Whyte, Brian C CIV NSWCDD, W63
2008-Feb-01 22:06 UTC
[Samba] Help with mapping a UNIX group to a AD Directory Group
Hi All,

I have already integrated my samba with the Active directory domain
using winbind, but I am trying to do the following. I want to map a UNIX
group "ccusers" to Active Directory group "NICE\ccusers". I need my AD
users that don't have local accounts on my machine to be able to access
directories owned by the UNIX group ccusers. It seems like it should be
simple to do, but I cannot figure out how to make it work.

I do know that this will work if I add a local account for each user
with the correct group, but I have about 2000 users so I'd rather not do
this.

Here's what I have done.

I have a UNIX group called ccusers with a gid of 330

The following commands both work and return all the users and groups in
the AD domain.

%getent passwd
</etc/passwd output>
.
.
.
<winbind user output>
.
.
.
%getent group
</etc/group output>
.
.
.
<winbind group output>
.
.
.

I had thought that "net groupmap add ..." was the right way to map
these, but it does not seem to do anything. I might be confused as to
what this command is supposed to accomplish.

Here is what I tried:

%net groupmap add ntgroup=ccusers unixgroup=ccusers rid=1022 type=d
<successfully added...>
<did not appear to map my two groups in getent output>

%net groupmap delete ntgroup=ccusers
%net groupmap add ntgroup=NICE\ccusers unixgroup=ccusers rid=1022 type=d
%cd /var/cache/samba
%rm winbindd_cache.tdb
%rm winbindd_idmap.tdb
%/etc/init.d/smb restart
%/etc/init.d/winbind restart
<same unsatisfactory result>

First, can someone tell me what this command is actually supposed to do?
The man page's explanation of it leaves a lot to the imagination. As
far as I'm concerned it does absolutely nothing except update the output
of "net groupmap list".

Here's a detailed example of what I'm looking for samba and winbind to
do:

Right now the output of getent passwd looks like this for an AD user on
my Linux machine (Yes, I am not using a separator and I am using
templates for the home directory and shell)
jsmith:*:233:204:John Smith:/home/NICE/jsmith:/bin/bash

204 is the gid that the winbind service has assigned to the AD
NICE\ccusers group
330 is the gid of my Linux ccusers group

I would like the output of winbind to look like this
jsmith:*:233:330:John Smith:/home/NICE/jsmith:/bin/bash (correct gid)

The only way I have found to make this work, is the following:

%/etc/init.d/winbind stop
%groupdel ccusers
%groupadd -g 204 ccusers
%/etc/init.d/winbind start

This would probably work fine for me if this was a new server. The
problem is that gid 330 owns a ton of files on the system and I'm not
sure that winbind will always assign 204 to the AD NICE\ccusers group.
Does anyone have any ideas?

Sincerely,

Brian

Mark Braker
2008-Feb-02 00:08 UTC
[Samba] Help with mapping a UNIX group to a AD Directory Group
I thought there might be a way to do this in the smb.conf file itself or
possibly in the /etc/samba/smbusers file. Some kind of user/group
mapping config.

--------------------------------------------------
From: "Whyte, Brian C CIV NSWCDD, W63" <brian.c.whyte@navy.mil>
Sent: Friday, February 01, 2008 5:00 PM
To: <samba@lists.samba.org>
Subject: [Samba] Help with mapping a UNIX group to a AD Directory Group

> Hi All,
>
> I have already integrated my samba with the Active directory domain
> using winbind, but I am trying to do the following. I want to map a UNIX
> group "ccusers" to Active Directory group "NICE\ccusers". I need my AD
> users that don't have local accounts on my machine to be able to access
> directories owned by the UNIX group ccusers. It seems like it should be
> simple to do, but I cannot figure out how to make it work.
>
> I do know that this will work if I add a local account for each user
> with the correct group, but I have about 2000 users so I'd rather not do
> this.
>
> Here's what I have done.
>
> I have a UNIX group called ccusers with a gid of 330
>
> The following commands both work and return all the users and groups in
> the AD domain.
>
> %getent passwd
> </etc/passwd output>
> .
> .
> .
> <winbind user output>
> .
> .
> .
> %getent group
> </etc/group output>
> .
> .
> .
> <winbind group output>
> .
> .
> .
>
>
> I had thought that "net groupmap add ..." was the right way to map
> these, but it does not seem to do anything. I might be confused as to
> what this command is supposed to accomplish.
>
> Here is what I tried:
>
> %net groupmap add ntgroup=ccusers unixgroup=ccusers rid=1022 type=d
> <successfully added...>
> <did not appear to map my two groups in getent output>
>
> %net groupmap delete ntgroup=ccusers
> %net groupmap add ntgroup=NICE\ccusers unixgroup=ccusers rid=1022 type=d
> %cd /var/cache/samba
> %rm winbindd_cache.tdb
> %rm winbindd_idmap.tdb
> %/etc/init.d/smb restart
> %/etc/init.d/winbind restart
> <same unsatisfactory result>
>
> First, can someone tell me what this command is actually supposed to do?
> The man page's explanation of it leaves a lot to the imagination. As
> far as I'm concerned it does absolutely nothing except update the output
> of "net groupmap list".
>
> Here's a detailed example of what I'm looking for samba and winbind to
> do:
>
> Right now the output of getent passwd looks like this for an AD user on
> my Linux machine (Yes, I am not using a separator and I am using
> templates for the home directory and shell)
> jsmith:*:233:204:John Smith:/home/NICE/jsmith:/bin/bash
>
> 204 is the gid that the winbind service has assigned to the AD
> NICE\ccusers group
> 330 is the gid of my Linux ccusers group
>
> I would like the output of winbind to look like this
> jsmith:*:233:330:John Smith:/home/NICE/jsmith:/bin/bash (correct gid)
>
> The only way I have found to make this work, is the following:
>
> %/etc/init.d/winbind stop
> %groupdel ccusers
> %groupadd -g 204 ccusers
> %/etc/init.d/winbind start
>
> This would probably work fine for me if this was a new server. The
> problem is that gid 330 owns a ton of files on the system and I'm not
> sure that winbind will always assign 204 to the AD NICE\ccusers group.
> Does anyone have any ideas?
>
>
> Sincerely,
>
> Brian
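
Added example, not part of the original thread or of Samba: a small audit of `getent` output that surfaces the situation described above, where one group name resolves to two gids and AD users carry the gid that does not own the local files. The sample data is constructed from the values quoted in the thread (330, 204, jsmith); treating the first-listed entry as the local one assumes nsswitch lists `files` before `winbind`.

```python
"""Audit getent output for group names that resolve to more than one gid."""
from collections import defaultdict

# Constructed sample: local ccusers (gid 330) followed by the winbind view of
# the AD group, which shows up under the same name when no separator is used.
GETENT_GROUP = """\
root:x:0:
ccusers:x:330:
domain users:*:200:
ccusers:*:204:
"""
GETENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jsmith:*:233:204:John Smith:/home/NICE/jsmith:/bin/bash
"""

def parse_groups(text):
    """Return {group name: [gid, ...]} in the order NSS listed them."""
    gids = defaultdict(list)
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # skip blank or malformed lines
        gid = int(fields[2])
        if gid not in gids[fields[0]]:
            gids[fields[0]].append(gid)
    return dict(gids)

def split_groups(groups):
    """Group names that map to more than one gid."""
    return {name: g for name, g in groups.items() if len(g) > 1}

def affected_users(passwd_text, groups):
    """Users whose primary gid belongs to a split group name but is not the
    first-listed (assumed local) gid: (user, group, user_gid, local_gid)."""
    conflicts = split_groups(groups)
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or not fields[3].isdigit():
            continue
        pgid = int(fields[3])
        for name, gids in conflicts.items():
            if pgid in gids and pgid != gids[0]:
                hits.append((fields[0], name, pgid, gids[0]))
    return hits

if __name__ == "__main__":
    for user, group, got, local in affected_users(GETENT_PASSWD, parse_groups(GETENT_GROUP)):
        print(f"{user}: primary gid {got} is '{group}' via winbind, local files use gid {local}")
```

On a live host the two strings would be replaced with the captured output of `getent group` and `getent passwd`.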