search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
set version string
[Samba.git] / docs / htmldocs / groupmapping.html
blob84cf521fc9487f97590d05140c64e09edec7c226
1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
2 <HTML
3 ><HEAD
4 ><TITLE
5 >Group mapping HOWTO</TITLE
6 ><META
7 NAME="GENERATOR"
8 CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
9 "><LINK
10 REL="HOME"
11 TITLE="SAMBA Project Documentation"
12 HREF="samba-howto-collection.html"><LINK
13 REL="UP"
14 TITLE="Optional configuration"
15 HREF="optional.html"><LINK
16 REL="PREVIOUS"
17 TITLE="HOWTO Access Samba source code via CVS"
18 HREF="cvs-access.html"><LINK
19 REL="NEXT"
20 TITLE="Samba performance issues"
21 HREF="speed.html"></HEAD
22 ><BODY
23 CLASS="CHAPTER"
24 BGCOLOR="#FFFFFF"
25 TEXT="#000000"
26 LINK="#0000FF"
27 VLINK="#840084"
28 ALINK="#0000FF"
29 ><DIV
30 CLASS="NAVHEADER"
31 ><TABLE
32 SUMMARY="Header navigation table"
33 WIDTH="100%"
34 BORDER="0"
35 CELLPADDING="0"
36 CELLSPACING="0"
37 ><TR
38 ><TH
39 COLSPAN="3"
40 ALIGN="center"
41 >SAMBA Project Documentation</TH
42 ></TR
43 ><TR
44 ><TD
45 WIDTH="10%"
46 ALIGN="left"
47 VALIGN="bottom"
48 ><A
49 HREF="cvs-access.html"
50 ACCESSKEY="P"
51 >Prev</A
52 ></TD
53 ><TD
54 WIDTH="80%"
55 ALIGN="center"
56 VALIGN="bottom"
57 ></TD
58 ><TD
59 WIDTH="10%"
60 ALIGN="right"
61 VALIGN="bottom"
62 ><A
63 HREF="speed.html"
64 ACCESSKEY="N"
65 >Next</A
66 ></TD
67 ></TR
68 ></TABLE
69 ><HR
70 ALIGN="LEFT"
71 WIDTH="100%"></DIV
72 ><DIV
73 CLASS="CHAPTER"
74 ><H1
75 ><A
76 NAME="GROUPMAPPING">Chapter 21. Group mapping HOWTO</H1
77 ><P
78 >
79 Starting with Samba 3.0 alpha 2, a new group mapping function is available. The
80 current method (likely to change) to manage the groups is a new command called
81 <B
82 CLASS="COMMAND"
83 >smbgroupedit</B
84 >.</P
85 ><P
86 >The first immediate reason to use the group mapping on a PDC, is that
87 the <B
88 CLASS="COMMAND"
89 >domain admin group</B
90 > of <TT
91 CLASS="FILENAME"
92 >smb.conf</TT
93 > is
94 now gone. This parameter was used to give the listed users local admin rights
95 on their workstations. It was some magic stuff that simply worked but didn't
96 scale very well for complex setups.</P
97 ><P
98 >Let me explain how it works on NT/W2K, to have this magic fade away.
99 When installing NT/W2K on a computer, the installer program creates some users
100 and groups. Notably the 'Administrators' group, and gives to that group some
101 privileges like the ability to change the date and time or to kill any process
102 (or close too) running on the local machine. The 'Administrator' user is a
103 member of the 'Administrators' group, and thus 'inherit' the 'Administrators'
104 group privileges. If a 'joe' user is created and become a member of the
105 'Administrator' group, 'joe' has exactly the same rights as 'Administrator'.</P
106 ><P
107 >When a NT/W2K machine is joined to a domain, during that phase, the "Domain
108 Administrators' group of the PDC is added to the 'Administrators' group of the
109 workstation. Every members of the 'Domain Administrators' group 'inherit' the
110 rights of the 'Administrators' group when logging on the workstation.</P
111 ><P
112 >You are now wondering how to make some of your samba PDC users members of the
113 'Domain Administrators' ? That's really easy.</P
114 ><P
115 ></P
116 ><OL
117 TYPE="1"
118 ><LI
119 ><P
120 >create a unix group (usually in <TT
121 CLASS="FILENAME"
122 >/etc/group</TT
123 >), let's call it domadm</P
124 ></LI
125 ><LI
126 ><P
127 >add to this group the users that must be Administrators. For example if you want joe,john and mary, your entry in <TT
128 CLASS="FILENAME"
129 >/etc/group</TT
130 > will look like:</P
131 ><P
132 ><PRE
133 CLASS="PROGRAMLISTING"
134 >domadm:x:502:joe,john,mary</PRE
135 ></P
136 ></LI
137 ><LI
138 ><P
139 >Map this domadm group to the <B
140 CLASS="COMMAND"
141 >domain admins</B
142 > group by running the command:</P
143 ><P
144 ><B
145 CLASS="COMMAND"
146 >smbgroupedit -c "Domain Admins" -u domadm</B
147 ></P
148 ></LI
149 ></OL
150 ><P
151 >You're set, joe, john and mary are domain administrators !</P
152 ><P
153 >Like the Domain Admins group, you can map any arbitrary Unix group to any NT
154 group. You can also make any Unix group a domain group. For example, on a domain
155 member machine (an NT/W2K or a samba server running winbind), you would like to
156 give access to a certain directory to some users who are member of a group on
157 your samba PDC. Flag that group as a domain group by running:</P
158 ><P
159 ><B
160 CLASS="COMMAND"
161 >smbgroupedit -a unixgroup -td</B
162 ></P
163 ><P
164 >You can list the various groups in the mapping database like this</P
165 ><P
166 ><B
167 CLASS="COMMAND"
168 >smbgroupedit -v</B
169 ></P
170 ></DIV
171 ><DIV
172 CLASS="NAVFOOTER"
173 ><HR
174 ALIGN="LEFT"
175 WIDTH="100%"><TABLE
176 SUMMARY="Footer navigation table"
177 WIDTH="100%"
178 BORDER="0"
179 CELLPADDING="0"
180 CELLSPACING="0"
181 ><TR
182 ><TD
183 WIDTH="33%"
184 ALIGN="left"
185 VALIGN="top"
186 ><A
187 HREF="cvs-access.html"
188 ACCESSKEY="P"
189 >Prev</A
190 ></TD
191 ><TD
192 WIDTH="34%"
193 ALIGN="center"
194 VALIGN="top"
195 ><A
196 HREF="samba-howto-collection.html"
197 ACCESSKEY="H"
198 >Home</A
199 ></TD
200 ><TD
201 WIDTH="33%"
202 ALIGN="right"
203 VALIGN="top"
204 ><A
205 HREF="speed.html"
206 ACCESSKEY="N"
207 >Next</A
208 ></TD
209 ></TR
210 ><TR
211 ><TD
212 WIDTH="33%"
213 ALIGN="left"
214 VALIGN="top"
215 >HOWTO Access Samba source code via CVS</TD
216 ><TD
217 WIDTH="34%"
218 ALIGN="center"
219 VALIGN="top"
220 ><A
221 HREF="optional.html"
222 ACCESSKEY="U"
223 >Up</A
224 ></TD
225 ><TD
226 WIDTH="33%"
227 ALIGN="right"
228 VALIGN="top"
229 >Samba performance issues</TD
230 ></TR
231 ></TABLE
232 ></DIV
233 ></BODY
234 ></HTML
235 >
Samba GIT mirror