Section 5.3. Group Mapping

5.3. Group Mapping

Remember that Samba exports Unix objects in a means that is palatable to Windows clients. In keeping with this philosophy, Unix groups are handled in a very similar fashion to Unix users. The underlying Unix group must already exist. Samba then associates a SID and name with that group and displays it to Windows. This operation is referred to as group mapping . The additional attributes can be manipulated using the net groupmap command.

The group mapping functionality is provided as part of Samba's passdb API and therefore shares the same storage mechanisms as user accounts. Both the smbpasswd and TDbsam passdb modules use the group_mapping.tdb file (stored in /usr/local/samba/var/locks by default). The ldapsam backend stores mapping entries by adding the sambaGroupMapping auxiliary object class to an existing posixGroup enTRy in the directory service. For all three backends, the actual table entries can be managed using the same Samba command-line tools (as was the case with user accounts).

The group mapping interfaces and internal design have been given a new look starting with the 3.0.23 release. However, the basic concept is the same as in previous releases. Only the tools have changed. The new interface is a command set named net sam, which provides an interface to users, groups, and password policies. At the time of writing, the toolset is not yet complete.

A group mapping entry is primarily an association from a SID to a Unix gid. A current entry can be viewed using the net groupmap list command. Be aware that all of the net groupmap commands must be run as root, because they operate on the passdb storage service directly.

 root# net groupmap list verbose ntgroup="Printer Admins"     Printer Admins    SID       : S-1-5-21-391507597-2097566357-2340928898-3091    Unix group: prtadmin    Group type: Domain Group    Comment   : Domain Unix group 

Printer Admins is the name that will be displayed to Windows clients. The membership of this group is handled by managing the prtadmin Unix group membership. Only those Unix groups that posses a valid group mapping entry are displayed, as illustrated by Figure 5-3. The same is true for users: only those users who have an account in the current passdb backend are displayed in the Windows object picker UI.

Figure 5-3. Displaying users and groups in the Windows object picker

You can view a complete list of current group mappings by omitting the group name when entering net groupmap list. But groups mapped to a value of -1 are placeholder entries created by smbd and are ignored.

 root# net groupmap list  Printer Admins (S-1-5-21-391507597-2097566357-2340928898-3091) -> prtadmin Administrators (S-1-5-32-544) -> -1 Domain Admins (S-1-5-21-391507597-2097566357-2340928898-512) -> -1 Users (S-1-5-32-545) -> -1 Domain Guests (S-1-5-21-391507597-2097566357-2340928898-514) -> -1 Domain Users (S-1-5-21-391507597-2097566357-2340928898-513) -> -1  remaining output deleted 

The placeholder entries are not present when using an ldapsam passdb backend. Future versions of Samba will remove them from the remaining backends for the sake of consistency.

New maps can be added by executing net groupmap add and including the Unix group name and either a SID or simply a Windows group map. It is better to define the ntgroup name value and allow Samba to allocate a SID unless you have a specific group (e.g., Domain Admins) that you require.

 root# net groupmap add ntgroup="System Managers" unixgroup=sysadmin No rid or sid specified, choosing algorithmic mapping Successfully added group Systems Managers to the mapping db 

The associated Unix group and group description can be changed with the modify subcommand:

 root# net groupmap modify ntgroup="System Managers" unixgroup=sysops comment="Server administrators group" Updated mapping entry for System Managers 

The Unix gid is not stored in the map entry and is therefore unaffected by renaming a group in /etc/group. In this example, the sysops and sysadmins groups are entirely different groups on the Unix server.

Finally, you can remove entries using net groupmap delete:

 root# net groupmap delete ntgroup="Systems Managers" Successfully removed Systems Managers from the mapping db 

Table 5-14 gives a brief overview of the net groupmap command-line arguments.

There are more esoteric things that can be done with the net groupmap tool. Most of these are prone to error and are not recommend for normal use. The options covered in this section are the most common and the least likely to change in a future Samba release.

Table 5-14. net groupmap command-line options








Add a new group mapping between a Unix group and a Windows group name or SID.



Remove an existing group mapping entry.




List all or a specific group mapping record. The verbose option includes all map attributes.





Update an existing group mapping record.

Using Samba
Using Samba: A File and Print Server for Linux, Unix & Mac OS X, 3rd Edition
ISBN: 0596007698
EAN: 2147483647
Year: 2004
Pages: 135 © 2008-2017.
If you may any questions please contact us: