localgroup "Users"          "LDS-SMB\ntusers"  /add
net localgroup "Guests"         "LDS-SMB\ntguests" /add

So, starting at the top I added pianoman to the ntadmins group in the group file, logged in, sure enough had *ntadmins global group, and admin rights were in effect.

Moved on to Power User testing. Moved pianoman down in the group file to ntpwrusr, logged off/on, sure enough had *ntpwrusr global group. Now, changing the local time is allowed by Power Users, as well as adding local printers, both were grayed out, thus I only have user permissions, not power user.

Oh, I forgot to say I had removed the link between Domain Admins and the Administrators localgroup, and the same with Domain Users and the Users localgroup, thus the above mappings are the only way I intended to specify local permissions on the Win2K client.

Any ideas, gotchas with these groups, etc...

????

Anyone doing this, or do y'all just let your Windows users run around with local admin rights all the time? ;-)

-- 
Michael Lueck
Lueck Data Systems

Remove the upper case letters NOSPAM to contact me directly.
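
An audit sketch for the setup described in the message above, added here as an example and not part of the original post or of Samba: it reads a file in /etc/group format and reports which Windows local groups an account would receive through the four mappings, which mapped Unix groups are missing, and which accounts sit in more than one tier. The function names and every sample account other than pianoman are assumptions.

```shell
#!/bin/sh
# Mapping from the post: Unix group (mapped to a domain group) -> Win2K local group.
MAPPING='ntadmins:Administrators
ntpwrusr:Power Users
ntusers:Users
ntguests:Guests'

# Constructed sample in /etc/group format; only the four group names and
# the account pianoman come from the post.
SAMPLE_GROUP='root:x:0:
ntadmins:x:1101:alice
ntpwrusr:x:1102:pianoman,bob
ntusers:x:1103:bob,carol
ntguests:x:1104:'

# local_groups_for USER FILE: local groups USER would land in, one per line.
# Only members listed in field 4 are checked; primary-GID membership is not.
local_groups_for() {
    printf '%s\n' "$MAPPING" | while IFS=: read -r ugrp wgrp; do
        if awk -F: -v g="$ugrp" -v u="$1" '
            $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) hit = 1 }
            END { exit !hit }' "$2"; then
            printf '%s\n' "$wgrp"
        fi
    done
}

# missing_unix_groups FILE: mapped Unix groups that have no entry in FILE.
missing_unix_groups() {
    printf '%s\n' "$MAPPING" | while IFS=: read -r ugrp rest; do
        grep -q "^$ugrp:" "$1" || printf '%s\n' "$ugrp"
    done
}

# multi_tier_users FILE: accounts in more than one mapped group (local rights add up).
multi_tier_users() {
    awk -F: '
        $1 ~ /^(ntadmins|ntpwrusr|ntusers|ntguests)$/ {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") tiers[m[i]]++
        }
        END { for (u in tiers) if (tiers[u] > 1) print u }' "$1" | sort
}

# Demo run against the constructed sample.
tmp=$(mktemp) && printf '%s\n' "$SAMPLE_GROUP" > "$tmp"
for u in alice pianoman bob carol; do
    printf '%s -> %s\n' "$u" "$(local_groups_for "$u" "$tmp" | paste -sd, -)"
done
rm -f "$tmp"
```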


