Samba allows the administrator to create MS Windows NT4/200x group accounts and to
arbitrarily associate them with UNIX/Linux group accounts.
Group accounts can be managed using the MS Windows NT4 or MS Windows 200x/XP Professional MMC tools.
Appropriate interface scripts should be provided in
smb.conf if it is desired that UNIX/Linux system
accounts should be automatically created when these tools are used. In the absence of these scripts, and
so long as
is running, Samba group accounts that are created using these
tools will be allocated UNIX UIDs and GIDs from the ID range specified by the
parameters in the
Figure11.1.砠IDMAP: Group SID-to-GID Resolution.
Figure11.2.IDMAP: GID Resolution to Matching SID.
In both cases, when winbindd is not running, only locally resolvable groups can be recognized. Please refer to
IDMAP: Group SID-to-GID Resolution and
IDMAP: GID Resolution to Matching SID. The
used to establish UNIX group to NT SID mappings as shown in
Figure11.3.IDMAP Storing Group Mappings.
Administrators should be aware that where
smb.conf group interface scripts make
direct calls to the UNIX/Linux system tools (the shadow utilities,
), the resulting UNIX/Linux group names will be subject
to any limits imposed by these tools. If the tool does not allow uppercase characters
or space characters, then the creation of an MS Windows NT4/200x-style group of
Engineering Managers will attempt to create an identically named
UNIX/Linux group, an attempt that will of course fail.
There are several possible workarounds for the operating system tools limitation. One
method is to use a script that generates a name for the UNIX/Linux system group that
fits the operating system limits and that then just passes the UNIX/Linux group ID (GID)
back to the calling Samba interface. This will provide a dynamic workaround solution.
Another workaround is to manually create a UNIX/Linux group, then manually create the
MS Windows NT4/200x group on the Samba server, and then use the
tool to connect the two to each other.