5.3. Group Mapping
Remember that Samba exports Unix objects in a manner that is palatable to Windows clients. In keeping with this philosophy, Unix groups are handled in a very similar fashion to Unix users. The underlying Unix group must already exist. Samba then associates a SID and name with that group and displays it to Windows. This operation is referred to as group mapping. The additional attributes can be manipulated using the net groupmap command.
The group mapping functionality is provided as part of Samba's passdb API and therefore shares the same storage mechanisms as user accounts. Both the smbpasswd and tdbsam passdb modules use the group_mapping.tdb file (stored in /usr/local/samba/var/locks by default). The ldapsam backend stores mapping entries by adding the sambaGroupMapping auxiliary object class to an existing posixGroup entry in the directory service. For all three backends, the actual table entries can be managed using the same Samba command-line tools (as was the case with user accounts).
A group mapping entry is primarily an association from a SID to a Unix gid. A current entry can be viewed using the net groupmap list command. Be aware that all of the net groupmap commands must be run as root, because they operate on the passdb storage service directly.
root# net groupmap list verbose ntgroup="Printer Admins"
Printer Admins
    SID       : S-1-5-21-391507597-2097566357-2340928898-3091
    Unix group: prtadmin
    Group type: Domain Group
    Comment   : Domain Unix group
Printer Admins is the name that will be displayed to Windows clients. The membership of this group is handled by managing the prtadmin Unix group membership. Only those Unix groups that possess a valid group mapping entry are displayed, as illustrated by Figure 5-3. The same is true for users: only those users who have an account in the current passdb backend are displayed in the Windows object picker UI.
Figure 5-3. Displaying users and groups in the Windows object picker
You can view a complete list of current group mappings by omitting the group name when entering net groupmap list. Groups mapped to a value of -1 are placeholder entries created by smbd and are ignored.
root# net groupmap list
Printer Admins (S-1-5-21-391507597-2097566357-2340928898-3091) -> prtadmin
Administrators (S-1-5-32-544) -> -1
Domain Admins (S-1-5-21-391507597-2097566357-2340928898-512) -> -1
Users (S-1-5-32-545) -> -1
Domain Guests (S-1-5-21-391507597-2097566357-2340928898-514) -> -1
Domain Users (S-1-5-21-391507597-2097566357-2340928898-513) -> -1
<remaining output deleted>
New maps can be added by executing net groupmap add and including the Unix group name and either a SID or simply a Windows group name. It is better to define the ntgroup name value and allow Samba to allocate a SID, unless you require a specific well-known group (e.g., Domain Admins).
root# net groupmap add ntgroup="System Managers" unixgroup=sysadmin
No rid or sid specified, choosing algorithmic mapping
Successfully added group Systems Managers to the mapping db
The associated Unix group and group description can be changed with the modify subcommand:
root# net groupmap modify ntgroup="System Managers" unixgroup=sysops comment="Server administrators group"
Updated mapping entry for System Managers
The Unix gid is not stored in the map entry and is therefore unaffected by renaming a group in /etc/group. In this example, sysops and sysadmin are entirely different groups on the Unix server.
Finally, you can remove entries using net groupmap delete:
root# net groupmap delete ntgroup="Systems Managers"
Successfully removed Systems Managers from the mapping db
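Because a mapping entry silently decides which Unix group stands behind a Windows group name, it is worth auditing the table after a round of add/modify/delete operations like the ones above. The following script is an added example and not part of Samba or of this book; it parses the "Name (SID) -> unixgroup" lines that net groupmap list prints and classifies each entry as a -1 placeholder, a mapping to a Unix group that exists, or a mapping to a group name that does not exist on the server. The sample output and the list of existing Unix groups are constructed inline so the script runs offline (on a real server you would feed it "net groupmap list" and derive the group list from getent group); the SID shown for System Managers is a constructed placeholder, not a value from the page.

```shell
#!/bin/sh
# Added example (not Samba's own code): audit "net groupmap list" output.

# Constructed sample of "net groupmap list" output. The first three lines follow
# the page; the System Managers SID is a made-up placeholder value.
SAMPLE_GROUPMAP='Printer Admins (S-1-5-21-391507597-2097566357-2340928898-3091) -> prtadmin
Administrators (S-1-5-32-544) -> -1
Domain Admins (S-1-5-21-391507597-2097566357-2340928898-512) -> -1
System Managers (S-1-5-21-391507597-2097566357-2340928898-3093) -> sysops'

# classify_groupmap "KNOWN_UNIX_GROUPS" < mapping-output
# KNOWN_UNIX_GROUPS is a space-separated list of groups that exist on the server
# (constructed here; in production build it with: getent group | cut -d: -f1).
# Prints one line per entry: STATUS<TAB>NTGROUP<TAB>SID<TAB>UNIXGROUP, where STATUS is
#   ok          -> the Unix group exists
#   placeholder -> mapped to -1 (entry created by smbd, no Unix group behind it)
#   missing     -> mapped to a Unix group name not present on this server
classify_groupmap() {
    known=" $1 "
    while IFS= read -r line; do
        # The Windows name may contain spaces, so split on the " (S-...) -> " shape.
        nt=$(printf '%s\n' "$line"  | sed -n 's/^\(.*\) (S-[0-9-]*) -> .*$/\1/p')
        sid=$(printf '%s\n' "$line" | sed -n 's/^.* (\(S-[0-9-]*\)) -> .*$/\1/p')
        ug=$(printf '%s\n' "$line"  | sed -n 's/^.* (S-[0-9-]*) -> \(.*\)$/\1/p')
        [ -n "$sid" ] || continue          # not a mapping line; skip it
        if [ "$ug" = "-1" ]; then
            status=placeholder
        else
            case "$known" in
                *" $ug "*) status=ok ;;
                *)         status=missing ;;
            esac
        fi
        printf '%s\t%s\t%s\t%s\n' "$status" "$nt" "$sid" "$ug"
    done
}

# count_status STATUS "KNOWN_UNIX_GROUPS" < mapping-output
# Number of mapping entries that received the given status.
count_status() {
    classify_groupmap "$2" | awk -F'\t' -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# Stand-alone run: prtadmin and sysadmin exist on this (constructed) server, sysops does not,
# so the System Managers entry is reported as "missing".
printf '%s\n' "$SAMPLE_GROUPMAP" | classify_groupmap "prtadmin sysadmin"
```

Entries reported as "missing" are the ones to look at first: the Windows side still shows the group, but nothing on the Unix side currently answers to that name. Placeholder entries are expected for the built-in groups, as the text above notes, and are listed only so the count can be compared against the previous audit.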
Table 5-14 gives a brief overview of the net groupmap command-line arguments.