Gerald (Jerry) Carter
2004-May-25 14:49 UTC
[Samba] Re: Nested group support documentation
ww m-pubsyssamba wrote:
| With regards Jerry's comment on nested groups, the how
| to guide included with Samba 3.0.3 source code still says
| nested groups are not supported. Does anyone know where I
| can get some information on the functionality
| which is included for nested groups on 3.0.3 onwards?

Here's a rough draft from Volker.

ciao, jerry

-------- Original Message --------
Subject: winbind nested groups quick docu
Date: Wed, 21 Apr 2004 14:10:36 +0200
From: Volker.Lendecke@SerNet.DE

Hi!

Attached find a little preliminary howto entry for nested groups. I did not look where this would best be included into the howto. Feel free to add it.

Volker

Nested Groups

Windows supports the concept of nested groups to ease administration. You can create a so-called local group on any machine and add users and global (domain) groups from any trusted SAM to it. This way you might be able to reduce the amount of ACL entries you have to set on any file or directory.

Another prominent example is the use of administrative privileges on workstations that are domain members. Administrative privileges are given to all members of the builtin local group Administrators on each workstation. To make sure that all domain administrators also have full rights on any workstation, upon domain join the Domain Admins group is added to the local Administrators group. Thus anybody logged into the domain as member of the Domain Admins group is also granted local admin privileges on each workstation.

Unix does not support the concept of nested groups, and thus Samba has for a long time not supported them either. The problem is that you would have to put unix groups as auxiliary members of a group into /etc/group, which is not possible.

Since Samba 2.2 winbind is the daemon that can provide /etc/group entries on demand by asking the Domain Controller of the domain Samba is a member of on the fly. So Samba since that time has control over the /etc/group file via the dynamic libnss_winbind mechanism. Beginning with Samba 3.0.3 this facility is used to provide local groups in the same manner as Windows does it. It works by expanding the local groups on the fly while being accessed. So when you put for example the Domain Users group of your domain as a member of the local alias "all", whenever asking for the members of "all" winbind asks the DC for all members of the Domain Users group. By definition it can only contain user objects, which can then be faked to be members of the Unix group "all".

To be able to use nested groups, you need to run winbindd and nss_winbind. Creation and administration of the local groups is done best via the Windows User Manager for Domains or its Samba equivalent, the utility "net rpc group". Creating the local group "all" can be done by

    net rpc group add all -L

where the -L switch denotes that you want to create a local group. Please add -S and -U switches for accessing the correct host via a user with root privileges as needed.

Adding and removing group members can be done via the addmem and delmem subcommands of "net rpc group". For example, adding "DOM\Domain Users" to the local group "all" would be done by

    net rpc group addmem all "DOM\Domain Users"

Having done these two steps you will find that "getent group all" will show all members of the global Domain Users group as members of the group "all". Certainly this also works with any local or domain user. In case the domain DOM trusts another domain, it is also possible to add global users and groups of the trusted domain as members of "all".
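The two "net rpc group" steps above and the "getent group" check, collected into one POSIX shell script as an added example (this is not code from the Samba project or from Volker's draft). The group name "all", the domain DOM, the host and the admin account are assumed placeholders taken from the howto's wording; the getent line used by the offline check is constructed, and the "DOM\user" member format assumes winbind's default separator:

```shell
#!/bin/sh
# Added example: create a Samba local (alias) group, nest a domain group in it,
# and verify that nss_winbind expands the nested members.
# Placeholders (assumed, override via the environment): group "all", domain
# group "DOM\Domain Users", target host and an account with root privileges.

GROUP="${GROUP:-all}"
DOMAIN_GROUP="${DOMAIN_GROUP:-DOM\\Domain Users}"
SAMBA_HOST="${SAMBA_HOST:-localhost}"   # passed to -S
ADMIN_USER="${ADMIN_USER:-root}"        # passed to -U

# Create the local group; -L selects a local (alias) group, not a global one.
create_local_group() {
    net rpc group add "$1" -L -S "$SAMBA_HOST" -U "$ADMIN_USER"
}

# Add a member (a user, or a global/domain group from any trusted domain)
# to the local group.
add_member() {
    net rpc group addmem "$1" "$2" -S "$SAMBA_HOST" -U "$ADMIN_USER"
}

# Remove a member again with the delmem subcommand.
remove_member() {
    net rpc group delmem "$1" "$2" -S "$SAMBA_HOST" -U "$ADMIN_USER"
}

# Return 0 if the account $2 appears in the member field of a getent(1)
# group line $1 ("name:x:gid:member1,member2,..."). Takes the line as an
# argument so it can be exercised offline on constructed input.
group_line_has_member() {
    line="$1"; wanted="$2"
    members=$(printf '%s' "$line" | cut -d: -f4)
    old_ifs=$IFS; IFS=','
    set -f   # no pathname expansion while splitting the member list
    for m in $members; do
        if [ "$m" = "$wanted" ]; then
            set +f; IFS=$old_ifs
            return 0
        fi
    done
    set +f; IFS=$old_ifs
    return 1
}

# Live check: ask NSS (and therefore winbind) for the expanded group and
# confirm that a given domain user was pulled in through the nested group.
verify_member() {
    line=$(getent group "$1") || return 1
    group_line_has_member "$line" "$2"
}

# Usage (requires winbindd and nss_winbind on the member server):
#   create_local_group "$GROUP"
#   add_member "$GROUP" "$DOMAIN_GROUP"
#   verify_member "$GROUP" 'DOM\jdoe' && echo "nested expansion works"
```

The offline check matters because winbind, not /etc/group, is the source of the expanded member list: "getent group all" succeeding with the domain users listed is the evidence that the nested group is being expanded on the fly, while a line with an empty member field usually means winbindd is not running or nss_winbind is not configured in nsswitch.conf.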