Authorizing Users in Samba
By: O'Reilly Media
    2008-02-28


    Table of Contents:
  • Authorizing Users in Samba
  • User Privilege Management
  • The net Tool
  • Controlling Authorization for File Shares



    Authorizing Users in Samba
    ( Page 1 of 4 )

    In this conclusion to a four-part series that covers authentication and authorization in Samba, you will learn about group mapping, user privilege management, and more. This article is excerpted from chapter five of Using Samba, Third Edition, written by Gerald Carter, Jay Ts and Robert Eckstein (O'Reilly, 2007; ISBN: 0596007698). Copyright © 2007 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

    Group Mapping

    Remember that Samba exports Unix objects in a form that is palatable to Windows clients. In keeping with this philosophy, Unix groups are handled in a fashion very similar to Unix users. The underlying Unix group must already exist. Samba then associates a SID and a name with that group and displays it to Windows. This operation is referred to as group mapping. The additional attributes can be manipulated using the net groupmap command.

    The group mapping functionality is provided as part of Samba’s passdb API and therefore shares the same storage mechanisms as user accounts. Both the smbpasswd and tdbsam passdb modules use the group_mapping.tdb file (stored in /usr/local/samba/var/locks by default). The ldapsam backend stores mapping entries by adding the sambaGroupMapping auxiliary object class to an existing posixGroup entry in the directory service. For all three backends, the actual table entries can be managed using the same Samba command-line tools (as was the case with user accounts).

    The group mapping interfaces and internal design have been given a new look starting with the 3.0.23 release. However, the basic concept is the same as in previous releases. Only the tools have changed. The new interface is a command set named net sam, which provides an interface to users, groups, and password policies. At the time of writing, the toolset is not yet complete.

    A group mapping entry is primarily an association from a SID to a Unix gid. A current entry can be viewed using the net groupmap list command. Be aware that all of the net groupmap commands must be run as root, because they operate on the passdb storage service directly.

      root# net groupmap list verbose ntgroup="Printer Admins"
      Printer Admins
          SID       : S-1-5-21-391507597-2097566357-2340928898-3091
          Unix group: prtadmin
          Group type: Domain Group
          Comment   : Domain Unix group

    Printer Admins is the name that will be displayed to Windows clients. The membership of this group is handled by managing the prtadmin Unix group membership. Only those Unix groups that possess a valid group mapping entry are displayed, as illustrated by Figure 5-3. The same is true for users: only those users who have an account in the current passdb backend are displayed in the Windows object picker UI.

    You can view a complete list of current group mappings by omitting the group name when entering net groupmap list. But groups mapped to a value of –1 are placeholder entries created by smbd and are ignored.

      root# net groupmap list
      Printer Admins (S-1-5-21-391507597-2097566357-2340928898-3091) -> prtadmin
      Administrators (S-1-5-32-544) -> -1
      Domain Admins (S-1-5-21-391507597-2097566357-2340928898-512) -> -1
      Users (S-1-5-32-545) -> -1
      Domain Guests (S-1-5-21-391507597-2097566357-2340928898-514) -> -1
      Domain Users (S-1-5-21-391507597-2097566357-2340928898-513) -> -1
      ...remaining output deleted

    The placeholder entries are not present when using an ldapsam passdb backend. Future versions of Samba will remove them from the remaining backends for the sake of consistency.
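    The listing format above is easy to parse, and doing so lets an administrator check that every real mapping (everything not a -1 placeholder) points at a Unix group that actually exists and that no single Unix group quietly backs several Windows groups. The following Python is an added example, not code from the book or from Samba; its sample listing is constructed from the article's output plus one made-up System Managers entry, and the Unix group set is a constructed stand-in for what getent group would return.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# One line of `net groupmap list` output, e.g. "Printer Admins (S-1-5-21-...-3091) -> prtadmin"
LINE_RE = re.compile(r"^\s*(?P<name>.+?)\s+\((?P<sid>S-1-[\d-]+)\)\s+->\s+(?P<unix>\S+)\s*$")

@dataclass
class GroupMap:
    ntgroup: str
    sid: str
    unixgroup: Optional[str]  # None for the "-1" placeholder entries created by smbd

    @property
    def rid(self) -> int:
        # Relative identifier: last sub-authority of the SID (512 is Domain Admins)
        return int(self.sid.rsplit("-", 1)[1])

def parse_groupmap_list(text: str) -> List[GroupMap]:
    # Blank lines and elision markers such as "...remaining output deleted" are skipped
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            unix = m.group("unix")
            entries.append(GroupMap(m.group("name"), m.group("sid"),
                                    None if unix == "-1" else unix))
    return entries

def audit_groupmaps(entries: List[GroupMap], unix_groups: Set[str]) -> List[str]:
    # Flag mappings whose Unix group is absent, and one Unix group backing several Windows groups
    findings, by_unix = [], {}
    for e in entries:
        if e.unixgroup is None:
            continue  # placeholder entry, ignored as the article says
        if e.unixgroup not in unix_groups:
            findings.append(f"{e.ntgroup} (RID {e.rid}) -> missing Unix group {e.unixgroup}")
        by_unix.setdefault(e.unixgroup, []).append(e.ntgroup)
    for unix, names in by_unix.items():
        if len(names) > 1:
            findings.append(f"Unix group {unix} backs several Windows groups: {', '.join(names)}")
    return findings

# Constructed sample: the article's listing plus one made-up entry whose Unix group is absent
SAMPLE = """\
Printer Admins (S-1-5-21-391507597-2097566357-2340928898-3091) -> prtadmin
Domain Admins (S-1-5-21-391507597-2097566357-2340928898-512) -> -1
System Managers (S-1-5-21-391507597-2097566357-2340928898-3092) -> sysops
"""
UNIX_GROUPS = {"prtadmin", "sysadmin"}  # constructed stand-in for `getent group` output
```

    Running audit_groupmaps(parse_groupmap_list(SAMPLE), UNIX_GROUPS) reports the System Managers entry, since sysops is not among the existing Unix groups.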

    New maps can be added by executing net groupmap add and including the Unix group name and either a SID or simply a Windows group map. It is better to define the ntgroup name value and allow Samba to allocate a SID unless you have a specific group (e.g., Domain Admins) that you require.

      root# net groupmap add ntgroup="System Managers" unixgroup=sysadmin
      No rid or sid specified, choosing algorithmic mapping
      Successfully added group Systems Managers to the mapping db


    Figure 5-3.  Displaying users and groups in the windows object picker

    The associated Unix group and group description can be changed with the modify subcommand:

      root# net groupmap modify ntgroup="System Managers" unixgroup=sysops comment="Server administrators group"
      Updated mapping entry for System Managers

    The Unix gid is not stored in the map entry and is therefore unaffected by renaming a group in /etc/group. In this example, the sysops and sysadmins groups are entirely different groups on the Unix server.

    Finally, you can remove entries using net groupmap delete:

      root# net groupmap delete ntgroup="Systems Managers"
      Successfully removed Systems Managers from the mapping db

    Table 5-14 gives a brief overview of the net groupmap command-line arguments.

    There are more esoteric things that can be done with the net groupmap tool. Most of these are prone to error and are not recommended for normal use. The options covered in this section are the most common and the least likely to change in a future Samba release.

    Table 5-14. net groupmap command-line options

    Command   Arguments                                         Description
    -------   ------------------------------------------------  ------------------------------------------------
    add       {ntgroup=name,sid=sid_string} unixgroup=name      Add a new group mapping between a Unix group
              [comment=string]                                  and a Windows group name or SID.
    delete    {ntgroup=name,sid=sid_string}                     Remove an existing group mapping entry.
    list      [verbose] [ntgroup=name,sid=sid_string]           List all or a specific group mapping record.
                                                                The verbose option includes all map attributes.
    modify    {ntgroup=name,sid=sid_string} [unixgroup=name]    Update an existing group mapping record.
              [comment=string]
