On 01/11/10 10:13, Brajesh Shrivastava wrote:
Gaiseric Vandal wrote:
On 01/11/10 06:48, Brajesh Shrivastava wrote:
Hi All
I have Samba 3.2.11 installed on Suse (sles 10) machine. I am
playing around with the group mapping functionality. When I map a linux
group to an nt group, I can see that group is visible on the windows
client. But, if I restart the smbd daemon (while changing the
security mode from ads to user or vice versa), I can no more see the
mapped group on the Windows client. Though, I was able to see
the mapping in the output of 'net groupmap list' command. I will
request you to please let me know the answers to the following questions:
1. Is there any way to see the mapped group on the windows client
even after changing the security mode or restarting the samba server?
2. Does samba store the group mapping in group_mapping.ldb file?
Will it be enough to copy this file to other node to get a cluster-wide
solution for group mapping or do I need to follow any other steps?
3. Can I map built-in domain groups like "Domain Admins", "Domain
Users" etc to Unix groups? If yes, do I need to keep the SID
fixed by specifying the rid value?
4. If I want to do the manual mapping, do I need to specify the
parameter 'add group script' in smb.conf? When is this option called?
Thanks a lot in advance.
Group mappings should be persistent in either the local TDB file or
the LDAP backend, depending on how you are configuring your
machine. There are some group mappings that you must have.
I have found that I can copy a TDB file for group mapping between
machines BUT your group mapping requirements may be a little
different for a domain controller vs a member server. It is
probably safer to reenter the commands on the other machines.
The member server may need the local "Administrators" and "Users"
groups defined (see below) that I don't think you need on the domain
controllers. The rid values for these well-known groups are defined
by Microsoft and available in the Samba documentation.
e.g.
net groupmap add ntgroup="Domain Admins" unixgroup=10512 rid=512
net groupmap add ntgroup="Domain Users" unixgroup=10513 rid=513
net groupmap add ntgroup="Domain Guests" unixgroup=10514 rid=514
net groupmap add ntgroup="Domain Controllers" unixgroup=10516 rid=516
net groupmap add ntgroup="Domain Computers" unixgroup=10515 rid=515
net groupmap add ntgroup="Administrators" unixgroup=10544 rid=544 type=local
net groupmap add ntgroup="Users" unixgroup=10545 rid=545 type=local
net groupmap add ntgroup="Guests" unixgroup=nobody rid=546 type=local
Hi Gaiseric
Thanks a lot for your prompt reply. Still there is some confusion:
Do I need to specify the uid of the Unix user? I think name should
also work. Suppose "Domain Admins" SID 512 is mapped with unix group gid
10234. If I change group permission on a file to "Domain Admins",
what gid value will be assigned to that file? Will it be 10512 or 10234?
Yes, you should be able to specify the unix group name rather than the
unix group GID. (no user names or uid's are involved.) You must use
the predefined RID (e.g. 512) - your local unix GID can be whatever.
(10512, 9223, smb_dom_admins, FunGroup1 etc.) I think you will make
fewer errors if the unix GID is either the same as the RID (e.g. if
RIDs are 512 and 513 the GIDs are 512 and 513) or at least there is
some obvious pattern (e.g. RIDs 512 and 513 map to GIDs 10512 and
10513, if you already have the 500 block of Unix GIDs used for something
else).
On the unix level, the group perms shown will be that of the GID not the
RID. So if RID 512 maps to GID 10234, the unix level will show 10234.
I have an LDAP backend for everything. That seems OK with using "Domain
Admins" as a unix group, despite the space in the names. I don't know
if you can do this if you are using NIS or /etc/passwd for the unix
accounts. I found that with samba 3.4.x it was easier if the unix group
names were the same as the windows group names.
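The advice above is to re-enter the mappings on each node rather than copy the TDB file between machines, and to keep the well-known RIDs fixed while choosing the unix GIDs freely. The following script is an added example, not from the thread or from the Samba project: it reads a `net groupmap list` dump, works out which of the well-known mappings from Gaiseric's list are missing, and prints the `net groupmap add` commands needed to complete them, skipping the three `type=local` builtin aliases on a domain controller. It assumes the Samba 3 `net groupmap list` output format `NT group (SID) -> unixgroup`; the SID base, the unix group names and the sample dump are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): compare a 'net groupmap list'
# dump against the well-known RIDs and print the 'net groupmap add' commands
# for whatever is missing, so mappings are re-entered per node instead of
# copying the TDB between machines. Commands are printed, never executed.
# Assumed format of each line: "NT group (S-1-5-21-...-RID) -> unixgroup".

# Constructed sample of 'net groupmap list' on a member server that only has
# the Domain Admins and Domain Users mappings (SID base is made up).
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> 10512
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> 10513'

# Well-known RID : NT group : unix group : type. The GIDs follow the
# "RID + 10000" pattern suggested in the thread; the three 'local' entries
# are the builtin aliases a member server needs and a DC does not.
WELL_KNOWN='512:Domain Admins:10512:domain
513:Domain Users:10513:domain
514:Domain Guests:10514:domain
515:Domain Computers:10515:domain
516:Domain Controllers:10516:domain
544:Administrators:10544:local
545:Users:10545:local
546:Guests:nobody:local'

# rids_in_list OUTPUT -> space-terminated list of the RID (last SID
# component) of every mapping present in the given groupmap output.
rids_in_list() {
    printf '%s\n' "$1" |
        sed -n 's/.*(S-1-5-21-[0-9-]*-\([0-9]*\)) -> .*/\1/p' |
        tr '\n' ' '
}

# missing_rids OUTPUT [dc|member] -> one line per well-known RID that is
# absent from OUTPUT. On a domain controller the local aliases are skipped.
missing_rids() {
    present=$(rids_in_list "$1")
    role=${2:-member}
    printf '%s\n' "$WELL_KNOWN" | while IFS=: read -r rid name unixgrp type; do
        [ "$role" = dc ] && [ "$type" = local ] && continue
        case " $present " in
            *" $rid "*) ;;          # already mapped
            *) printf '%s\n' "$rid" ;;
        esac
    done
}

# add_commands OUTPUT [dc|member] -> the 'net groupmap add' command for each
# missing mapping, with type=local only for the builtin aliases.
add_commands() {
    for rid in $(missing_rids "$1" "$2"); do
        printf '%s\n' "$WELL_KNOWN" | while IFS=: read -r r name unixgrp type; do
            [ "$r" = "$rid" ] || continue
            if [ "$type" = local ]; then
                printf 'net groupmap add ntgroup="%s" unixgroup=%s rid=%s type=local\n' \
                    "$name" "$unixgrp" "$rid"
            else
                printf 'net groupmap add ntgroup="%s" unixgroup=%s rid=%s\n' \
                    "$name" "$unixgrp" "$rid"
            fi
        done
    done
}

# Usage on a real host: add_commands "$(net groupmap list)" member | sh
add_commands "$SAMPLE_GROUPMAP" member
```

On a live member server the dump comes from `net groupmap list` itself, and piping the printed commands into `sh` applies them; review the output first, since the unix groups named in `WELL_KNOWN` must already exist for `net groupmap add` to succeed.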