Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

Samba HowTo Guide
Prev Home Next

Nested Groups: Adding Windows Domain Groups to Windows Local Groups

This functionality is known as nested groups and was first added to Samba-3.0.3.

All MS Windows products since the release of Windows NT 3.10 support the use of nested groups. Many Windows network administrators depend on this capability because it greatly simplifies security administration.

The nested group architecture was designed with the premise that day-to-day user and group membership management should be performed on the domain security database. The application of group security should be implemented on domain member servers using only local groups. On the domain member server, all file system security controls are then limited to use of the local groups, which will contain domain global groups and domain global users.

You may ask, What are the benefits of this arrangement? The answer is obvious to those who have plumbed the dark depths of Windows networking architecture. Consider for a moment a server on which are stored 200,000 files, each with individual domain user and domain group settings. The company that owns the file server is bought by another company, resulting in the server being moved to another location, and then it is made a member of a different domain. Who would you think now owns all the files and directories? Answer: Account Unknown.

Unraveling the file ownership mess is an unenviable administrative task that can be avoided simply by using local groups to control all file and directory access control. In this case, only the members of the local groups will have been lost. The files and directories in the storage subsystem will still be owned by the local groups. The same goes for all ACLs on them. It is administratively much simpler to delete the Account Unknown membership entries inside local groups with appropriate entries for domain global groups in the new domain that the server has been made a member of.

Another prominent example of the use of nested groups involves implementation of administrative privileges on domain member workstations and servers. Administrative privileges are given to all members of the built-in local group Administrators on each domain member machine. To ensure that all domain administrators have full rights on the member server or workstation, on joining the domain, the Domain Admins group is added to the local Administrators group. Thus everyone who is logged into the domain as a member of the Domain Admins group is also granted local administrative privileges on each domain member.

UNIX/Linux has no concept of support for nested groups, and thus Samba has for a long time not supported them either. The problem is that you would have to enter UNIX groups as auxiliary members of a group in /etc/group. This does not work because it was not a design requirement at the time the UNIX file system security model was implemented. Since Samba-2.2, the winbind daemon can provide /etc/group entries on demand by obtaining user and group information from the domain controller that the Samba server is a member of.

In effect, Samba supplements the /etc/group data via the dynamic libnss_winbind mechanism. Beginning with Samba-3.0.3, this facility is used to provide local groups in the same manner as Windows does it. It works by expanding the local groups on the fly as they are accessed. For example, the Domain Users group of the domain is made a member of the local group demo. Whenever Samba needs to resolve membership of the demo local (alias) group, winbind asks the domain controller for demo members of the Domain Users group. By definition, it can only contain user objects, which can then be faked to be member of the UNIX/Linux group demo.

To enable the use of nested groups, winbindd must be used with NSS winbind. Creation and administration of the local groups is done best via the Windows Domain User Manager or its Samba equivalent, the utility net rpc group . Creating the local group demo is achieved by executing:

	root#  net rpc group add demo -L -Uroot%not24get
	

Here the -L switch means that you want to create a local group. It may be necessary to add -S and -U switches for accessing the correct host with appropriate user or root privileges. Adding and removing group members can be done via the addmem and delmem subcommands of net rpc group command. For example, addition of “DOM\Domain Users” to the local group demo is done by executing:

	net rpc group addmem demo "DOM\Domain Users"
	

Having completed these two steps, the execution of getent group demo will show demo members of the global Domain Users group as members of the group demo. This also works with any local or domain user. In case the domain DOM trusts another domain, it is also possible to add global users and groups of the trusted domain as members of demo. The users from the foreign domain who are members of the group that has been added to the demo group now have the same local access permissions as local domain users have.

Samba HowTo Guide
Prev Home Next

 
 
  Published under the terms fo the GNU General Public License Design by Interspire