[Samba] Mapping Windows groups to Unix ones on Samba 2.2

Paul Gienger pgienger at ae-solutions.com
Thu Jan 13 20:36:39 GMT 2005 

>Who can explain the differences ?
>  
>
I'll take a shot, and feel free to beat me down with better knowledge...

>- username map
>  
>
Used for making someone, who may not exist in the system, look like 
someone else, who definately does.

>- net groupmap
>  
>
Used to map the unix GID to a SID, that windows will be happy to use.  
You'll be hard pressed to assign permissions to anything in windows 
without a groupmap.  Example: Say I want a share call Bling on my 
windows server and only allow CoolPeople to access it.  coolguys is a 
unix group which has the groupmap to CoolPeople for windows use.  (the 
names could be the same btw.)  Without the SID that will be assigned to 
the coolguys group, windows won't be able to apply a permission to the 
share allowing CoolPeople in.  You'd also have difficulties assigning 
user permissions.

I believe that under, say 2.2 without the groupmap, you could end up 
with SIDs for users, but I think that was done on the fly, per se.  
Groupmap keeps that part of it persistant.

>- idmap for uid  and  gid
>- wbinfo to show or manipulate mappings
>  
>
Both of these are used in situations where the unix system is relying on 
samba for it's posix user info.  If you're joined to a windows (or samba 
for that matter) domain, you can use winbind in your nss configuration 
and get that info from your joined domain without creating local users 
for everyone.  The idmap holds the SID -> UID/GID mappings, since you 
need UID and GID info under UNIX to apply permissions, the exact reverse 
of above.  Storing that in LDAP or another network accessable DB would 
keep the otherwise somewhat on-the-fly mapping consistant across hosts 
so that if you do something like nfs mount between your unix hosts, 
which are all joined to a domain the names will line up.

-- 
--
Paul Gienger                    Office: 701-281-1884
Applied Engineering Inc.
Systems Architect               Fax:    701-281-1322
URL: www.ae-solutions.com       mailto: pgienger at ae-solutions.com

More information about the samba mailing list