
Mapping Linux local groups to a PDC (net groupmap)

火星人 @ 2014-03-24

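Compared with a Windows AD domain, the biggest shortcoming of a PDC is that groups cannot be created on the PDC itself. The commands below map a Linux local group to the PDC in a Windows-compatible way, so the mapped group is also visible from Windows clients.
Use the command net groupmap list to view the groups that the system maps by default.
The following command maps a local group: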
net groupmap add S-1-1 ntgroup="Domino Users" unixgroup=cncadmin
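Here "S-1-1" is the ID number of the Samba server, "Domino Users" is the name of the group as mapped onto the PDC, and "cncadmin" is the Linux local group, which must exist in the /etc/group file.
net groupmap delete (delete a mapped group)
net groupmap add (add a mapped group)
net groupmap modify (modify a mapped group)
The original English text follows (samba 3.0 help):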
group
You will need to add the following text to the end of the '/etc/group' file. Make sure that there are no overlaps with names or ID's for any existing groups. You can edit the group ID's as needed.
(You should also change 'WORKGROUP' to the name of your domain, or else remove it if you do not want a group that represents the domain)

# these group entries need to be added to the '/etc/group' file
#
# samba requires a 'machines' group equal to 100
machines:*:100:
# locally defined groups. the first is the domain group 'WORKGROUP'
# you should change this depending upon the domain
WORKGROUP:*:1001:
# group added for 'dhcpd'
dhcpd:*:1002:
# group added for 'samba' (default for all new Samba users)
samba:*:1003:administrator,root
# additional 'operator' groups for Samba - print, account, backup
print:*:1004:
account:*:1005:
backup:*:1006:




mapgroup.sh
The following script will associate the various 'Samba' groups (compatible with Windows) with UNIX groups defined in the '/etc/group' file. Some of the examples were left 'as-is' and commented out, using examples obtained from the Samba documentation. Additional information as comments has been placed at the end of the script in order to document the correct 'RID' values, should you need to re-create the groups yourself.
(You should make sure that each of the groups referenced in the script actually exist, and add them to the '/etc/group' file if they do not).

#!/bin/sh
#### Keep this as a shell script for future re-use

# assign well known groups for the domain
# net groupmap add ntgroup="Domain Admins" unixgroup=wheel type=d rid=512
# net groupmap add ntgroup="Domain Users" unixgroup=samba type=d rid=513
# net groupmap add ntgroup="Domain Guests" unixgroup=nobody type=d rid=514

net groupmap modify ntgroup="Domain Admins" unixgroup=wheel
net groupmap modify ntgroup="Domain Users" unixgroup=samba
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody

# now, do the local groups. Change 'WORKGROUP' to the group that is
# associated with the domain name.
net groupmap modify ntgroup="Administrators" unixgroup=wheel
net groupmap modify ntgroup="Users" unixgroup=samba
net groupmap modify ntgroup="Guests" unixgroup=guest
net groupmap modify ntgroup="Power Users" unixgroup=WORKGROUP
net groupmap modify ntgroup="Account Operators" unixgroup=account
net groupmap modify ntgroup="System Operators" unixgroup=operator
net groupmap modify ntgroup="Print Operators" unixgroup=print
net groupmap modify ntgroup="Backup Operators" unixgroup=backup
net groupmap modify ntgroup="Replicators" unixgroup=staff

# list of domain groups and RID's
# Domain Admins 200H
# Domain Users 201H
# Domain Guests 202H

# list of local groups
# Administrators 26
# Users 27
# Guests 28
# Power Users 29
# Account Operators 30
# System Operators 31
# Print Operators 32
# Backup Operators 33
# Replicators 34
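
The help text above asks that every group referenced in mapgroup.sh exist in '/etc/group' and that group IDs not overlap; since these mappings decide which UNIX group backs privileged Windows groups, both are worth checking before the script is run. The following preflight check is an added example, not part of the original page or of Samba; the function names and the sample files (abridged from the page, with one GID collision introduced on purpose) are constructed for illustration.

```sh
#!/bin/sh
# Added example: preflight check for a groupmap script such as mapgroup.sh.

# List each unixgroup= value on an uncommented 'net groupmap add|modify' line.
referenced_groups() {
    grep -E '^[[:space:]]*net[[:space:]]+groupmap[[:space:]]+(add|modify)[[:space:]]' "$1" |
        sed -n 's/.*unixgroup="\{0,1\}\([^"[:space:]]*\).*/\1/p' | LC_ALL=C sort -u
}

# Print referenced UNIX groups that have no entry in the group file ($2).
missing_groups() {
    referenced_groups "$1" | while IFS= read -r g; do
        awk -F: -v g="$g" '$1 == g { f = 1 } END { exit !f }' "$2" || printf '%s\n' "$g"
    done
}

# Print every GID that more than one group entry uses (the "overlap" case).
duplicate_gids() {
    awk -F: '/^[ \t]*#/ { next } NF >= 3 { n[$3]++ }
             END { for (k in n) if (n[k] > 1) print k }' "$1" | sort -n
}

# Report both problems; returns non-zero if anything was found.
check_groupmap() {
    miss=$(missing_groups "$1" "$2"); dups=$(duplicate_gids "$2")
    [ -z "$miss" ] || echo "$miss" | sed 's/^/unixgroup missing from group file: /'
    [ -z "$dups" ] || echo "$dups" | sed 's/^/GID shared by several groups: /'
    [ -z "$miss$dups" ]
}

# Write constructed sample files into directory $1.
write_sample() {
    cat > "$1/group" <<'EOF'
# samba requires a 'machines' group equal to 100
machines:*:100:
WORKGROUP:*:1001:
samba:*:1003:administrator,root
print:*:1004:
backup:*:1004:
EOF
    cat > "$1/mapgroup.sh" <<'EOF'
# net groupmap add ntgroup="Domain Admins" unixgroup=wheel type=d rid=512
net groupmap modify ntgroup="Domain Users" unixgroup=samba
net groupmap modify ntgroup="Print Operators" unixgroup=print
net groupmap modify ntgroup="Replicators" unixgroup=staff
net groupmap modify ntgroup="Account Operators" unixgroup=account
EOF
}
if [ "$#" -eq 2 ]; then check_groupmap "$1" "$2"; fi
```

Saved as a file and invoked with the mapping script and the group file as its two arguments, it prints one line per problem and exits non-zero if any were found.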


http://coctec.com/docs/linux/show-post-132772.html