[Samba] Re: Nested group support documentation

Gerald (Jerry) Carter jerry at samba.org
Tue May 25 14:49:17 GMT 2004

ww m-pubsyssamba wrote:

| With regards Jerry's comment on nested groups, the how
| to guide included with Samba 3.0.3 source code still says
| nested groups are not supported. Does anyone know where I
| can get some information on the functionality
| which is included for nested groups on 3.0.3 onwards?

Here's a rough draft from Volker.

ciao, jerry

-------- Original Message --------
Subject: winbind nested groups quick docu
Date: Wed, 21 Apr 2004 14:10:36 +0200
From: Volker.Lendecke at SerNet.DE


Attached find a little preliminary howto entry for nested
groups. I did not look where this would best be included
into the howto. Feel free to add it.


Nested Groups

Windows supports the concept of nested groups to ease
administration. You can create a so-called local group on
any machine and add users and global (domain) groups from
any trusted SAM to it. This way you might be able to reduce
the amount of ACL entries you have to set on any file or
directory. Another prominent example is the use of administrative
privileges on workstations that are domain members. Administrative
privileges are given to all members of the builtin local group
Administrators on each workstation. To make sure that all
domain administrators also have full rights on any workstation,
upon domain join the Domain Admins group is added to the local
Administrators group. Thus anybody logged into the domain as
member of the Domain Admins group is also granted local admin
privileges on each workstation.

Unix does not support the concept of nested groups, and thus Samba
has for a long time not supported them either. The problem is that
you would have to put unix groups as auxiliary members of a group
into /etc/group which is not possible. Since Samba 2.2 winbind is
the daemon that can provide /etc/group entries on demand by asking
the Domain Controller of the domain Samba is a member of on the fly.
So Samba since that time has control over the /etc/group file via
the dynamic libnss_winbind mechanism. Beginning with Samba 3.0.3
this facility is used to provide local groups in the same manner
as Windows does it. It works by expanding the local groups on the
fly while being accessed. So when you put for example the Domain
Users group of your domain as a member of the local alias "all",
whenever asking for the members of "all" winbind asks the DC
for all members of the Domain Users group. By definition it can
only contain user objects, which can then be faked to be members of
the Unix group "all".

To be able to use nested groups, you need to run winbindd and
nss_winbind.  Creation and administration of the local groups
is done best via the Windows User Manager for Domains or its
Samba equivalent, the utility "net rpc group". Creating the
local group "all" can be done by

net rpc group add all -L

where the -L switch denotes that you want to create a local group.
Please add -S and -U switches for accessing the correct host via a
user with root privileges as needed. Adding and removing group
members can be done via the addmem and delmem subcommands of "net
rpc group". For example adding "DOM\Domain Users" to the local
group "all" would be done by

net rpc group addmem all "DOM\Domain Users"

Having done these two steps you will find that "getent group all"
will show all members of the global Domain Users group as members
of the group "all".  Certainly this also works with any local or
domain user. In case the domain DOM trusts another domain, it is
also possible to add global users and groups of the trusted domain
as members of "all".

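The two steps above (create the local group with "net rpc group add all -L",
then populate it with "net rpc group addmem all "DOM\Domain Users"") end with
"getent group all" listing every member of the global Domain Users group. The
following Python model is added here as an illustration of the flattening
winbind performs for such a local group; it is not Samba's or Volker's code.
It shows that global-group members of any trusted domain are replaced by the
users the DC reports for them, that a user listed directly and again via a
group appears only once, and that a member from a domain the host does not
trust is refused rather than silently dropped. The directory contents, the
trust list, the gid and the DOMAIN\user name form are constructed assumptions.

```python
"""Model of how winbind flattens a Samba local group (alias) whose
members are users and global (domain) groups, as described for
"getent group all" above.  Added illustration, not Samba's own code;
all directory data and trust relationships below are constructed."""

from typing import Dict, List, Set, Tuple

# Constructed: SAMs this member server trusts.  "DOM" is the domain the
# Samba host is joined to; "TRUSTED" is a domain that DOM trusts.
TRUSTED_DOMAINS: Set[str] = {"DOM", "TRUSTED"}

# Constructed: global (domain) groups as the DC would answer a member
# query.  Global groups contain only user objects, so one lookup per
# group is enough to flatten it.
GLOBAL_GROUPS: Dict[str, Dict[str, List[str]]] = {
    "DOM": {
        "Domain Users": ["alice", "bob", "carol"],
        "Domain Admins": ["alice"],
    },
    "TRUSTED": {
        "Domain Users": ["dave"],
    },
}

# Constructed: local groups (aliases) on the Samba host, as created with
# "net rpc group add <name> -L" and populated with "net rpc group addmem".
# Members are "DOMAIN\name" strings naming a user or a global group of
# any trusted domain.  "carol" is listed directly and via Domain Users.
LOCAL_ALIASES: Dict[str, List[str]] = {
    "all": ["DOM\\Domain Users", "TRUSTED\\Domain Users", "DOM\\carol"],
}


def split_principal(member: str) -> Tuple[str, str]:
    """Split "DOMAIN\\name" into (domain, name); reject unqualified names."""
    if "\\" not in member:
        raise ValueError(f"member {member!r} must be qualified as DOMAIN\\name")
    domain, name = member.split("\\", 1)
    return domain, name


def expand_alias(alias: str) -> List[str]:
    """Return the flattened, de-duplicated user list of a local group.

    Mirrors what winbind does on demand: a member that is a global group
    of a trusted domain is replaced by the users the DC reports for it; a
    user member passes through unchanged; a member from an untrusted
    domain is an error, because no trusted SAM could resolve it.
    """
    users: Set[str] = set()
    for member in LOCAL_ALIASES[alias]:
        domain, name = split_principal(member)
        if domain not in TRUSTED_DOMAINS:
            raise LookupError(f"{member!r}: domain {domain!r} is not trusted")
        group_users = GLOBAL_GROUPS.get(domain, {}).get(name)
        if group_users is not None:
            # Global group: ask the (simulated) DC for its user members.
            users.update(f"{domain}\\{u}" for u in group_users)
        else:
            # Not a known global group: treat the member as a user object.
            users.add(member)
    return sorted(users)


def getent_group_line(alias: str, gid: int) -> str:
    """Format the alias like a "getent group" line served by nss_winbind.

    The gid is an assumption; a real winbind allocates it from its idmap
    range.  "DOMAIN\\user" assumes the default winbind separator.
    """
    return f"{alias}:x:{gid}:" + ",".join(expand_alias(alias))


if __name__ == "__main__":
    print(getent_group_line("all", 10001))
```

Running the script prints the line that "getent group all" would yield on
such a host, with carol listed once although she is reachable twice. On a
real member server the gid comes from winbind's idmap range and the spelling
of the member names follows the "winbind separator" and "winbind use default
domain" settings in smb.conf, so only the membership set itself carries over
from this model.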