Mapping Windows Groups to UNIX Groups
Windows groups must be mapped to UNIX system (POSIX) groups so that file system access controls
can be asserted in a manner that is consistent with the methods appropriate to the operating
system that is hosting the Samba server.
All file system (file and directory) access controls, within the file system of a UNIX/Linux server that is
hosting a Samba server, are implemented using a UID/GID identity tuple. Samba does not in any way override
or replace UNIX file system semantics. Thus it is necessary that all Windows networking operations that
access the file system provide a mechanism that maps a Windows user to a particular UNIX/Linux group
account. The user account must also map to a locally known UID. Note that the
command does not call any RPC-functions here but directly accesses the passdb.
Samba depends on default mappings for the
Domain Admins, Domain Users, and
Domain Guests global groups. Additional groups may be added as shown in the
examples just given. There are times when it is necessary to map an existing UNIX group account
to a Windows group. This operation, in effect, creates a Windows group account as a consequence
of creation of the mapping.
The operations that are permitted include:
delete. An example of each operation is shown here.
An existing UNIX group may be mapped to an existing Windows group by this example:
root# net groupmap modify ntgroup="Domain Users" unixgroup=users
An existing UNIX group may be mapped to a new Windows group as shown here:
root# net groupmap add ntgroup="EliteEngrs" unixgroup=Engineers type=d
Supported mapping types are 'd' (domain global) and 'l' (domain local).
A Windows group may be deleted, and then a new Windows group can be mapped to the UNIX group by
executing these commands:
root# net groupmap delete ntgroup=Engineers
root# net groupmap add ntgroup=EngineDrivers unixgroup=Engineers type=d
The deletion and addition operations affected only the logical entities known as Windows groups, or domain
groups. These operations are inert to UNIX system groups, meaning that they neither delete nor create UNIX
system groups. The mapping of a UNIX group to a Windows group makes the UNIX group available as Windows
groups so that files and folders on domain member clients (workstations and servers) can be given
domain-wide access controls for domain users and groups.
Two types of Windows groups can be created:
domain (global) and
In the previous examples the Windows groups created were of type
domain or global. The
following command will create a Windows group of type
root# net groupmap add ntgroup=Pixies unixgroup=pixies type=l
Supported mapping types are 'd' (domain global) and 'l' (domain local), a domain local group in Samba is
treated as local to the individual Samba server. Local groups can be used with Samba to enable multiple
nested group support.