[Samba] Mapping Windows groups to Unix ones on Samba 2.2
pgienger at ae-solutions.com
Thu Jan 13 20:36:39 GMT 2005
>Who can explain the differences ?
I'll take a shot, and feel free to beat me down with better knowledge...
>- username map
Used for making someone, who may not exist in the system, look like
someone else, who definately does.
>- net groupmap
Used to map the unix GID to a SID, that windows will be happy to use.
You'll be hard pressed to assign permissions to anything in windows
without a groupmap. Example: Say I want a share call Bling on my
windows server and only allow CoolPeople to access it. coolguys is a
unix group which has the groupmap to CoolPeople for windows use. (the
names could be the same btw.) Without the SID that will be assigned to
the coolguys group, windows won't be able to apply a permission to the
share allowing CoolPeople in. You'd also have difficulties assigning
I believe that under, say 2.2 without the groupmap, you could end up
with SIDs for users, but I think that was done on the fly, per se.
Groupmap keeps that part of it persistant.
>- idmap for uid and gid
>- wbinfo to show or manipulate mappings
Both of these are used in situations where the unix system is relying on
samba for it's posix user info. If you're joined to a windows (or samba
for that matter) domain, you can use winbind in your nss configuration
and get that info from your joined domain without creating local users
for everyone. The idmap holds the SID -> UID/GID mappings, since you
need UID and GID info under UNIX to apply permissions, the exact reverse
of above. Storing that in LDAP or another network accessable DB would
keep the otherwise somewhat on-the-fly mapping consistant across hosts
so that if you do something like nfs mount between your unix hosts,
which are all joined to a domain the names will line up.
Paul Gienger Office: 701-281-1884
Applied Engineering Inc.
Systems Architect Fax: 701-281-1322
URL: www.ae-solutions.com mailto: pgienger at ae-solutions.com
More information about the samba