[Samba] Samba Group Mapping

2010-01-11 Thread Brajesh Shrivastava

Hi All

I have Samba 3.2.11 installed on a SUSE (SLES 10) machine. I am playing 
around with the group mapping functionality. When I map a Linux group to an 
NT group, I can see that the group is visible on the Windows client. But if I 
restart the smbd daemon (while changing the security mode from ads to user 
or vice versa), I can no longer see the mapped group on the Windows 
client, though I was able to see the mapping in the output of the 'net 
groupmap list' command. I request you to please let me know the 
answers to the following questions:

1. Is there any way to see the mapped group on the Windows client even 
after changing the security mode or restarting the Samba server?

2. Does Samba store the group mapping in the group_mapping.ldb file? Will 
it be enough to copy this file to the other node to get a cluster wise 
solution for group mapping, or do I need to follow any other steps?

3. Can I map built-in domain groups like Domain Admins, Domain Users 
etc. to a Unix group? If yes, do I need to keep the SID fixed by 
specifying the rid value?

4. If I want to do the manual mapping, do I need to specify the parameter 
'add group script' in smb.conf? When is this option called?



Thanks a lot in advance.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba Group Mapping

2010-01-11 Thread Gaiseric Vandal



Group mappings should be persistent in either the local TDB file or the 
LDAP backend, depending on how you are configuring your machine.
There are some group mappings that you must have.

I have found that I can copy a TDB file for group mapping between 
machines BUT your group mapping requirements may be a little different 
for a domain controller vs a member server. It is probably safer to 
re-enter the commands on the other machines.

The member server may need the local Administrators and Users groups 
defined (see below) that I don't think you need on the domain 
controllers. The rid values for these well-known groups are defined by 
Microsoft and available in the Samba docs.

e.g.

net groupmap add ntgroup="Domain Admins" unixgroup=10512 rid=512
net groupmap add ntgroup="Domain Users" unixgroup=10513 rid=513
net groupmap add ntgroup="Domain Guests" unixgroup=10514 rid=514
net groupmap add ntgroup="Domain Controllers" unixgroup=10516 rid=516
net groupmap add ntgroup="Domain Computers" unixgroup=10515 rid=515

net groupmap add ntgroup=Administrators unixgroup=10544 rid=544 type=local
net groupmap add ntgroup=Users unixgroup=10545 rid=545 type=local
net groupmap add ntgroup=Guests unixgroup=nobody rid=546 type=local









Re: [Samba] Samba Group Mapping

2010-01-11 Thread Brajesh Shrivastava






Hi Gaiseric

Thanks a lot for your prompt reply. There is still some confusion:

Do I need to specify the uid of the Unix user? I think the name should also 
work. Say Domain Admins SID 512 is mapped to unix group gid 10234. 
If I change the group permission on a file to Domain Admins, what gid 
value will be assigned to that file? Will it be 10512 or 10234?




Re: [Samba] Samba Group Mapping

2010-01-11 Thread Gaiseric Vandal





Yes, you should be able to specify the unix group name rather than the 
unix group GID. (No user names or uid's are involved.) You must use 
the predefined RID (e.g. 512) - your local unix GID can be whatever 
(10512, 9223, smb_dom_admins, FunGroup1 etc.). I think you will make 
fewer errors if the unix GID is either the same as the RID (e.g. if 
RIDs are 512 and 513 the GIDs are 512 and 513) or at least there is 
some obvious pattern (e.g. RIDs 512 and 513 map to GIDs 10512 and 
10513, if you already have the 500 block of Unix GIDs used for something 
else).

On the unix level, the group perms shown will be that of the GID, not the 
RID. So if RID 512 maps to GID 10234, the unix level will show 10234.

I have an LDAP backend for everything. That seems OK with using Domain 
Admins as a unix group, despite the space in the names. I don't know 
if you can do this if you are using NIS or /etc/passwd for the unix 
accounts. I found that with samba 3.4.x it was easier if the unix group 
names were the same as the windows group names.






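The rules discussed in the thread above (predefined RIDs for the well-known domain groups, a Unix GID that can be anything but is what file permissions will show) can be checked against a server's current mappings. The script below is an added example, not code from the thread or from Samba. It assumes 'net groupmap list' prints lines of the form "NT name (SID) -> unix group"; the domain SID, the Unix group names and the "Fun Group" entry in the sample are constructed.

```shell
#!/bin/sh
# Added example: audit `net groupmap list` output read from stdin.
# Assumed line shape (Samba 3.x): NT group name (SID) -> unix group

audit_groupmap() {
    awk '
    BEGIN {  # domain groups and RIDs exactly as listed in the thread
        want["Domain Admins"] = 512;   want["Domain Users"] = 513
        want["Domain Guests"] = 514;   want["Domain Computers"] = 515
        want["Domain Controllers"] = 516
    }
    {
        lp = index($0, " (S-"); ar = index($0, ") -> ")
        if (lp == 0 || ar < lp) next           # not a mapping line
        nt = substr($0, 1, lp - 1)
        n = split(substr($0, lp + 2, ar - lp - 2), part, "-")
        rid = part[n] + 0                      # RID is the last SID component
        ug = substr($0, ar + 5); sub(/[ \t\r]+$/, "", ug)
        seen[nt] = 1
        if ((nt in want) && rid != want[nt]) {
            print "RID_MISMATCH: " nt " has RID " rid ", expected " want[nt]; bad++
        }
        if (ug == "-1" || ug == "") {
            print "UNMAPPED: " nt " (RID " rid ") has no Unix group"; bad++
        } else if (ug in owner) {
            # Unix shows only the GID, so file group ownership is ambiguous
            print "SHARED_GID: " nt " and " owner[ug] " both map to " ug; bad++
        } else owner[ug] = nt
    }
    END {
        for (name in want) if (!(name in seen)) {
            print "MISSING: " name " (RID " want[name] ")"; bad++
        }
        exit (bad > 0)                         # non-zero status if any finding
    }'
}

sample_groupmap() {   # constructed sample, not real server output
    d=S-1-5-21-1111111111-2222222222-3333333333
    printf '%s\n' \
        "Domain Admins ($d-512) -> domadmins" \
        "Domain Users ($d-1513) -> domusers" \
        "Domain Guests ($d-514) -> -1" \
        "Fun Group ($d-3001) -> domadmins"
}

sample_groupmap | audit_groupmap || echo "audit reported findings"
```

On a live server the same function is fed with: net groupmap list | audit_groupmap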


[Samba] Samba group mapping mechanism

2005-12-26 Thread Dina Fine
Hi

I would like to use the group mapping mechanism in order to map some NT
groups to unix groups (like username map).
But although I configured a mapping using the net tool, Samba doesn't
even call the groupmap sid-gid function.

As I could see from the code, Samba calls getpwnam, which returns a
passwd struct with an already mapped gid (by winbind idmap).

The passdb backend has a default value.

Thanks in advance for a reply

Dina Fine
 