Considering the following page... http://us3.samba.org/samba/docs/man/guide/small.html

First off, my compliments to John for some great examples to study.

In my mind I see three levels of security:

1) Linux - such as SSH'ing into the Linux server. Linux accounts and groups come into play here.

2) Samba PDC - "Domain Admins" and "Domain Users" come into play here. Examples would be a specific domain account being logged into on a Win2K client which has joined the domain, and then domain related functions being run on that Win2K client.

3) Windows Security - Local Groups specifying what permissions that domain account user has on the local Win2K box while they are logged in.

So I created some groups in /etc/group as follows:

domadmin:x:2000:pianoman
domusers:x:2001:
domguest:x:2002:
ntadmins:x:2010:pianoman
ntpwrusr:x:2011:
ntusers:x:2012:
ntguests:x:2013:

Then I built my own initGrps.sh as follows:

#!/bin/bash
#
# initGrps.sh
#
# Map Windows Domain Groups to UNIX groups
net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin
net groupmap modify ntgroup="Domain Users" unixgroup=domusers
net groupmap modify ntgroup="Domain Guests" unixgroup=domguest

# Map Windows NT machine local groups to local UNIX groups
net groupmap modify ntgroup="Administrators" unixgroup=ntadmins
net groupmap modify ntgroup="Power Users" unixgroup=ntpwrusr
net groupmap modify ntgroup="Users" unixgroup=ntusers
net groupmap modify ntgroup="Guests" unixgroup=ntguests

My thought on these dom* and nt* groups is that they are for mapping permissions only; we won't assign local Linux security through these groups, we will use other groups such as the default groups Linux comes with. We will add user IDs (such as the pianoman example above) out behind the group names to manage permissions to the domain and to the Win2K client OS.

Anyway... My questions now that you have the background of the configuration:

1) Where does the net groupmap command store these mappings? The Domain Admins is working for example, but I sure don't see where the settings were stored on disk.

2) Running "net user pianoman /domain" on the Win2K client side shows the Domain Group membership, but not the local group. Since DOMAINNAME\Domain Admins is made a member of the localgroup administrators I have the admin permissions, but I did not get it via the ntadmins mapping I did above. Did I miss something in this example that was the key to making it work?

--
Michael Lueck
Lueck Data Systems
Remove the upper case letters NOSPAM to contact me directly.
Michael Lueck
2004-Jul-07 01:12 UTC
[Samba] Re: Q about net groupmap examples on samba.org
Well, I am one to keep hacking while I wait and listen to the silence on the email list, so I now have the following tested...

Idea: Since domain (global) groups were showing up on the Win2K client, make additional domain groups since those were working, and on the clients map domain groups to local groups via a script - easy enough.

Implementation: To initGrps.sh I added the following:

# Create some Domain Groups to administer local security
net groupmap add ntgroup=ntadmins unixgroup=ntadmins type=d
net groupmap add ntgroup=ntpwrusr unixgroup=ntpwrusr type=d
net groupmap add ntgroup=ntusers unixgroup=ntusers type=d
net groupmap add ntgroup=ntguests unixgroup=ntguests type=d

And on the test client I executed:

net localgroup "Administrators" "LDS-SMB\ntadmins" /add
net localgroup "Power Users" "LDS-SMB\ntpwrusr" /add
net localgroup "Users" "LDS-SMB\ntusers" /add
net localgroup "Guests" "LDS-SMB\ntguests" /add

So, starting at the top, I added pianoman to the ntadmins group in the group file, logged in, sure enough had the *ntadmins global group, and admin rights were in effect.

Moved on to Power User testing. Moved pianoman down in the group file to ntpwrusr, logged off/on, sure enough had the *ntpwrusr global group. Now, changing the local time is allowed by Power Users, as well as adding local printers; both were grayed out, thus I only have user permissions, not power user.

Oh, I forgot to say I had removed the link between Domain Admins and the Administrators localgroup, and the same with Domain Users and the Users localgroup, thus the above mappings are the only way I intended to specify local permissions on the Win2K client.

Any ideas, gotchas with these groups, etc... ???? Anyone doing this, or do y'all just let your Windows users run around with local admin rights all the time? ;-)

--
Michael Lueck
Lueck Data Systems
Remove the upper case letters NOSPAM to contact me directly.
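As an added example (mine, not from the thread or from Samba), a small Python audit script that cross-checks /etc/group against the output of `net groupmap list`, so an admin can see which Windows groups a user such as pianoman will end up in and which mappings point at UNIX groups that do not exist. Both inputs are constructed samples, and the `NT name (SID) -> unixgroup` line format of `net groupmap list` is assumed.

```python
import re

# Constructed sample of /etc/group (not the poster's real file).
ETC_GROUP = """\
domadmin:x:2000:pianoman
domusers:x:2001:
ntadmins:x:2010:pianoman
ntpwrusr:x:2011:
"""

# Constructed sample of `net groupmap list` output; SIDs are placeholders
# and the "NT name (SID) -> unixgroup" line format is an assumption.
GROUPMAP_LIST = """\
Domain Admins (S-1-5-21-111-222-333-512) -> domadmin
Domain Users (S-1-5-21-111-222-333-513) -> domusers
ntadmins (S-1-5-21-111-222-333-1010) -> ntadmins
ntpwrusr (S-1-5-21-111-222-333-1011) -> ntpwrusr
Guests (S-1-5-32-546) -> ntguests
"""

MAP_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-[\d-]+)\) -> (?P<unix>\S+)$")


def parse_etc_group(text):
    """Return {unixgroup: set(members)} from /etc/group style lines."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_groupmap(text):
    """Return [(ntgroup, sid, unixgroup), ...] from `net groupmap list` lines."""
    return [m.group("nt", "sid", "unix")
            for m in map(MAP_RE.match, text.splitlines()) if m]


def audit(etc_group, groupmap):
    """Return ({user: sorted NT groups}, [mappings whose UNIX group is missing])."""
    groups = parse_etc_group(etc_group)
    memberships, dangling = {}, []
    for nt, sid, unix in parse_groupmap(groupmap):
        if unix not in groups:
            dangling.append((nt, sid, unix))  # mapping to a nonexistent UNIX group
            continue
        for user in groups[unix]:
            memberships.setdefault(user, set()).add(nt)
    return {u: sorted(g) for u, g in memberships.items()}, dangling
```

Running `audit(open("/etc/group").read(), subprocess.check_output(["net", "groupmap", "list"], text=True))` on a real PDC shows the same two views for live data.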