Samba HowTo Guide

Adding, Renaming, or Deletion of Group Accounts

Samba provides file and print services to Windows clients. The file system resources it makes available to the Windows environment must, of necessity, be provided in a manner that is compatible with the Windows networking environment. UNIX groups are created and deleted as required to serve operational needs in the UNIX operating system and its file systems.

In order to make UNIX groups available to the Windows environment, Samba has a facility by which a UNIX group can be mapped to a logical entity called a Windows (or domain) group. Samba supports two types of Windows groups, local and global. Global groups can contain global users as members. This membership is effected in the normal UNIX manner, by adding UNIX users to UNIX groups. A Windows user account consists of a mapping between a SambaSAMAccount (a logical entity) and a UNIX user account. Therefore, a UNIX user is mapped to a Windows user (i.e., is given a Windows user account and password), and the UNIX groups to which that user belongs are mapped to Windows group accounts. The result is that in the Windows account environment that user is also a member of the Windows group account by virtue of UNIX group membership.

The following sub-sections, which deal with the management of Windows groups, demonstrate the relationship between a UNIX group account and its members and the respective Windows group accounts. They go on to show how UNIX group members automatically pass through to Windows group membership as soon as a logical mapping has been created.

Adding or Creating a New Group

Before attempting to add a Windows group account, the currently available groups can be listed as shown here (the -Uuser%password form used throughout these examples places the password in the process's argument list; net also accepts -Uuser alone and prompts for the password):

root#  net rpc group list -Uroot%not24get
Domain Admins
Domain Users
Domain Guests
Print Operators
Backup Operators
Domain Computers

A Windows group account called “SupportEngrs” can be added by executing the following command:

root#  net rpc group add "SupportEngrs" -Uroot%not24get

The addition results in immediate availability of the new group account, as validated by executing this command:

root#  net rpc group list -Uroot%not24get
Domain Admins
Domain Users
Domain Guests
Print Operators
Backup Operators
Domain Computers
SupportEngrs

The following demonstrates that the POSIX (UNIX/Linux system account) group has been created by Samba calling the interface script configured as add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g":

root#  getent group
Domain Admins:x:512:root
Domain Users:x:513:jht,lct,ajt,met
Domain Guests:x:514:
Print Operators:x:550:
Backup Operators:x:551:
Domain Computers:x:553:

The following demonstrates that using the net command to add a group account results in immediate mapping of the newly created POSIX group to the Windows group account:

root#  net groupmap list
Domain Admins (S-1-5-21-72630-4128915-11681869-512) -> Domain Admins
Domain Users (S-1-5-21-72630-4128915-11681869-513) -> Domain Users
Domain Guests (S-1-5-21-72630-4128915-11681869-514) -> Domain Guests
Print Operators (S-1-5-21-72630-4128915-11681869-550) -> Print Operators
Backup Operators (S-1-5-21-72630-4128915-11681869-551) -> Backup Operators
Replicator (S-1-5-21-72630-4128915-11681869-552) -> Replicator
Domain Computers (S-1-5-21-72630-4128915-11681869-553) -> Domain Computers
Engineers (S-1-5-21-72630-4128915-11681869-3005) -> Engineers
SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs

Mapping Windows Groups to UNIX Groups

Windows groups must be mapped to UNIX system (POSIX) groups so that file system access controls can be asserted in a manner that is consistent with the methods appropriate to the operating system that is hosting the Samba server.

All file system (file and directory) access controls within the file system of a UNIX/Linux server that is hosting a Samba server are implemented using a UID/GID identity tuple. Samba does not in any way override or replace UNIX file system semantics. Thus it is necessary that all Windows networking operations that access the file system provide a mechanism that maps a Windows user to a particular UNIX/Linux group account. The user account must also map to a locally known UID. Note that the net groupmap command does not call any RPC functions here but directly accesses the passdb.

Samba depends on default mappings for the Domain Admins, Domain Users, and Domain Guests global groups. Additional groups may be added as shown in the examples just given. There are times when it is necessary to map an existing UNIX group account to a Windows group. This operation, in effect, creates a Windows group account as a consequence of creating the mapping.

The permitted operations are add, modify, and delete. An example of each operation is shown here.

An existing UNIX group may be mapped to an existing Windows group as shown in this example:

root#  net groupmap modify ntgroup="Domain Users" unixgroup=users

An existing UNIX group may be mapped to a new Windows group as shown here:

root#  net groupmap add ntgroup="EliteEngrs" unixgroup=Engineers type=d

Supported mapping types are 'd' (domain global) and 'l' (domain local). A Windows group may be deleted, and then a new Windows group can be mapped to the UNIX group by executing these commands:

root#  net groupmap delete ntgroup=Engineers
root#  net groupmap add ntgroup=EngineDrivers unixgroup=Engineers type=d

The deletion and addition operations affect only the logical entities known as Windows groups, or domain groups. These operations are inert with respect to UNIX system groups, meaning that they neither delete nor create UNIX system groups. The mapping of a UNIX group to a Windows group makes the UNIX group available as a Windows group, so that files and folders on domain member clients (workstations and servers) can be given domain-wide access controls for domain users and groups.

Two types of Windows groups can be created: domain (global) and local. In the previous examples the Windows groups created were of type domain or global. The following command will create a Windows group of type local.

root#  net groupmap add ntgroup=Pixies unixgroup=pixies type=l

A domain local group in Samba is treated as local to the individual Samba server. Local groups can be used with Samba to enable nested group support.

Deleting a Group Account

A group account may be deleted by executing the following command:

root#  net rpc group delete SupportEngrs -Uroot%not24get

Validation of the deletion is advisable. The same commands used above to validate the addition (net rpc group list, getent group, and net groupmap list) may be executed again.
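An added example, not from the Samba HOWTO, of the validation step advised here and of the point made in the mapping section above that groupmap operations never touch UNIX groups: a POSIX shell audit that parses the line format printed by net groupmap list and flags every mapping whose UNIX group is absent from getent group. The sample outputs are constructed to mirror the page's listings, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Samba HOWTO: audit Samba group mappings.
# Parses lines in the format printed by "net groupmap list":
#   Name (S-1-5-21-...-RID) -> unixgroup
# and reports every mapping whose UNIX group is missing from the group
# database (format of "getent group": name:x:gid:members). Because
# net groupmap delete/add never touch UNIX groups, a mapping can point
# at a UNIX group that an administrator later removed with groupdel.

# Constructed sample data mirroring the page's listings; SupportEngrs
# is mapped but deliberately absent from the UNIX group database.
GROUPMAP_SAMPLE='Domain Admins (S-1-5-21-72630-4128915-11681869-512) -> Domain Admins
Domain Users (S-1-5-21-72630-4128915-11681869-513) -> Domain Users
Engineers (S-1-5-21-72630-4128915-11681869-3005) -> Engineers
SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs'

GETENT_SAMPLE='Domain Admins:x:512:root
Domain Users:x:513:jht,lct,ajt,met
Engineers:x:3005:'

# has_unix_group NAME GETENT_TEXT -> exit 0 if NAME is a group in GETENT_TEXT
has_unix_group() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { found = 1 } END { exit !found }'
}

# dangling_mappings GROUPMAP_TEXT GETENT_TEXT
# Prints one line per Windows group whose mapped UNIX group is missing:
#   <ntgroup>|<sid>|<unixgroup>
dangling_mappings() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        ntgroup=${line%% (S-1-*}     # text before " (S-1-"
        rest=${line#* (}             # "SID) -> unixgroup"
        sid=${rest%%)*}              # SID up to the closing parenthesis
        unixgroup=${line##* -> }     # text after the last " -> "
        if ! has_unix_group "$unixgroup" "$2"; then
            printf '%s|%s|%s\n' "$ntgroup" "$sid" "$unixgroup"
        fi
    done
}

# On a live server run the audit against real command output:
#   dangling_mappings "$(net groupmap list)" "$(getent group)"
dangling_mappings "$GROUPMAP_SAMPLE" "$GETENT_SAMPLE"
```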

Rename Group Accounts


Published under the terms of the GNU General Public License