
Mapping Linux local groups to a PDC (net groupmap)

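Published: 2006-11-17 01:06:57 Source: 红联 Author: phpjava
Compared with a Windows AD domain, the biggest shortcoming of a PDC is that groups cannot be created on the PDC. The commands below map Linux local groups to the PDC in a Windows-compatible way, so the mapped groups are also visible from Windows clients.
The command net groupmap list shows the groups that the system maps by default.
The following command maps a local group:
net groupmap add S-1-1 ntgroup="Domino Users" unixgroup=cncadmin
Here "S-1-1" is the ID number of the Samba server, "Domino Users" is the name of the group as mapped on the PDC, and "cncadmin" is the Linux local group, which must exist in the /etc/group file.
net groupmap delete (delete a mapped group)
net groupmap add (add a mapped group)
net groupmap modify (modify a mapped group)
The original English text follows: samba 3.0 help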
group
You will need to add the following text to the end of the '/etc/group' file. Make sure that there are no overlaps with names or ID's for any existing groups. You can edit the group ID's as needed.
(You should also change 'WORKGROUP' to the name of your domain, or else remove it if you do not want a group that represents the domain)

# these group entries need to be added to the '/etc/group' file
#
# samba requires a 'machines' group equal to 100
machines:*:100:
# locally defined groups. the first is the domain group 'WORKGROUP'
# you should change this depending upon the domain
WORKGROUP:*:1001:
# group added for 'dhcpd'
dhcpd:*:1002:
# group added for 'samba' (default for all new Samba users)
samba:*:1003:administrator,root
# additional 'operator' groups for Samba - print, account, backup
print:*:1004:
account:*:1005:
backup:*:1006:




mapgroup.sh
The following script will associate the various 'Samba' groups (compatible with Windows) with UNIX groups defined in the '/etc/group' file. Some of the examples were left 'as-is' and commented out, using examples obtained from the Samba documentation. Additional information as comments has been placed at the end of the script in order to document the correct 'RID' values, should you need to re-create the groups yourself.
(You should make sure that each of the groups referenced in the script actually exist, and add them to the '/etc/group' file if they do not).

#!/bin/sh
#### Keep this as a shell script for future re-use

# assign well known groups for the domain
# net groupmap add ntgroup="Domain Admins" unixgroup=wheel type=d rid=512
# net groupmap add ntgroup="Domain Users" unixgroup=samba type=d rid=513
# net groupmap add ntgroup="Domain Guests" unixgroup=nobody type=d rid=514

net groupmap modify ntgroup="Domain Admins" unixgroup=wheel
net groupmap modify ntgroup="Domain Users" unixgroup=samba
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody

# now, do the local groups. Change 'WORKGROUP' to the group that is
# associated with the domain name.
net groupmap modify ntgroup="Administrators" unixgroup=wheel
net groupmap modify ntgroup="Users" unixgroup=samba
net groupmap modify ntgroup="Guests" unixgroup=guest
net groupmap modify ntgroup="Power Users" unixgroup=WORKGROUP
net groupmap modify ntgroup="Account Operators" unixgroup=account
net groupmap modify ntgroup="System Operators" unixgroup=operator
net groupmap modify ntgroup="Print Operators" unixgroup=print
net groupmap modify ntgroup="Backup Operators" unixgroup=backup
net groupmap modify ntgroup="Replicators" unixgroup=staff

# list of domain groups and RID's
# Domain Admins 200H
# Domain Users 201H
# Domain Guests 202H

# list of local groups
# Administrators 26
# Users 27
# Guests 28
# Power Users 29
# Account Operators 30
# System Operators 31
# Print Operators 32
# Backup Operators 33
# Replicators 34
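
An added example (not part of the original article or of the Samba documentation): a pre-flight check for the two cautions above, that every UNIX group referenced by a mapgroup.sh-style script exists in the group file and that no GID is assigned to two groups. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check for a mapgroup.sh-style script (added example).

# Print each unixgroup= value used on an active (uncommented) net groupmap line.
mapped_unix_groups() {   # $1 = mapping script
    sed -n 's/^[[:space:]]*net groupmap .*unixgroup=\([^[:space:]]*\).*/\1/p' "$1" | sort -u
}

# Print mapped UNIX groups that have no entry in the group file.
missing_groups() {       # $1 = mapping script, $2 = group file
    mapped_unix_groups "$1" | while read -r g; do
        awk -F: -v g="$g" '$1 == g { f = 1 } END { exit !f }' "$2" || echo "$g"
    done
}

# Print GIDs assigned to more than one group name (the overlap to avoid).
duplicate_gids() {       # $1 = group file
    awk -F: '!/^[ \t]*#/ && NF >= 3 { n[$3]++ }
             END { for (id in n) if (n[id] > 1) print id }' "$1" | sort -n
}

# Constructed sample input: 'print' reuses GID 1003 and 'backup' is absent.
tmp=$(mktemp -d)
cat > "$tmp/group" <<'EOF'
# constructed sample, not a real /etc/group
wheel:*:10:root
samba:*:1003:administrator,root
print:*:1003:
EOF
cat > "$tmp/mapgroup.sh" <<'EOF'
# net groupmap add ntgroup="Domain Guests" unixgroup=nobody type=d rid=514
net groupmap modify ntgroup="Domain Admins" unixgroup=wheel
net groupmap modify ntgroup="Print Operators" unixgroup=print
net groupmap modify ntgroup="Backup Operators" unixgroup=backup
EOF

echo "missing from group file: $(missing_groups "$tmp/mapgroup.sh" "$tmp/group" | tr '\n' ' ')"
echo "duplicate GIDs: $(duplicate_gids "$tmp/group" | tr '\n' ' ')"
```

Run against the real files, the same functions take the path of the mapping script and /etc/group; a group reported as missing should be created before the script is applied.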