Samba allows the administrator to create MS Windows NT4/200x group accounts and to arbitrarily associate them with UNIX/Linux group accounts.
Group accounts can be managed using the MS Windows NT4 or MS Windows 200x/XP Professional MMC tools. Appropriate interface scripts should be provided in smb.conf if it is desired that UNIX/Linux system accounts should be automatically created when these tools are used. In the absence of these scripts, and so long as winbindd is running, Samba group accounts that are created using these tools will be allocated UNIX UIDs/GIDs from the ID range specified by the idmap uid / idmap gid parameters in the smb.conf file.
In both cases, when winbindd is not running, only locally resolvable groups can be recognized. Please refer to Figure 11.1 and Figure 11.2. The net groupmap command is used to establish UNIX group to NT SID mappings, as shown in Figure 11.3.
Figure 11.1. IDMAP: group SID to GID resolution.
Figure 11.2. IDMAP: GID resolution to matching SID.
Figure 11.3. IDMAP storing group mappings.
Administrators should be aware that where smb.conf group interface scripts make direct calls to the UNIX/Linux system tools (the shadow utilities, groupadd, groupdel, and groupmod), the resulting UNIX/Linux group names will be subject to any limits imposed by these tools. If the tool does not allow uppercase characters or space characters, then the creation of an MS Windows NT4/200x style group of Engineering Managers will attempt to create an identically named UNIX/Linux group, an attempt that will of course fail.
There are several possible work-arounds for the operating system tools limitation. One method is to use a script that generates a name for the UNIX/Linux system group that fits the operating system limits, and that then just passes the UNIX/Linux group ID (GID) back to the calling Samba interface. This will provide a dynamic work-around solution.
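The following wrapper sketches the script-based work-around just described. It is an added example, not a script shipped with Samba. It assumes a groupadd that accepts lowercase letters, digits and underscores up to 32 characters (MAX_LEN and the character set are assumptions), and the function names and script path are hypothetical. Because the group name arrives from a remote management tool and the script normally runs as root, the name is reduced to an allow-listed character set before it reaches groupadd.

```shell
#!/bin/sh
# Added example: wrapper intended for the smb.conf "add group script" parameter.
# MAX_LEN and the allowed character set are assumptions; match them to
# what the local groupadd accepts.
LC_ALL=C; export LC_ALL
MAX_LEN=32

# Map a Windows group name to a conservative UNIX group name:
# lowercase, spaces become underscores, anything outside [a-z0-9_] is dropped.
unix_group_name() {
    name=$(printf '%s' "$1" | tr 'A-Z ' 'a-z_' | tr -cd 'a-z0-9_')
    # The result must not be empty and must not start with a digit.
    # Dropping '-' above also means it can never be parsed as an option.
    case "$name" in
        ''|[0-9]*) name="g_$name" ;;
    esac
    printf '%s' "$name" | cut -c1-"$MAX_LEN"
}

# Create the UNIX group and print its numeric GID, which is what Samba
# reads back from the script's standard output.
add_group() {
    ugroup=$(unix_group_name "$1")
    # Two different Windows names can map to the same UNIX name;
    # refuse to silently reuse an existing group.
    if getent group "$ugroup" >/dev/null; then
        echo "group $ugroup already exists" >&2
        return 1
    fi
    groupadd "$ugroup" || return 1
    getent group "$ugroup" | cut -d: -f3
}

# Runs only when invoked with a group name, for example from smb.conf
# (hypothetical path):
#   add group script = /path/to/this_script "%g"
if [ "$#" -gt 0 ]; then
    add_group "$1"
fi
```

The UNIX name produced this way differs from the Windows group name, so the mapping between the two should be checked with net groupmap after the group is created.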
Another work-around is to manually create a UNIX/Linux group, then manually create the MS Windows NT4/200x group on the Samba server and then use the net groupmap tool to connect the two to each other.