<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 13. Remote and Local Management: The Net Command</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.4.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="groupmapping.html" title="Chapter 12. Group Mapping: MS Windows and UNIX"><link rel="next" href="idmapper.html" title="Chapter 14. Identity Mapping (IDMAP)"></head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 13. Remote and Local Management: The Net Command</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a>&nbsp;</td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right">&nbsp;<a accesskey="n" href="idmapper.html">Next</a></td></tr></table><hr></div>
<div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NetCommand"></a>Chapter 13. Remote and Local Management: The Net Command</h2></div>
<div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div>
<div><div class="author"><h3 class="author"><span class="firstname">Volker</span> <span class="surname">Lendecke</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:Volker.Lendecke@SerNet.DE">Volker.Lendecke@SerNet.DE</a>&gt;</code></p></div></div></div></div>
<div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="surname">Deschner</span></h3><div class="affiliation"><span class="orgname">SuSE<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:gd@suse.de">gd@suse.de</a>&gt;</code></p></div></div></div></div>
<div><p class="pubdate">May 9, 2005</p></div></div></div>
<div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="NetCommand.html#id2599024">Overview</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2599319">Administrative Tasks and Methods</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2599400">UNIX and Windows Group Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2599558">Adding, Renaming, or Deletion of Group Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#grpmemshipchg">Manipulating Group Memberships</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#nestedgrpmgmgt">Nested Group Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2600928">UNIX and Windows User Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#sbeuseraddn">Adding User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2601139">Deletion of User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2601187">Managing User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2601256">User Mapping</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2601339">Administering User Rights and Privileges</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2601684">Managing Trust Relationships</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2601699">Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2602068">Interdomain Trusts</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2602302">Managing Security Identifiers (SIDS)</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2602524">Share Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2602569">Creating, Editing, and Removing Shares</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2602757">Creating and Changing Share ACLs</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2602787">Share, Directory, and File Migration</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2603410">Printer Migration</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2603661">Controlling Open Files</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2603680">Session and Connection Management</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2603746">Printers and ADS</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2603862">Manipulating the Samba Cache</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2603879">Managing IDMAP UID/SID Mappings</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2603923">Creating an IDMAP Database Dump File</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2603958">Restoring the IDMAP Database Dump File</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#netmisc1">Other Miscellaneous Operations</a></span></dt></dl></div><p>
The <code class="literal">net</code> command is one of the new features of Samba-3 and is an attempt to provide a useful
tool for the majority of remote management operations necessary for common tasks. The <code class="literal">net</code>
tool is flexible by design and is intended for command-line use as well as for scripted control applications.

Originally introduced with the intent to mimic the Microsoft Windows command that has the same name, the
<code class="literal">net</code> command has morphed into a very powerful instrument that has become an essential part
of the Samba network administrator's toolbox. The Samba Team has introduced tools, such as

A Samba-3 administrator cannot afford to gloss over this chapter because to do so will almost certainly cause
the infliction of self-induced pain, agony, and desperation. Be warned: this is an important chapter.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2599024"></a>Overview</h2></div></div></div><p>
The tasks that follow the installation of a Samba-3 server, whether a standalone server, a domain member, or a
domain controller (PDC or BDC), begin with the need to create administrative rights. Of course, the
creation of user and group accounts is essential for both a standalone server and a PDC.
In the case of a BDC or a Domain Member server (DMS), domain user and group accounts are obtained from
the central domain authentication backend.
Regardless of the type of server being installed, local UNIX groups must be mapped to the Windows
networking domain global group accounts. Do you ask why? Because Samba always limits its access to
the resources of the host server by way of traditional UNIX UID and GID controls. This means that local
global groups can be given access rights based on UIDs and GIDs local to the server that is hosting
Samba. Such mappings are implemented using the <code class="literal">net</code> command.
UNIX systems that are hosting a Samba-3 server that is running as a member (PDC, BDC, or DMS) must have
a machine security account in the domain authentication database (or directory). The creation of such
security (or trust) accounts is also handled using the <code class="literal">net</code> command.
The establishment of interdomain trusts is also achieved using the <code class="literal">net</code> command, as
are a plethora of typical administrative duties such as user management, group management, share and
printer management, file and printer migration, security identifier management, and so on.
The overall picture should be clear now: the <code class="literal">net</code> command plays a central role
on the Samba-3 stage. This role will continue to be developed. The inclusion of this chapter is
evidence of its importance, one that has grown in complexity to the point that it is no longer considered
prudent to cover its use fully in the online UNIX man pages.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2599319"></a>Administrative Tasks and Methods</h2></div></div></div><p>
The basic operations of the <code class="literal">net</code> command are documented here. This documentation is not
exhaustive. Since the primary focus is on migration from Windows servers to a Samba
server, the emphasis is on the use of the Distributed Computing Environment Remote Procedure Call (DCE RPC)
automatically fall back via the <code class="constant">ads</code>, <code class="constant">rpc</code>, and
<code class="constant">rap</code> modes. Please refer to the man page for a more comprehensive overview of the
capabilities of this utility.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2599400"></a>UNIX and Windows Group Management</h2></div></div></div><p>
As stated, the focus in most of this chapter is on use of the <code class="literal">net rpc</code> family of
operations that are supported by Samba. Most of them are supported by the <code class="literal">net ads</code>
mode when used in connection with Active Directory. The <code class="literal">net rap</code> operating mode is
also supported for some of these operations. RAP protocols are used by IBM OS/2 and by several
earlier SMB servers.

Samba's <code class="literal">net</code> tool implements sufficient capability to permit all common administrative
tasks to be completed from the command line. In this section each of the essential user and group management
facilities is explored.
Samba-3 recognizes two types of groups: <span class="emphasis"><em>domain groups</em></span> and <span class="emphasis"><em>local
groups</em></span>. Domain groups can contain (have as members) only domain user accounts. Local groups
can contain local users, domain users, and domain groups as members.

The purpose of a local group is to permit file permissions to be set for a group account that, like the
usual UNIX/Linux group, is persistent across redeployment of a Windows file server.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2599558"></a>Adding, Renaming, or Deletion of Group Accounts</h3></div></div></div><p>
Samba provides file and print services to Windows clients. The file system resources it makes available
to the Windows environment must, of necessity, be provided in a manner that is compatible with the
Windows networking environment. UNIX groups are created and deleted as required to serve operational
between the UNIX group account and its members to the respective Windows group accounts. It goes on to
show how UNIX group members automatically pass through to Windows group membership as soon as a logical
mapping has been created.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2599600"></a>Adding or Creating a New Group</h4></div></div></div><p>
Before attempting to add a Windows group account, the currently available groups can be listed as shown
</p><pre class="screen">
<code class="prompt">root# </code> net rpc group list -Uroot%not24get
Engineers (S-1-5-21-72630-4128915-11681869-3005) -> Engineers
SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs
</pre><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2599802"></a>Mapping Windows Groups to UNIX Groups</h4></div></div></div><p>
Windows groups must be mapped to UNIX system (POSIX) groups so that file system access controls
can be asserted in a manner that is consistent with the methods appropriate to the operating
system that is hosting the Samba server.

All file system (file and directory) access controls, within the file system of a UNIX/Linux server that is
hosting a Samba server, are implemented using a UID/GID identity tuple. Samba does not in any way override
or replace UNIX file system semantics. Thus it is necessary that all Windows networking operations that
account. The user account must also map to a locally known UID. Note that the <code class="literal">net</code>
command does not call any RPC functions here but directly accesses the passdb.
Samba depends on default mappings for the <code class="constant">Domain Admins, Domain Users</code>, and
<code class="constant">Domain Guests</code> global groups. Additional groups may be added as shown in the
examples just given. There are times when it is necessary to map an existing UNIX group account
to a Windows group. This operation, in effect, creates a Windows group account as a consequence
of creation of the mapping.

The operations that are permitted include: <code class="constant">add</code>, <code class="constant">modify</code>,
and <code class="constant">delete</code>. An example of each operation is shown here.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Commencing with Samba-3.0.23, Windows Domain Groups must be explicitly created. By default, all
UNIX groups are exposed to Windows networking as Windows local groups.
</p></div><p>
Supported mapping types are 'd' (domain global) and 'l' (domain local). A domain local group in Samba is
treated as local to the individual Samba server. Local groups can be used with Samba to enable
nested group support.
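Because every Windows group Samba exposes has to resolve to a UNIX GID, a mapping table is worth auditing after it has been edited. The following POSIX shell script is an added example, not part of the HOWTO or of Samba itself: it parses <code class="literal">net groupmap list</code> output (the <code class="literal">NT group (SID) -> unixgroup</code> layout shown in the listing above) and flags mappings whose UNIX group does not exist, whose SID belongs to a foreign domain, or whose UNIX group is already claimed by another Windows group. The listing and the group file are constructed sample data; the domain SID prefix is the one from the chapter's listing.

```shell
#!/bin/sh
# Added example (not from the Samba HOWTO): audit "net groupmap list"
# output against the UNIX group database. On a live system the inputs
# would come from:
#   net groupmap list    (mapping lines, format "NT group (SID) -> unixgroup")
#   net getlocalsid      (the server's own domain SID)
#   getent group         (the UNIX group database)

# Constructed sample listing. The domain SID prefix is the one shown in the
# chapter; the last three lines are deliberately problematic.
GROUPMAP_OUTPUT='Domain Admins (S-1-5-21-72630-4128915-11681869-512) -> ntadmins
Engineers (S-1-5-21-72630-4128915-11681869-3005) -> Engineers
SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs
Contractors (S-1-5-21-999999-888888-777777-1105) -> contractors
Auditors (S-1-5-21-72630-4128915-11681869-3011) -> Engineers'

# Constructed stand-in for /etc/group: name:password:gid:members
GROUP_FILE='root:x:0:
ntadmins:x:1000:jht
Engineers:x:1001:jht,vlendecke
contractors:x:1002:'

# Exit 0 when a UNIX group named $1 exists in GROUP_FILE.
unix_group_exists() {
    printf '%s\n' "$GROUP_FILE" | grep -q "^$1:"
}

# Print one verdict per mapping line as "<NT group>: <verdict>", where the
# verdict is ok, foreign-sid, missing-unix-group or duplicate-unix-group.
# $1 is the local domain SID (what "net getlocalsid" reports).
audit_groupmap() {
    domain_sid=$1
    seen=""
    printf '%s\n' "$GROUPMAP_OUTPUT" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        # Take the line apart: <NT group> (<SID>) -> <UNIX group>
        ntgroup=${line%% "("*}
        sid=${line#*"("}
        sid=${sid%%")"*}
        unixgroup=${line##*" -> "}
        # A SID minus its trailing RID is the SID of the issuing domain.
        if [ "${sid%-*}" != "$domain_sid" ]; then
            verdict=foreign-sid
        elif ! unix_group_exists "$unixgroup"; then
            verdict=missing-unix-group
        else
            case " $seen " in
                *" $unixgroup "*) verdict=duplicate-unix-group ;;
                *) verdict=ok ;;
            esac
        fi
        seen="$seen $unixgroup"
        printf '%s: %s\n' "$ntgroup" "$verdict"
    done
}

# Number of mappings that are not "ok" (usable as a monitoring check).
groupmap_problem_count() {
    audit_groupmap "$1" | grep -vc ': ok$'
}

audit_groupmap S-1-5-21-72630-4128915-11681869
```

Against the sample data the script reports <code class="literal">SupportEngrs</code> as missing its UNIX group, <code class="literal">Contractors</code> as carrying a foreign SID, and <code class="literal">Auditors</code> as reusing the UNIX group already mapped to <code class="literal">Engineers</code>.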
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2600110"></a>Deleting a Group Account</h4></div></div></div><p>
A group account may be deleted by executing the following command:
</p><pre class="screen">
<code class="prompt">root# </code> net rpc group delete SupportEngineers -Uroot%not24get
</pre><p>
Validation of the deletion is advisable; the listing commands shown above may be re-run to confirm it.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2600150"></a>Rename Group Accounts</h4></div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
This command is not documented in the man pages; it is implemented in the source code, but it does not
work at this time. The example given documents, from the source code, how it should work. Watch the
release notes of a future release to see when this may have been fixed.
</p></div><p>
Sometimes it is necessary to rename a group account. Good administrators know how painful some managers'
demands can be if this simple request is ignored. The following command demonstrates how the Windows group
“<span class="quote">SupportEngrs</span>” can be renamed to “<span class="quote">CustomerSupport</span>”:
</p><pre class="screen">
<code class="prompt">root# </code> net rpc group rename SupportEngrs \
CustomerSupport -Uroot%not24get
</pre><p>
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="grpmemshipchg"></a>Manipulating Group Memberships</h3></div></div></div><p>
Three operations can be performed regarding group membership. It is possible to (1) add Windows users
to a Windows group, (2) delete Windows users from Windows groups, and (3) list the Windows users that are
members of a Windows group.

MIDEARTH\vlendecke
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
An attempt to specify the group name as <code class="constant">MIDEARTH\Domain Users</code> in place of
407
407
just simply <code class="constant">Domain Users</code> will fail. The default behavior of the net rpc group
408
408
is to direct the command at the local machine. The Windows group is treated as being local to the machine.
409
409
If it is necessary to query another machine, its name can be specified using the <code class="constant">-S
410
410
servername</code> parameter to the <code class="literal">net</code> command.
411
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="nestedgrpmgmgt"></a>Nested Group Support</h3></div></div></div><p>
411
</p></div></div><div class="sect2" title="Nested Group Support"><div class="titlepage"><div><div><h3 class="title"><a name="nestedgrpmgmgt"></a>Nested Group Support</h3></div></div></div><p>
412
412
It is possible in Windows (and now in Samba also) to create a local group that has members (contains),
413
413
domain users, and domain global groups. Creation of the local group <code class="constant">demo</code> is
414
414
achieved by executing:
440
440
</p><pre class="screen">
441
441
<code class="prompt">root# </code> net rpc group delmem demo "DOM\jht" -Uroot%not24get
443
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2600629"></a>Managing Nest Groups on Workstations from the Samba Server</h4></div></div></div><p>
Windows network administrators often ask on the Samba mailing list how it is possible to grant everyone
administrative rights on their own workstation. This is of course a very bad practice, but commonly done
to avoid user complaints. Here is how it can be done remotely from a Samba PDC or BDC:
<a class="indexterm" name="id2600642"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc group addmem "Administrators" "Domain Users" \
-S WINPC032 -Uadministrator%secret
</pre><p>
This can be scripted, and can therefore be performed as a user logs onto the domain from a Windows
workstation. Here is a simple example that shows how this can be done.
</p><div class="procedure"><a name="id2600674"></a><p class="title"><b>Procedure 13.1. Automating User Addition to the Workstation Power Users Group</b></p><div class="example"><a name="autopoweruserscript"></a><p class="title"><b>Example 13.1. Script to Auto-add Domain Users to Workstation Power Users Group</b></p><div class="example-contents"><pre class="screen">
#!/bin/bash
# $1 is %U (user name), $2 is %m (client machine). "\\$1" passes DOMAIN_NAME\user; "\$1" would pass a literal "$1".
/usr/bin/net rpc group addmem "Power Users" "DOMAIN_NAME\\$1" \
-UAdministrator%secret -S "$2"
</pre></div></div><br class="example-break"><div class="example"><a name="magicnetlogon"></a><p class="title"><b>Example 13.2. A Magic Netlogon Share</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2600830"></a><em class="parameter"><code>comment = Netlogon Share</code></em></td></tr><tr><td><a class="indexterm" name="id2600841"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2600853"></a><em class="parameter"><code>root preexec = /etc/samba/scripts/autopoweruser.sh %U %m</code></em></td></tr><tr><td><a class="indexterm" name="id2600865"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2600877"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div></div><br class="example-break"><ol type="1"><li><p>
Create the script shown in <a class="link" href="NetCommand.html#autopoweruserscript" title="Example 13.1. Script to Auto-add Domain Users to Workstation Power Users Group">“Script to Auto-add Domain Users to Workstation Power Users Group”</a> and locate it in
the directory <code class="filename">/etc/samba/scripts</code>, named as <code class="filename">autopoweruser.sh</code>.
<a class="indexterm" name="id2600706"></a>
<a class="indexterm" name="id2600717"></a>
<a class="indexterm" name="id2600724"></a>
</p></li><li class="step" title="Step 2"><p>
Set the permissions on this script to permit it to be executed as part of the logon process:
</p><pre class="screen">
<code class="prompt">root# </code> chown root:root /etc/samba/scripts/autopoweruser.sh
<code class="prompt">root# </code> chmod 755 /etc/samba/scripts/autopoweruser.sh
</pre><p>
</p></li><li class="step" title="Step 3"><p>
Modify the <code class="filename">smb.conf</code> file so the <code class="literal">NETLOGON</code> stanza contains the parameters
shown in <a class="link" href="NetCommand.html#magicnetlogon" title="Example 13.2. A Magic Netlogon Share">the Netlogon Example smb.conf file</a>.
</p></li><li class="step" title="Step 4"><p>
Ensure that every Windows workstation Administrator account has the same password that you
have used in the script shown in <a class="link" href="NetCommand.html#magicnetlogon" title="Example�13.2.�A Magic Netlogon Share">the Netlogon Example smb.conf
in which case there is little justification for the use of this procedure. The key justification
for the use of this method is that it will guarantee that all users have appropriate rights on
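The logon script in Procedure 13.1 passes the workstation Administrator password on the net command line, where any local process can read it from the process list, and it splices the %U and %m values into that command line unchecked. The following is a hardened variant of that script, added here as an example; it is not the HOWTO's script. It reads the credentials from a net(8) authentication file instead (the -A option, a file of username = and password = lines that must be root-owned and mode 0600), validates the user and machine names before using them, and logs accepted and rejected requests to syslog so that unexpected group changes are visible. The credentials path /etc/samba/scripts/wks-admin.cred, the DOMAIN default, the syslog tag and the placeholder password are assumptions, not values from the HOWTO:

```bash
#!/bin/bash
# autopoweruser.sh, hardened variant: an added example, not the HOWTO's own script.
# Called from smb.conf exactly as the Netlogon example does:
#   root preexec = /etc/samba/scripts/autopoweruser.sh %U %m
# Assumptions (not from the HOWTO): the workstation Administrator credentials are kept
# in a net(8) authentication file read with -A, root-owned and mode 0600, containing
#   username = Administrator
#   password = <placeholder>
# so the password no longer appears on a command line that any local user can list.
set -eu

CRED_FILE=${CRED_FILE:-/etc/samba/scripts/wks-admin.cred}   # assumed path
DOMAIN=${DOMAIN:-DOMAIN_NAME}                                 # replace with your domain
NET=${NET:-/usr/bin/net}

log() { logger -t autopoweruser -- "$*" 2>/dev/null || printf '%s\n' "$*" >&2; }

# %U and %m come from the client session, so the script checks them itself rather
# than trusting the substitution: a SAM account name is at most 20 characters,
# a NetBIOS name at most 15, and neither may carry shell or option syntax.
valid_user() {
    case $1 in ''|-*) return 1 ;; esac
    [ "${#1}" -le 20 ] && [ -z "$(printf '%s' "$1" | tr -d 'A-Za-z0-9._ -')" ]
}

valid_host() {
    case $1 in ''|-*) return 1 ;; esac
    [ "${#1}" -le 15 ] && [ -z "$(printf '%s' "$1" | tr -d 'A-Za-z0-9-')" ]
}

# The argument vector that would be handed to net(8), one element per line, so it
# can be inspected (or tested) without a workstation to talk to.
build_cmd() {
    printf '%s\n' rpc group addmem "Power Users" "${DOMAIN}\\$1" -A "$CRED_FILE" -S "$2"
}

add_power_user() {
    user=$1; host=$2
    if ! valid_user "$user" || ! valid_host "$host"; then
        log "rejected request user=[$user] host=[$host]"
        return 2
    fi
    if [ ! -r "$CRED_FILE" ]; then
        log "credentials file $CRED_FILE is missing or unreadable"
        return 3
    fi
    log "adding ${DOMAIN}\\${user} to Power Users on ${host}"
    "$NET" rpc group addmem "Power Users" "${DOMAIN}\\${user}" -A "$CRED_FILE" -S "$host"
}

# Entry point when smbd runs the script; with no arguments only the functions are defined.
if [ $# -eq 2 ]; then
    add_power_user "$1" "$2"
fi
```

The rejected-request log line is the detection hook: a root preexec on a guest-readable share runs for every connection, so a burst of rejections, or an accepted request from a machine name you do not recognise, is worth an alert. The script still exits non-zero when it refuses to act; whether that blocks the netlogon connection depends on the share's root preexec close setting.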
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2600928"></a>UNIX and Windows User Management</h2></div></div></div><p>
<a class="indexterm" name="id2600936"></a>
<a class="indexterm" name="id2600942"></a>
<a class="indexterm" name="id2600949"></a>
<a class="indexterm" name="id2600956"></a>
<a class="indexterm" name="id2600963"></a>
<a class="indexterm" name="id2600970"></a>
<a class="indexterm" name="id2600977"></a>
<a class="indexterm" name="id2600983"></a>
Every Windows network user account must be translated to a UNIX/Linux user account. In actual fact,
the only account information the UNIX/Linux Samba server needs is a UID. The UID is available either
from a system (POSIX) account or from a pool (range) of UID numbers that is set aside for the purpose
</p><pre class="screen">
<code class="prompt">root# </code> net rpc user password jacko f4sth0rse \
-S FRODO -Uroot%not24get
</pre><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2601139"></a>Deletion of User Accounts</h3></div></div></div><p>
Deletion of a user account can be done using the following syntax:
</p><pre class="screen">
net [<method>] user DELETE <name> [misc. options] [targets]
</pre><p>
The following command will delete the user account <code class="constant">jacko</code>:
<a class="indexterm" name="id2601162"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc user delete jacko -Uroot%not24get
Deleted user account
</pre><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2601187"></a>Managing User Accounts</h3></div></div></div><p>
Two basic user account operations are routinely used: change of password and querying which groups a user
is a member of. The change of password operation is shown in <a class="link" href="NetCommand.html#sbeuseraddn" title="Adding User Accounts">“Adding User Accounts”</a>.
</p><p>
The ability to query Windows group membership can be essential. Here is how a remote server may be
interrogated to find which groups a user is a member of:
<a class="indexterm" name="id2601210"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc user info jacko -S SAURON -Uroot%not24get
net rpc user info jacko -S SAURON -Uroot%not24get
</pre><p>
It is also possible to rename user accounts:
<a class="indexterm" name="id2601240"></a>oldusername newusername
Note that this operation does not yet work against Samba servers. It is, however, possible to rename user accounts on
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2601256"></a>User Mapping</h3></div></div></div><p>
<a class="indexterm" name="id2601264"></a>
<a class="indexterm" name="id2601270"></a>
<a class="indexterm" name="id2601277"></a>
In some situations it is unavoidable that a user's Windows logon name will differ from the login ID
that user has on the Samba server. It is possible to create a special file on the Samba server that
will permit the Windows user name to be mapped to a different UNIX/Linux user name. The <code class="filename">smb.conf</code>
</p><pre class="screen">
parsonsw: "William Parsons"
marygee: geeringm
</pre><p>
In this example the Windows user account “<span class="quote">William Parsons</span>” will be mapped to the UNIX user
<code class="constant">parsonsw</code>, and the Windows user account “<span class="quote">geeringm</span>” will be mapped to the
UNIX user <code class="constant">marygee</code>.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2601339"></a>Administering User Rights and Privileges</h2></div></div></div><p>
<a class="indexterm" name="id2601347"></a>
<a class="indexterm" name="id2601354"></a>
<a class="indexterm" name="id2601361"></a>
<a class="indexterm" name="id2601368"></a>
<a class="indexterm" name="id2601375"></a>
With all versions of Samba earlier than 3.0.11 the only account on a Samba server that could
manage users, groups, shares, printers, and such was the <code class="constant">root</code> account. This caused
problems for some users and was a frequent source of scorn over the necessity to hand out the
credentials for the most security-sensitive account on a UNIX/Linux system.
</p><p>
<a class="indexterm" name="id2601394"></a>
<a class="indexterm" name="id2601402"></a>
<a class="indexterm" name="id2601408"></a>
<a class="indexterm" name="id2601416"></a>
<a class="indexterm" name="id2601423"></a>
New to Samba version 3.0.11 is the ability to delegate administrative privileges as necessary to either
a normal user or to groups of users. The significance of the administrative privileges is documented
in <a class="link" href="rights.html" title="Chapter 15. User Rights and Privileges">“User Rights and Privileges”</a>. Examples of use of the <code class="literal">net</code> command for user rights and privilege
management are appropriate to this chapter.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
When user rights and privileges are correctly set, there is no longer a need for a Windows
network account for the <code class="constant">root</code> user (nor for any synonym of it) with a UNIX UID=0.
Initial user rights and privileges can be assigned by any account that is a member of the <code class="constant">
The <code class="literal">net</code> command can be used to obtain the currently supported capabilities for rights
and privileges using this method:
<a class="indexterm" name="id2601496"></a>
<a class="indexterm" name="id2601503"></a>
<a class="indexterm" name="id2601510"></a>
<a class="indexterm" name="id2601517"></a>
<a class="indexterm" name="id2601524"></a>
<a class="indexterm" name="id2601531"></a>
<a class="indexterm" name="id2601538"></a>
<a class="indexterm" name="id2601545"></a>
<a class="indexterm" name="id2601552"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc rights list -U root%not24get
SeMachineAccountPrivilege Add machines to domain
SeRemoteShutdownPrivilege
SeDiskOperatorPrivilege
</pre><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2601684"></a>Managing Trust Relationships</h2></div></div></div><p>
There are essentially two types of trust relationships: the first is between domain controllers and domain
member machines (network clients), the second is between domains (called interdomain trusts). All
Samba servers that participate in domain security require a domain membership trust account, as do
Windows NT/200x/XP workstations.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2601699"></a>Machine Trust Accounts</h3></div></div></div><p>
The <code class="literal">net</code> command looks in the <code class="filename">smb.conf</code> file to obtain its own configuration settings. Thus, the following
command 'knows' which domain to join from the <code class="filename">smb.conf</code> file.
</p><p>
A Samba server domain trust account can be validated as shown in this example:
<a class="indexterm" name="id2601726"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc testjoin
Join to 'MIDEARTH' is OK
</pre><p>
A Samba-3 server that is a Windows ADS domain member can execute the following command to detach from the
<a class="indexterm" name="id2602002"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net ads leave
</pre><p>
Detailed information regarding an ADS domain can be obtained by a Samba DMS machine by executing the
<a class="indexterm" name="id2602030"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net ads status
</pre><p>
The volume of information is extensive. Please refer to the book “<span class="quote">Samba-3 by Example</span>”,
Chapter 7 for more information regarding its use. This book may be obtained either in print or online from
the <a class="ulink" href="http://www.samba.org/samba/docs/Samba3-ByExample.pdf" target="_top">Samba-3 by Example</a>.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2602068"></a>Interdomain Trusts</h3></div></div></div><p>
Interdomain trust relationships form the primary mechanism by which users from one domain can be granted
access rights and privileges in another domain.
</p><p>
To discover what trust relationships are in effect, execute this command:
<a class="indexterm" name="id2602083"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc trustdom list -Uroot%not24get
Trusted domains list:
<code class="prompt">root# </code> net rpc trustdom del DAMNATION -Uroot%not24get
</pre><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2602302"></a>Managing Security Identifiers (SIDS)</h2></div></div></div><p>
<a class="indexterm" name="id2602310"></a>
<a class="indexterm" name="id2602317"></a>
<a class="indexterm" name="id2602324"></a>
<a class="indexterm" name="id2602331"></a>
<a class="indexterm" name="id2602338"></a>
The basic security identifier that is used by all Windows networking operations is the Windows security
identifier (SID). All Windows network machines (servers and workstations), users, and groups are
identified by their respective SID. All desktop profiles are also encoded with user and group SIDs that
are specific to the SID of the domain to which the user belongs.
</p><p>
<a class="indexterm" name="id2602354"></a>
<a class="indexterm" name="id2602361"></a>
<a class="indexterm" name="id2602368"></a>
<a class="indexterm" name="id2602374"></a>
It is truly prudent to store the machine and/or domain SID in a file for safekeeping. Why? Because
a change in hostname or in the domain (workgroup) name may result in a change in the SID. When you
have the SID on hand, it is a simple matter to restore it. The alternative is to suffer the pain of
Usually it is not necessary to specify the target server (-S FRODO) or the administrator account
credentials (-Uroot%not24get).
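The safekeeping the paragraph above recommends, as an added shell example that is not part of the HOWTO: it reads the SID that net getlocalsid reports, accepts it only if it parses as a well-formed S-1-5-21 domain or machine SID (so an error message from net can never end up in the backup file), stores it in a root-only directory, and on later runs reports whether the SID has drifted, which is exactly what a hostname or workgroup rename can cause. A drifted SID is never written over the backup; the stored value is printed as the argument to give net setlocalsid. The sample output line in the comments, the backup directory /etc/samba/sid-backup and the one-file-per-name layout are constructed assumptions rather than Samba conventions:

```shell
#!/bin/sh
# Added example (not from the HOWTO): back up the SID that "net getlocalsid"
# reports and detect when it has changed. Paths below are assumptions.

BACKUP_DIR=${BACKUP_DIR:-/etc/samba/sid-backup}   # assumed location, root-only
NET=${NET:-/usr/bin/net}

# A machine or domain SID is S-1-5-21 followed by three 32-bit sub-authorities.
valid_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21-[0-9]{1,10}-[0-9]{1,10}-[0-9]{1,10}$'
}

# Parse one line of "net getlocalsid" output, e.g. the constructed sample
#   SID for domain FRODO is: S-1-5-21-726309263-4128913605-1168186429
# into SID_NAME and SID_VALUE. Returns 1 (and clears both) on anything else,
# so an error message from net is never mistaken for a SID.
parse_getlocalsid() {
    SID_NAME=''; SID_VALUE=''
    case $1 in
        'SID for domain '*' is: '*) ;;
        *) return 1 ;;
    esac
    rest=${1#SID for domain }
    SID_NAME=${rest%% is: *}
    SID_VALUE=${1##* is: }
    if ! valid_sid "$SID_VALUE"; then
        SID_NAME=''; SID_VALUE=''
        return 1
    fi
    return 0
}

# Compare a live SID with the stored copy: prints "new", "unchanged" or "changed".
compare_sid() {
    current=$1; stored_file=$2
    if [ ! -f "$stored_file" ]; then
        echo new
    elif [ "$(cat "$stored_file")" = "$current" ]; then
        echo unchanged
    else
        echo changed
    fi
}

# Take the backup. Exit status 0 means the SID is on disk and matches (or was
# just stored); 2 means drift was detected and the backup was left untouched.
backup_sid() {
    line=$("$NET" getlocalsid) || return 1
    parse_getlocalsid "$line" || { echo "unexpected output: $line" >&2; return 1; }
    mkdir -p "$BACKUP_DIR" && chmod 700 "$BACKUP_DIR"
    file="$BACKUP_DIR/$SID_NAME.sid"
    case $(compare_sid "$SID_VALUE" "$file") in
        new)       (umask 077; printf '%s\n' "$SID_VALUE" > "$file")
                   echo "stored $SID_VALUE for $SID_NAME" ;;
        unchanged) echo "SID for $SID_NAME unchanged" ;;
        changed)   echo "WARNING: SID for $SID_NAME is now $SID_VALUE, backup has $(cat "$file")" >&2
                   echo "restore with: net setlocalsid $(cat "$file")" >&2
                   return 2 ;;
    esac
}

# Run the backup only when asked to, so the file can also be sourced for its functions.
if [ "${1:-}" = run ]; then
    backup_sid
fi
```

Run it as `sid-backup.sh run` from cron after the first successful run has stored the SID; a non-zero exit is the signal that the server is no longer presenting the SID the profiles and ACLs were written with.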
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2602524"></a>Share Management</h2></div></div></div><p>
Share management is central to all file serving operations. Typical share operations include:
</p><div class="itemizedlist"><ul type="disc"><li><p>Creation/change/deletion of shares</p></li><li><p>Setting/changing ACLs on shares</p></li><li><p>Moving shares from one server to another</p></li><li><p>Change of permissions of share contents</p></li></ul></div><p>
Each of these is dealt with here insofar as it involves the use of the <code class="literal">net</code>
command. Operations outside of this command are covered elsewhere in this document.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2602569"></a>Creating, Editing, and Removing Shares</h3></div></div></div><p>
A share can be added using the <code class="literal">net rpc share</code> command capabilities.
The target machine may be local or remote and is specified by the -S option. It must be noted
that the addition and deletion of shares using this tool depends on the availability of a suitable
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2602757"></a>Creating and Changing Share ACLs</h3></div></div></div><p>
At this time the <code class="literal">net</code> tool cannot be used to manage ACLs on Samba shares. In MS Windows
language this is called Share Permissions.
</p><p>
It is possible to set ACLs on Samba shares using either the SRVTOOLS NT4 Domain Server Manager
or using the Computer Management MMC snap-in. Neither is covered here,
but see <a class="link" href="AccessControls.html" title="Chapter 16. File, Directory, and Share Access Controls">“File, Directory, and Share Access Controls”</a>.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2602787"></a>Share, Directory, and File Migration</h3></div></div></div><p>
<a class="indexterm" name="id2602795"></a>
Shares and files can be migrated in the same manner as user, machine, and group accounts.
It is possible to preserve access control settings (ACLs) as well as security settings
throughout the migration process. The <code class="literal">net rpc vampire</code> facility is used
server (or domain) as well as the processes on which the migration is critically dependent.
</p><p>
There are two known limitations to the migration process:
</p><div class="orderedlist"><ol type="1"><li><p>
The <code class="literal">net</code> command requires that the user credentials provided exist on both
the migration source and the migration target.
</p></li><li class="listitem"><p>
Printer settings may not be fully migrated, or may be migrated incorrectly. This might in particular happen
when migrating a Windows 2003 print server to Samba.
</p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2602897"></a>Share Migration</h4></div></div></div><p>
The <code class="literal">net rpc share migrate</code> command operation permits the migration of plain
share stanzas. A stanza contains the parameters within which a file or print share is defined.
The use of this migration method will create share stanzas that have as parameters the file
identical on both systems. One precaution worth taking before commencement of migration of shares is
to validate that the migrated accounts (on the Samba server) have the needed rights and privileges.
This can be done as shown here:
<a class="indexterm" name="id2603065"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc rights list accounts -Uroot%not24get
</pre><p>
The steps taken so far perform only the migration of shares. Directories and directory contents
are not migrated by the steps covered up to this point.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2603094"></a>File and Directory Migration</h4></div></div></div><p>
Everything covered to this point has been done in preparation for the migration of file and directory
data. For many people preparation is potentially boring and the real excitement only begins when file
data can be used. The next steps demonstrate the techniques that can be used to transfer (migrate)
to the above command line. Original file timestamps can be preserved by specifying the
<em class="parameter"><code>--timestamps</code></em> switch, and the DOS file attributes (i.e., hidden, archive, etc.) can
be preserved by specifying the <em class="parameter"><code>--attrs</code></em> switch.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The ability to preserve ACLs depends on appropriate support for ACLs as well as the general file system
semantics of the host operating system on the target server. A migration from one Windows file server to
another will perfectly preserve all file attributes. Because of the difficulty of mapping Windows ACLs
This command will migrate all files and directories from all file shares on the Windows server called
<code class="constant">nt4box</code> to the Samba server from which migration is initiated. Files that are group-owned
will be owned by the user account <code class="constant">administrator</code>.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2603309"></a>Share-ACL Migration</h4></div></div></div><p>
It is possible to have share-ACLs (security descriptors) that won't allow you, even as Administrator, to
copy any files or directories into the share. Therefore the migration of the share-ACLs has been put into a separate
<a class="indexterm" name="id2603320"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc share migrate security -S nt4box -U administrator%secret
</pre><p>
This command will only copy the share-ACL of each share on <code class="constant">nt4box</code> to your local Samba system.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2603351"></a>Simultaneous Share and File Migration</h4></div></div></div><p>
1183
</p></div><div class="sect3" title="Simultaneous Share and File Migration"><div class="titlepage"><div><div><h4 class="title"><a name="id2609418"></a>Simultaneous Share and File Migration</h4></div></div></div><p>
The operating mode shown here is just a combination of the previous three. It first migrates
share definitions and then all shared files and directories and finally migrates the share-ACLs:
</p><pre class="screen">
</pre><p>
An example of simultaneous migration is shown here:
<a class="indexterm" name="id2603376"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc share migrate all -S w2k3server -U administrator%secret
</pre><p>
This will generate a complete server clone of the <em class="parameter"><code>w2k3server</code></em> server.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2603410"></a>Printer Migration</h3></div></div></div><p>
The installation of a new server, as with the migration to a new network environment, often is similar to
building a house; progress is very rapid from the laying of foundations up to the stage at which
the house can be locked up, but the finishing off appears to take longer and longer as building
Printer migration from a Windows print server (NT4 or 200x) is shown. This instruction causes the
printer share to be created together with the underlying print queue:
<a class="indexterm" name="id2603546"></a>
</p><pre class="screen">
net rpc printer MIGRATE PRINTERS [printer] [misc. options] [targets]
</pre><p>
Printer drivers can be migrated from the Windows print server to the Samba server using this
command-line instruction:
<a class="indexterm" name="id2603566"></a>
</p><pre class="screen">
net rpc printer MIGRATE DRIVERS [printer] [misc. options] [targets]
</pre><p>
Printer forms can be migrated with the following operation:
<a class="indexterm" name="id2603585"></a>
</p><pre class="screen">
net rpc printer MIGRATE FORMS [printer] [misc. options] [targets]
</pre><p>
Printer security settings (ACLs) can be migrated from the Windows server to the Samba server using this command:
<a class="indexterm" name="id2603605"></a>
</p><pre class="screen">
net rpc printer MIGRATE SECURITY [printer] [misc. options] [targets]
</pre><p>
Printer configuration settings include factors such as paper size and default paper orientation.
These can be migrated from the Windows print server to the Samba server with this command:
<a class="indexterm" name="id2603627"></a>
</p><pre class="screen">
net rpc printer MIGRATE SETTINGS [printer] [misc. options] [targets]
</pre><p>
</p><pre class="screen">
net rpc printer MIGRATE ALL [printer] [misc. options] [targets]
</pre><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2603661"></a>Controlling Open Files</h2></div></div></div><p>
The man page documents the <code class="literal">net file</code> function suite, which provides the tools to
close open files using either RAP or RPC function calls. Please refer to the man page for specific
usage information.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2603680"></a>Session and Connection Management</h2></div></div></div><p>
The session management interface of the <code class="literal">net session</code> command uses the old RAP
method to obtain the list of connections to the Samba server, as shown here:
<a class="indexterm" name="id2603696"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rap session -S MERLIN -Uroot%not24get
Computer User name Client Type Opens Idle time
</pre><p>
</p><pre class="screen">
<code class="prompt">root# </code> net rap session close marvel -Uroot%not24get
</pre><p>
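Deciding which of the listed sessions to hand to <code class="literal">net rap session close</code> is easier when the table is parsed rather than read by eye. The following Python is an added example, not part of this HOWTO or of Samba: the header line is the one shown above, while the data rows and the assumed column layout (computer, user, client type, open-file count, idle time as HH:MM:SS) are constructed for illustration.

```python
"""Parse `net rap session` output and list sessions worth closing.

Added example, not part of the Samba HOWTO. The header line is the one shown
on the page; the data rows and the column layout (computer, user, client type,
open-file count, idle time as HH:MM:SS) are constructed assumptions.
"""
from __future__ import annotations

import re
from datetime import timedelta

# Constructed sample output: header from the page, rows invented for illustration.
SAMPLE_OUTPUT = r"""
Computer             User name            Client Type        Opens Idle time
------------------------------------------------------------------------------
\\marvel             root                 Unknown Client     2     00:00:03
\\frodo              jht                  Windows 2002 2600  0     03:41:17
\\sauron             administrator        Unknown Client     5     00:12:45
"""

# The client type may contain spaces, so it is matched lazily between the user
# name and the numeric open-file count; header and separator lines never match.
_ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+?)\s+(\d+)\s+(\d{1,2}):(\d{2}):(\d{2})\s*$")


def parse_sessions(text: str) -> list[dict]:
    """Return one dict per session row; non-matching lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if not m:
            continue
        computer, user, client, opens, h, mi, s = m.groups()
        sessions.append({
            "computer": computer.lstrip("\\"),  # drop the \\ UNC prefix
            "user": user,
            "client": client,
            "opens": int(opens),
            "idle": timedelta(hours=int(h), minutes=int(mi), seconds=int(s)),
        })
    return sessions


def stale_sessions(text: str, max_idle: timedelta = timedelta(hours=1)) -> list[str]:
    """Computers idle longer than max_idle that hold no open files.

    These are the candidates to hand to `net rap session close <computer>`.
    """
    return [s["computer"] for s in parse_sessions(text)
            if s["idle"] > max_idle and s["opens"] == 0]


if __name__ == "__main__":
    for name in stale_sessions(SAMPLE_OUTPUT):
        print(f"idle session with no open files: {name}")
```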
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2603746"></a>Printers and ADS</h2></div></div></div><p>
When Samba-3 is used within an MS Windows ADS environment, printers shared via Samba will not be browseable
until they have been published to the ADS domain. Information regarding published printers may be obtained
from the ADS server by executing the <code class="literal">net ads printer info</code> command following this syntax:
<a class="indexterm" name="id2603764"></a>
</p><pre class="screen">
net ads printer info <printer_name> <server_name> -Uadministrator%secret
</pre><p>
To publish (make available) a printer to ADS, execute the following command:
<a class="indexterm" name="id2603790"></a>
</p><pre class="screen">
net ads printer publish <printer_name> -Uadministrator%secret
</pre><p>
This publishes a printer from the local Samba server to ADS.
Removal of a Samba printer from ADS is achieved by executing this command:
<a class="indexterm" name="id2603815"></a>
</p><pre class="screen">
net ads printer remove <printer_name> -Uadministrator%secret
</pre><p>
A generic search (query) can also be made to locate a printer across the entire ADS domain by executing:
<a class="indexterm" name="id2603840"></a>
</p><pre class="screen">
net ads printer search <printer_name> -Uadministrator%secret
</pre><p>
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2603862"></a>Manipulating the Samba Cache</h2></div></div></div><p>
Please refer to the <code class="literal">net</code> command man page for information regarding cache management.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2603879"></a>Managing IDMAP UID/SID Mappings</h2></div></div></div><p>
The IDMAP UID to SID, and SID to UID, mappings that are created by <code class="literal">winbindd</code> can be
backed up to a text file. The text file can be manually edited, although it is highly recommended that
you attempt this only if you know precisely what you are doing.
If the time information obtained is to be passed to the UNIX
<code class="literal">/bin/time</code>, it is best to obtain it from the target server in a format
that is ready to be passed through. This may be done by executing:
<a class="indexterm" name="id2604075"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net time system -S FRODO
051700532005.16
</pre><p>
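The value shown above is compact enough to be worth checking mechanically before it is used: in an ADS environment Kerberos rejects tickets from hosts whose clocks differ by more than a few minutes. The following Python is an added example, not part of this HOWTO or of Samba; it assumes the <code class="literal">net time system</code> output is in the MMDDhhmmYYYY.ss form that the date-setting command accepts, takes the five-minute Kerberos tolerance as the assumed limit, and uses a constructed local timestamp.

```python
"""Parse `net time system` output and check the remote clock against ours.

Added example, not part of the Samba HOWTO. It assumes the output is in the
form MMDDhhmmYYYY.ss that the date-setting command accepts; the sample value
is the one shown on the page, the local timestamp is constructed.
"""
import re
from datetime import datetime, timedelta

# Assumed layout: month, day, hour, minute, four-digit year, ".seconds".
_NET_TIME_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{4})\.(\d{2})$")

# Kerberos, and therefore ADS domain membership, tolerates only a few minutes
# of clock skew; five minutes is the usual default and is assumed here.
MAX_SKEW = timedelta(minutes=5)


def parse_net_time(text: str) -> datetime:
    """Convert e.g. '051700532005.16' to datetime(2005, 5, 17, 0, 53, 16)."""
    m = _NET_TIME_RE.match(text.strip())
    if not m:
        raise ValueError(f"unexpected net time format: {text!r}")
    month, day, hour, minute, year, second = (int(g) for g in m.groups())
    return datetime(year, month, day, hour, minute, second)


def clock_skew(remote_text: str, local: datetime) -> timedelta:
    """Absolute difference between the remote server's clock and the local one.

    Both values are naive local times, so the two hosts are assumed to share a
    time zone; the page's `net time zone` command reports the server's zone.
    """
    return abs(parse_net_time(remote_text) - local)


def skew_ok(remote_text: str, local: datetime, limit: timedelta = MAX_SKEW) -> bool:
    """True when the remote clock is within `limit` of the local clock."""
    return clock_skew(remote_text, local) <= limit


if __name__ == "__main__":
    sample = "051700532005.16"                     # value from the page
    local_now = datetime(2005, 5, 17, 0, 55, 30)   # constructed local clock
    print("remote:", parse_net_time(sample), "skew:", clock_skew(sample, local_now))
    print("within Kerberos tolerance:", skew_ok(sample, local_now))
```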
The time can be set on a target server by executing:
<a class="indexterm" name="id2604100"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net time set -S MAGGOT -U Administrator%not24get
Tue May 17 00:55:30 MDT 2005
</pre><p>
It is possible to obtain the time zone of a server by executing the following command against it:
<a class="indexterm" name="id2604126"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net time zone -S SAURON