- Timestamp: Mar 1, 2010, 3:05:48 PM (15 years ago)
- File: 1 edited
branches/samba-3.3.x/docs/htmldocs/Samba3-HOWTO/NetCommand.html
r368 r411 1 <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 13. Remote and Local Management: The Net Command</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.7 5.2"><link rel="home" href="index.html" title="The Official Samba 3.3.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="groupmapping.html" title="Chapter 12. Group Mapping: MS Windows and UNIX"><link rel="next" href="idmapper.html" title="Chapter 14. Identity Mapping (IDMAP)"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 13. Remote and Local Management: The Net Command</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="idmapper.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 13. Remote and Local Management: The Net Command"><div class="titlepage"><div><div><h2 class="title"><a name="NetCommand"></a>Chapter 13. 
Remote and Local Management: The Net Command</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Volker</span> <span class="surname">Lendecke</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:Volker.Lendecke@SerNet.DE">Volker.Lendecke@SerNet.DE</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="surname">Deschner</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:gd@samba.org">gd@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate">May 9, 2005</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="NetCommand.html#id2605091">Overview</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2605385">Administrative Tasks and Methods</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2605466">UNIX and Windows Group Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2605625">Adding, Renaming, or Deletion of Group Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#grpmemshipchg">Manipulating Group Memberships</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#nestedgrpmgmgt">Nested Group Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2606994">UNIX and Windows User 
Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#sbeuseraddn">Adding User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2607206">Deletion of User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2607254">Managing User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2607322">User Mapping</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2607406">Administering User Rights and Privileges</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2607751">Managing Trust Relationships</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2607766">Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2608135">Interdomain Trusts</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2608369">Managing Security Identifiers (SIDS)</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2608591">Share Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2608636">Creating, Editing, and Removing Shares</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2608824">Creating and Changing Share ACLs</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2608854">Share, Directory, and File Migration</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2609477">Printer Migration</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2609728">Controlling Open Files</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2609747">Session and Connection Management</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2609812">Printers and ADS</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2609928">Manipulating the Samba Cache</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2609946">Managing IDMAP UID/SID 
Mappings</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2609990">Creating an IDMAP Database Dump File</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2610025">Restoring the IDMAP Database Dump File</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#netmisc1">Other Miscellaneous Operations</a></span></dt></dl></div><p>2 <a class="indexterm" name="id2 604952"></a>3 <a class="indexterm" name="id2 604959"></a>4 <a class="indexterm" name="id2 604966"></a>5 <a class="indexterm" name="id2 604973"></a>1 <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 13. Remote and Local Management: The Net Command</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.3.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="groupmapping.html" title="Chapter 12. Group Mapping: MS Windows and UNIX"><link rel="next" href="idmapper.html" title="Chapter 14. Identity Mapping (IDMAP)"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 13. Remote and Local Management: The Net Command</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="idmapper.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NetCommand"></a>Chapter 13. 
Remote and Local Management: The Net Command</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="orgname">Samba Team</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Volker</span> <span class="orgname">Samba Team</span> <span class="surname">Lendecke</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:Volker.Lendecke@SerNet.DE">Volker.Lendecke@SerNet.DE</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="orgname">Samba Team</span> <span class="surname">Deschner</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a class="email" href="mailto:gd@samba.org">gd@samba.org</a>></code></p></div></div></div></div><div><p class="pubdate">May 9, 2005</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="NetCommand.html#id2599005">Overview</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2599300">Administrative Tasks and Methods</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2599381">UNIX and Windows Group Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2599539">Adding, Renaming, or Deletion of Group Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#grpmemshipchg">Manipulating Group Memberships</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#nestedgrpmgmgt">Nested Group 
Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2600908">UNIX and Windows User Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#sbeuseraddn">Adding User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2601120">Deletion of User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2601168">Managing User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2601237">User Mapping</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2601320">Administering User Rights and Privileges</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2601665">Managing Trust Relationships</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2601680">Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2602049">Interdomain Trusts</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2602283">Managing Security Identifiers (SIDS)</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2602505">Share Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2602550">Creating, Editing, and Removing Shares</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2602738">Creating and Changing Share ACLs</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2602768">Share, Directory, and File Migration</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2603391">Printer Migration</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2603642">Controlling Open Files</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2603661">Session and Connection Management</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2603727">Printers and ADS</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2603842">Manipulating the 
Samba Cache</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2603860">Managing IDMAP UID/SID Mappings</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2603904">Creating an IDMAP Database Dump File</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2603939">Restoring the IDMAP Database Dump File</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#netmisc1">Other Miscellaneous Operations</a></span></dt></dl></div><p> 2 <a class="indexterm" name="id2598866"></a> 3 <a class="indexterm" name="id2598873"></a> 4 <a class="indexterm" name="id2598880"></a> 5 <a class="indexterm" name="id2598887"></a> 6 6 The <code class="literal">net</code> command is one of the new features of Samba-3 and is an attempt to provide a useful 7 7 tool for the majority of remote management operations necessary for common tasks. The <code class="literal">net</code> 8 8 tool is flexible by design and is intended for command-line use as well as for scripted control application. 9 9 </p><p> 10 <a class="indexterm" name="id2 604999"></a>11 <a class="indexterm" name="id2 605006"></a>12 <a class="indexterm" name="id2 605013"></a>13 <a class="indexterm" name="id2 605020"></a>10 <a class="indexterm" name="id2598913"></a> 11 <a class="indexterm" name="id2598920"></a> 12 <a class="indexterm" name="id2598927"></a> 13 <a class="indexterm" name="id2598934"></a> 14 14 Originally introduced with the intent to mimic the Microsoft Windows command that has the same name, the 15 15 <code class="literal">net</code> command has morphed into a very powerful instrument that has become an essential part … … 23 23 A Samba-3 administrator cannot afford to gloss over this chapter because to do so will almost certainly cause 24 24 the infliction of self-induced pain, agony, and desperation. Be warned: this is an important chapter. 
25 </p><div class="sect1" title="Overview"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2605091"></a>Overview</h2></div></div></div><p>26 <a class="indexterm" name="id2 605099"></a>27 <a class="indexterm" name="id2 605106"></a>28 <a class="indexterm" name="id2 605113"></a>29 <a class="indexterm" name="id2 605119"></a>30 <a class="indexterm" name="id2 605126"></a>31 <a class="indexterm" name="id2 605132"></a>25 </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2599005"></a>Overview</h2></div></div></div><p> 26 <a class="indexterm" name="id2599013"></a> 27 <a class="indexterm" name="id2599020"></a> 28 <a class="indexterm" name="id2599027"></a> 29 <a class="indexterm" name="id2599033"></a> 30 <a class="indexterm" name="id2599040"></a> 31 <a class="indexterm" name="id2599046"></a> 32 32 The tasks that follow the installation of a Samba-3 server, whether standalone or domain member, of a 33 33 domain controller (PDC or BDC) begins with the need to create administrative rights. Of course, the … … 36 36 the central domain authentication backend. 
37 37 </p><p> 38 <a class="indexterm" name="id2 605150"></a>39 <a class="indexterm" name="id2 605157"></a>40 <a class="indexterm" name="id2 605164"></a>41 <a class="indexterm" name="id2 605170"></a>42 <a class="indexterm" name="id2 605177"></a>43 <a class="indexterm" name="id2 605184"></a>44 <a class="indexterm" name="id2 605190"></a>45 <a class="indexterm" name="id2 605197"></a>38 <a class="indexterm" name="id2599064"></a> 39 <a class="indexterm" name="id2599071"></a> 40 <a class="indexterm" name="id2599078"></a> 41 <a class="indexterm" name="id2599085"></a> 42 <a class="indexterm" name="id2599092"></a> 43 <a class="indexterm" name="id2599098"></a> 44 <a class="indexterm" name="id2599105"></a> 45 <a class="indexterm" name="id2599112"></a> 46 46 Regardless of the type of server being installed, local UNIX groups must be mapped to the Windows 47 47 networking domain global group accounts. Do you ask why? Because Samba always limits its access to … … 51 51 Samba. Such mappings are implemented using the <code class="literal">net</code> command. 52 52 </p><p> 53 <a class="indexterm" name="id2 605222"></a>54 <a class="indexterm" name="id2 605229"></a>55 <a class="indexterm" name="id2 605235"></a>56 <a class="indexterm" name="id2 605242"></a>57 <a class="indexterm" name="id2 605249"></a>58 <a class="indexterm" name="id2 605256"></a>59 <a class="indexterm" name="id2 605263"></a>53 <a class="indexterm" name="id2599136"></a> 54 <a class="indexterm" name="id2599143"></a> 55 <a class="indexterm" name="id2599149"></a> 56 <a class="indexterm" name="id2599156"></a> 57 <a class="indexterm" name="id2599163"></a> 58 <a class="indexterm" name="id2599170"></a> 59 <a class="indexterm" name="id2599177"></a> 60 60 UNIX systems that are hosting a Samba-3 server that is running as a member (PDC, BDC, or DMS) must have 61 61 a machine security account in the domain authentication database (or directory). 
The creation of such 62 62 security (or trust) accounts is also handled using the <code class="literal">net</code> command. 63 63 </p><p> 64 <a class="indexterm" name="id2 605283"></a>65 <a class="indexterm" name="id2 605290"></a>66 <a class="indexterm" name="id2 605296"></a>67 <a class="indexterm" name="id2 605303"></a>68 <a class="indexterm" name="id2 605310"></a>69 <a class="indexterm" name="id2 605317"></a>70 <a class="indexterm" name="id2 605324"></a>71 <a class="indexterm" name="id2 605331"></a>72 <a class="indexterm" name="id2 605338"></a>64 <a class="indexterm" name="id2599197"></a> 65 <a class="indexterm" name="id2599204"></a> 66 <a class="indexterm" name="id2599210"></a> 67 <a class="indexterm" name="id2599217"></a> 68 <a class="indexterm" name="id2599224"></a> 69 <a class="indexterm" name="id2599231"></a> 70 <a class="indexterm" name="id2599238"></a> 71 <a class="indexterm" name="id2599245"></a> 72 <a class="indexterm" name="id2599252"></a> 73 73 The establishment of interdomain trusts is achieved using the <code class="literal">net</code> command also, as 74 74 may a plethora of typical administrative duties such as user management, group management, share and 75 75 printer management, file and printer migration, security identifier management, and so on. 76 76 </p><p> 77 <a class="indexterm" name="id2 605358"></a>78 <a class="indexterm" name="id2 605365"></a>77 <a class="indexterm" name="id2599273"></a> 78 <a class="indexterm" name="id2599279"></a> 79 79 The overall picture should be clear now: the <code class="literal">net</code> command plays a central role 80 80 on the Samba-3 stage. This role will continue to be developed. The inclusion of this chapter is 81 81 evidence of its importance, one that has grown in complexity to the point that it is no longer considered 82 82 prudent to cover its use fully in the online UNIX man pages. 
83 </p></div><div class="sect1" title="Administrative Tasks and Methods"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2605385"></a>Administrative Tasks and Methods</h2></div></div></div><p>84 <a class="indexterm" name="id2 605394"></a>85 <a class="indexterm" name="id2 605400"></a>86 <a class="indexterm" name="id2 605407"></a>87 <a class="indexterm" name="id2 605416"></a>83 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2599300"></a>Administrative Tasks and Methods</h2></div></div></div><p> 84 <a class="indexterm" name="id2599308"></a> 85 <a class="indexterm" name="id2599314"></a> 86 <a class="indexterm" name="id2599321"></a> 87 <a class="indexterm" name="id2599330"></a> 88 88 The basic operations of the <code class="literal">net</code> command are documented here. This documentation is not 89 89 exhaustive, and thus it is incomplete. Since the primary focus is on migration from Windows servers to a Samba … … 95 95 <code class="constant">rap</code> modes. Please refer to the man page for a more comprehensive overview of the 96 96 capabilities of this utility. 
97 </p></div><div class="sect1" title="UNIX and Windows Group Management"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2605466"></a>UNIX and Windows Group Management</h2></div></div></div><p>98 <a class="indexterm" name="id2 605475"></a>99 <a class="indexterm" name="id2 605482"></a>100 <a class="indexterm" name="id2 605490"></a>101 <a class="indexterm" name="id2 605499"></a>102 <a class="indexterm" name="id2 605508"></a>97 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2599381"></a>UNIX and Windows Group Management</h2></div></div></div><p> 98 <a class="indexterm" name="id2599389"></a> 99 <a class="indexterm" name="id2599396"></a> 100 <a class="indexterm" name="id2599404"></a> 101 <a class="indexterm" name="id2599413"></a> 102 <a class="indexterm" name="id2599422"></a> 103 103 As stated, the focus in most of this chapter is on use of the <code class="literal">net rpc</code> family of 104 104 operations that are supported by Samba. Most of them are supported by the <code class="literal">net ads</code> … … 107 107 earlier SMB servers. 108 108 </p><p> 109 <a class="indexterm" name="id2 605541"></a>110 <a class="indexterm" name="id2 605547"></a>111 <a class="indexterm" name="id2 605554"></a>109 <a class="indexterm" name="id2599455"></a> 110 <a class="indexterm" name="id2599461"></a> 111 <a class="indexterm" name="id2599468"></a> 112 112 Samba's <code class="literal">net</code> tool implements sufficient capability to permit all common administrative 113 113 tasks to be completed from the command line. In this section each of the essential user and group management 114 114 facilities are explored. 
115 115 </p><p> 116 <a class="indexterm" name="id2 605574"></a>117 <a class="indexterm" name="id2 605581"></a>118 <a class="indexterm" name="id2 605590"></a>119 <a class="indexterm" name="id2 605599"></a>116 <a class="indexterm" name="id2599488"></a> 117 <a class="indexterm" name="id2599495"></a> 118 <a class="indexterm" name="id2599504"></a> 119 <a class="indexterm" name="id2599513"></a> 120 120 Samba-3 recognizes two types of groups: <span class="emphasis"><em>domain groups</em></span> and <span class="emphasis"><em>local 121 121 groups</em></span>. Domain groups can contain (have as members) only domain user accounts. Local groups … … 124 124 The purpose of a local group is to permit file permission to be set for a group account that, like the 125 125 usual UNIX/Linux group, is persistent across redeployment of a Windows file server. 126 </p><div class="sect2" title="Adding, Renaming, or Deletion of Group Accounts"><div class="titlepage"><div><div><h3 class="title"><a name="id2605625"></a>Adding, Renaming, or Deletion of Group Accounts</h3></div></div></div><p>126 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2599539"></a>Adding, Renaming, or Deletion of Group Accounts</h3></div></div></div><p> 127 127 Samba provides file and print services to Windows clients. The file system resources it makes available 128 128 to the Windows environment must, of necessity, be provided in a manner that is compatible with the … … 144 144 show how UNIX group members automatically pass-through to Windows group membership as soon as a logical 145 145 mapping has been created. 
146 </p><div class="sect3" title="Adding or Creating a New Group"><div class="titlepage"><div><div><h4 class="title"><a name="id2605667"></a>Adding or Creating a New Group</h4></div></div></div><p>146 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2599581"></a>Adding or Creating a New Group</h4></div></div></div><p> 147 147 Before attempting to add a Windows group account, the currently available groups can be listed as shown 148 148 here: 149 <a class="indexterm" name="id2 605677"></a>150 <a class="indexterm" name="id2 605688"></a>149 <a class="indexterm" name="id2599591"></a> 150 <a class="indexterm" name="id2599602"></a> 151 151 </p><pre class="screen"> 152 152 <code class="prompt">root# </code> net rpc group list -Uroot%not24get … … 162 162 </pre><p> 163 163 </p><p> 164 A Windows group account called <span class="quote">“<span class="quote">SupportEngrs</span>”</span>can be added by executing the following164 A Windows group account called “<span class="quote">SupportEngrs</span>” can be added by executing the following 165 165 command: 166 <a class="indexterm" name="id2 605724"></a>166 <a class="indexterm" name="id2599638"></a> 167 167 </p><pre class="screen"> 168 168 <code class="prompt">root# </code> net rpc group add "SupportEngrs" -Uroot%not24get … … 184 184 </pre><p> 185 185 </p><p> 186 <a class="indexterm" name="id2 605767"></a>187 <a class="indexterm" name="id2 605774"></a>188 <a class="indexterm" name="id2 605781"></a>186 <a class="indexterm" name="id2599681"></a> 187 <a class="indexterm" name="id2599688"></a> 188 <a class="indexterm" name="id2599695"></a> 189 189 The following demonstrates that the POSIX (UNIX/Linux system account) group has been created by calling 190 190 the <a class="link" href="smb.conf.5.html#ADDGROUPSCRIPT" target="_top">add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"</a> interface … … 206 206 results in immediate mapping of the POSIX group that has been created to the 
Windows group account as shown 207 207 here: 208 <a class="indexterm" name="id2 605827"></a>208 <a class="indexterm" name="id2599741"></a> 209 209 </p><pre class="screen"> 210 210 <code class="prompt">root# </code> net groupmap list … … 219 219 SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs 220 220 </pre><p> 221 </p></div><div class="sect3" title="Mapping Windows Groups to UNIX Groups"><div class="titlepage"><div><div><h4 class="title"><a name="id2605869"></a>Mapping Windows Groups to UNIX Groups</h4></div></div></div><p>222 <a class="indexterm" name="id2 605876"></a>223 <a class="indexterm" name="id2 605883"></a>224 <a class="indexterm" name="id2 605890"></a>225 <a class="indexterm" name="id2 605897"></a>221 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2599783"></a>Mapping Windows Groups to UNIX Groups</h4></div></div></div><p> 222 <a class="indexterm" name="id2599790"></a> 223 <a class="indexterm" name="id2599797"></a> 224 <a class="indexterm" name="id2599804"></a> 225 <a class="indexterm" name="id2599811"></a> 226 226 Windows groups must be mapped to UNIX system (POSIX) groups so that file system access controls 227 227 can be asserted in a manner that is consistent with the methods appropriate to the operating 228 228 system that is hosting the Samba server. 229 229 </p><p> 230 <a class="indexterm" name="id2 605911"></a>231 <a class="indexterm" name="id2 605918"></a>232 <a class="indexterm" name="id2 605924"></a>233 <a class="indexterm" name="id2 605931"></a>230 <a class="indexterm" name="id2599825"></a> 231 <a class="indexterm" name="id2599832"></a> 232 <a class="indexterm" name="id2599838"></a> 233 <a class="indexterm" name="id2599845"></a> 234 234 All file system (file and directory) access controls, within the file system of a UNIX/Linux server that is 235 235 hosting a Samba server, are implemented using a UID/GID identity tuple. 
Samba does not in any way override … … 239 239 command does not call any RPC-functions here but directly accesses the passdb. 240 240 </p><p> 241 <a class="indexterm" name="id2 605956"></a>242 <a class="indexterm" name="id2 605963"></a>243 <a class="indexterm" name="id2 605970"></a>244 <a class="indexterm" name="id2 605977"></a>245 <a class="indexterm" name="id2 605984"></a>246 <a class="indexterm" name="id2 605991"></a>247 <a class="indexterm" name="id2 605998"></a>241 <a class="indexterm" name="id2599871"></a> 242 <a class="indexterm" name="id2599878"></a> 243 <a class="indexterm" name="id2599884"></a> 244 <a class="indexterm" name="id2599891"></a> 245 <a class="indexterm" name="id2599898"></a> 246 <a class="indexterm" name="id2599905"></a> 247 <a class="indexterm" name="id2599912"></a> 248 248 Samba depends on default mappings for the <code class="constant">Domain Admins, Domain Users</code>, and 249 249 <code class="constant">Domain Guests</code> global groups. Additional groups may be added as shown in the … … 252 252 of creation of the mapping. 253 253 </p><p> 254 <a class="indexterm" name="id2 606021"></a>255 <a class="indexterm" name="id2 606033"></a>256 <a class="indexterm" name="id2 606044"></a>254 <a class="indexterm" name="id2599936"></a> 255 <a class="indexterm" name="id2599947"></a> 256 <a class="indexterm" name="id2599958"></a> 257 257 The operations that are permitted include: <code class="constant">add</code>, <code class="constant">modify</code>, 258 258 and <code class="constant">delete</code>. An example of each operation is shown here. 259 </p><div class="note" title="Note"style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>259 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> 260 260 Commencing with Samba-3.0.23 Windows Domain Groups must be explicitly created. By default, all 261 261 UNIX groups are exposed to Windows networking as Windows local groups. 
… … 291 291 treated as local to the individual Samba server. Local groups can be used with Samba to enable multiple 292 292 nested group support. 293 </p></div><div class="sect3" title="Deleting a Group Account"><div class="titlepage"><div><div><h4 class="title"><a name="id2606176"></a>Deleting a Group Account</h4></div></div></div><p>294 <a class="indexterm" name="id260 6184"></a>293 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2600090"></a>Deleting a Group Account</h4></div></div></div><p> 294 <a class="indexterm" name="id2600098"></a> 295 295 A group account may be deleted by executing the following command: 296 296 </p><pre class="screen"> … … 299 299 </p><p> 300 300 Validation of the deletion is advisable. The same commands may be executed as shown above. 301 </p></div><div class="sect3" title="Rename Group Accounts"><div class="titlepage"><div><div><h4 class="title"><a name="id2606216"></a>Rename Group Accounts</h4></div></div></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>301 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2600130"></a>Rename Group Accounts</h4></div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> 302 302 This command is not documented in the man pages; it is implemented in the source code, but it does not 303 303 work at this time. The example given documents, from the source code, how it should work. Watch the … … 306 306 Sometimes it is necessary to rename a group account. Good administrators know how painful some managers' 307 307 demands can be if this simple request is ignored. 
The following command demonstrates how the Windows group 308 <span class="quote">“<span class="quote">SupportEngrs</span>”</span> can be renamed to <span class="quote">“<span class="quote">CustomerSupport</span>”</span>:309 <a class="indexterm" name="id260 6245"></a>308 “<span class="quote">SupportEngrs</span>” can be renamed to “<span class="quote">CustomerSupport</span>”: 309 <a class="indexterm" name="id2600159"></a> 310 310 </p><pre class="screen"> 311 311 <code class="prompt">root# </code> net rpc group rename SupportEngrs \ 312 312 CustomerSupport -Uroot%not24get 313 313 </pre><p> 314 </p></div></div><div class="sect2" title="Manipulating Group Memberships"><div class="titlepage"><div><div><h3 class="title"><a name="grpmemshipchg"></a>Manipulating Group Memberships</h3></div></div></div><p>314 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="grpmemshipchg"></a>Manipulating Group Memberships</h3></div></div></div><p> 315 315 Three operations can be performed regarding group membership. It is possible to (1) add Windows users 316 316 to a Windows group, to (2) delete Windows users from Windows groups, and to (3) list the Windows users that are … … 350 350 group mapping, a member of the Windows group, an attempt to add this account again should fail. This is 351 351 demonstrated here: 352 <a class="indexterm" name="id260 6376"></a>352 <a class="indexterm" name="id2600290"></a> 353 353 </p><pre class="screen"> 354 354 <code class="prompt">root# </code> net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot%not24get … … 360 360 To permit the user <code class="constant">ajt</code> to be added using the <code class="literal">net rpc group</code> utility, 361 361 this account must first be removed. 
The removal and confirmation of its effect is shown here: 362 <a class="indexterm" name="id260 6418"></a>362 <a class="indexterm" name="id2600332"></a> 363 363 </p><pre class="screen"> 364 364 <code class="prompt">root# </code> net rpc group delmem "MIDEARTH\Engineers" ajt -Uroot%not24get … … 384 384 the <code class="literal">net rpc group</code> utility. Note the this contents of the UNIX/Linux group was shown 385 385 four paragraphs earlier. The Windows (domain) group membership is shown here: 386 <a class="indexterm" name="id260 6515"></a>386 <a class="indexterm" name="id2600429"></a> 387 387 </p><pre class="screen"> 388 388 <code class="prompt">root# </code> net rpc group members "Domain Users" -Uroot%not24get … … 403 403 MIDEARTH\vlendecke 404 404 </pre><p> 405 </p><div class="note" title="Note"style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>405 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> 406 406 An attempt to specify the group name as <code class="constant">MIDEARTH\Domain Users</code> in place of 407 407 just simply <code class="constant">Domain Users</code> will fail. The default behavior of the net rpc group … … 409 409 If it is necessary to query another machine, its name can be specified using the <code class="constant">-S 410 410 servername</code> parameter to the <code class="literal">net</code> command. 411 </p></div></div><div class="sect2" title="Nested Group Support"><div class="titlepage"><div><div><h3 class="title"><a name="nestedgrpmgmgt"></a>Nested Group Support</h3></div></div></div><p>411 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="nestedgrpmgmgt"></a>Nested Group Support</h3></div></div></div><p> 412 412 It is possible in Windows (and now in Samba also) to create a local group that has members (contains), 413 413 domain users, and domain global groups. 
Creation of the local group <code class="constant">demo</code> is … … 422 422 Addition and removal of group members can be achieved using the <code class="constant">addmem</code> and 423 423 <code class="constant">delmem</code> subcommands of <code class="literal">net rpc group</code> command. For example, 424 addition of <span class="quote">“<span class="quote">DOM\Domain Users</span>”</span>to the local group <code class="constant">demo</code> would be424 addition of “<span class="quote">DOM\Domain Users</span>” to the local group <code class="constant">demo</code> would be 425 425 done by executing: 426 426 </p><pre class="screen"> … … 441 441 <code class="prompt">root# </code> net rpc group delmem demo "DOM\jht" -Uroot%not24get 442 442 </pre><p> 443 </p><div class="sect3" title="Managing Nest Groups on Workstations from the Samba Server"><div class="titlepage"><div><div><h4 class="title"><a name="id2606695"></a>Managing Nest Groups on Workstations from the Samba Server</h4></div></div></div><p>443 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2600610"></a>Managing Nest Groups on Workstations from the Samba Server</h4></div></div></div><p> 444 444 Windows network administrators often ask on the Samba mailing list how it is possible to grant everyone 445 445 administrative rights on their own workstation. This is of course a very bad practice, but commonly done 446 446 to avoid user complaints. Here is how it can be done remotely from a Samba PDC or BDC: 447 <a class="indexterm" name="id260 6709"></a>447 <a class="indexterm" name="id2600623"></a> 448 448 </p><pre class="screen"> 449 449 <code class="prompt">root# </code> net rpc group addmem "Administrators" "Domain Users" \ … … 453 453 This can be scripted, and can therefore be performed as a user logs onto the domain from a Windows 454 454 workstation. Here is a simple example that shows how this can be done. 455 </p><div class="procedure" title="Procedure 13.1. 
Automating User Addition to the Workstation Power Users Group"><a name="id2606741"></a><p class="title"><b>Procedure 13.1. Automating User Addition to the Workstation Power Users Group</b></p><div class="example"><a name="autopoweruserscript"></a><p class="title"><b>Example 13.1. Script to Auto-add Domain Users to Workstation Power Users Group</b></p><div class="example-contents"><pre class="screen">455 </p><div class="procedure"><a name="id2600655"></a><p class="title"><b>Procedure 13.1. Automating User Addition to the Workstation Power Users Group</b></p><div class="example"><a name="autopoweruserscript"></a><p class="title"><b>Example 13.1. Script to Auto-add Domain Users to Workstation Power Users Group</b></p><div class="example-contents"><pre class="screen"> 456 456 #!/bin/bash 457 457 … … 460 460 461 461 exit 0 462 </pre></div></div><br class="example-break"><div class="example"><a name="magicnetlogon"></a><p class="title"><b>Example 13.2. A Magic Netlogon Share</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2606896"></a><em class="parameter"><code>comment = Netlogon Share</code></em></td></tr><tr><td><a class="indexterm" name="id2606908"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2606920"></a><em class="parameter"><code>root preexec = /etc/samba/scripts/autopoweruser.sh %U %m</code></em></td></tr><tr><td><a class="indexterm" name="id2606932"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2606944"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div></div><br class="example-break"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>462 </pre></div></div><br class="example-break"><div class="example"><a 
name="magicnetlogon"></a><p class="title"><b>Example 13.2. A Magic Netlogon Share</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2600811"></a><em class="parameter"><code>comment = Netlogon Share</code></em></td></tr><tr><td><a class="indexterm" name="id2600822"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2600834"></a><em class="parameter"><code>root preexec = /etc/samba/scripts/autopoweruser.sh %U %m</code></em></td></tr><tr><td><a class="indexterm" name="id2600846"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2600858"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div></div><br class="example-break"><ol type="1"><li><p> 463 463 Create the script shown in <a class="link" href="NetCommand.html#autopoweruserscript" title="Example 13.1. Script to Auto-add Domain Users to Workstation Power Users Group">“Script to Auto-add Domain Users to Workstation Power Users Group”</a> and locate it in 464 464 the directory <code class="filename">/etc/samba/scripts</code>, named as <code class="filename">autopoweruser.sh</code>. 
465 <a class="indexterm" name="id260 6773"></a>466 <a class="indexterm" name="id260 6784"></a>467 <a class="indexterm" name="id260 6791"></a>468 </p></li><li class="step" title="Step 2"><p>465 <a class="indexterm" name="id2600687"></a> 466 <a class="indexterm" name="id2600698"></a> 467 <a class="indexterm" name="id2600705"></a> 468 </p></li><li><p> 469 469 Set the permissions on this script to permit it to be executed as part of the logon process: 470 470 </p><pre class="screen"> … … 472 472 <code class="prompt">root# </code> chmod 755 /etc/samba/autopoweruser.sh 473 473 </pre><p> 474 </p></li><li class="step" title="Step 3"><p>474 </p></li><li><p> 475 475 Modify the <code class="filename">smb.conf</code> file so the <code class="literal">NETLOGON</code> stanza contains the parameters 476 476 shown in <a class="link" href="NetCommand.html#magicnetlogon" title="Example 13.2. A Magic Netlogon Share">the Netlogon Example smb.conf file</a>. 477 </p></li><li class="step" title="Step 4"><p>477 </p></li><li><p> 478 478 Ensure that every Windows workstation Administrator account has the same password that you 479 479 have used in the script shown in <a class="link" href="NetCommand.html#magicnetlogon" title="Example 13.2. A Magic Netlogon Share">the Netlogon Example smb.conf … … 485 485 for the use of this method is that it will guarantee that all users have appropriate rights on 486 486 the workstation. 
487 </p></div></div></div><div class="sect1" title="UNIX and Windows User Management"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2606994"></a>UNIX and Windows User Management</h2></div></div></div><p>488 <a class="indexterm" name="id260 7002"></a>489 <a class="indexterm" name="id260 7009"></a>490 <a class="indexterm" name="id260 7016"></a>491 <a class="indexterm" name="id260 7023"></a>492 <a class="indexterm" name="id260 7030"></a>493 <a class="indexterm" name="id260 7036"></a>494 <a class="indexterm" name="id260 7043"></a>495 <a class="indexterm" name="id260 7050"></a>487 </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2600908"></a>UNIX and Windows User Management</h2></div></div></div><p> 488 <a class="indexterm" name="id2600917"></a> 489 <a class="indexterm" name="id2600923"></a> 490 <a class="indexterm" name="id2600930"></a> 491 <a class="indexterm" name="id2600937"></a> 492 <a class="indexterm" name="id2600944"></a> 493 <a class="indexterm" name="id2600950"></a> 494 <a class="indexterm" name="id2600958"></a> 495 <a class="indexterm" name="id2600964"></a> 496 496 Every Windows network user account must be translated to a UNIX/Linux user account. In actual fact, 497 497 the only account information the UNIX/Linux Samba server needs is a UID. The UID is available either … … 504 504 different name. Refer to the man page for the <code class="filename">smb.conf</code> file for more information regarding this 505 505 facility. User name mappings cannot be managed using the <code class="literal">net</code> utility. 
506 </p><div class="sect2" title="Adding User Accounts"><div class="titlepage"><div><div><h3 class="title"><a name="sbeuseraddn"></a>Adding User Accounts</h3></div></div></div><p>506 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbeuseraddn"></a>Adding User Accounts</h3></div></div></div><p> 507 507 The syntax for adding a user account via the <code class="literal">net</code> (according to the man page) is shown 508 508 here: … … 517 517 </p><p> 518 518 The following demonstrates the addition of an account to the server <code class="constant">FRODO</code>: 519 <a class="indexterm" name="id260 7148"></a>520 <a class="indexterm" name="id260 7159"></a>519 <a class="indexterm" name="id2601062"></a> 520 <a class="indexterm" name="id2601073"></a> 521 521 </p><pre class="screen"> 522 522 <code class="prompt">root# </code> net rpc user add jacko -S FRODO -Uroot%not24get … … 529 529 -S FRODO -Uroot%not24get 530 530 </pre><p> 531 </p></div><div class="sect2" title="Deletion of User Accounts"><div class="titlepage"><div><div><h3 class="title"><a name="id2607206"></a>Deletion of User Accounts</h3></div></div></div><p>531 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2601120"></a>Deletion of User Accounts</h3></div></div></div><p> 532 532 Deletion of a user account can be done using the following syntax: 533 533 </p><pre class="screen"> … … 535 535 </pre><p> 536 536 The following command will delete the user account <code class="constant">jacko</code>: 537 <a class="indexterm" name="id260 7228"></a>537 <a class="indexterm" name="id2601142"></a> 538 538 </p><pre class="screen"> 539 539 <code class="prompt">root# </code> net rpc user delete jacko -Uroot%not24get 540 540 Deleted user account 541 541 </pre><p> 542 </p></div><div class="sect2" title="Managing User Accounts"><div class="titlepage"><div><div><h3 class="title"><a name="id2607254"></a>Managing User 
Accounts</h3></div></div></div><p>542 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2601168"></a>Managing User Accounts</h3></div></div></div><p> 543 543 Two basic user account operations are routinely used: change of password and querying which groups a user 544 544 is a member of. The change of password operation is shown in <a class="link" href="NetCommand.html#sbeuseraddn" title="Adding User Accounts">“Adding User Accounts”</a>. … … 546 546 The ability to query Windows group membership can be essential. Here is how a remote server may be 547 547 interrogated to find which groups a user is a member of: 548 <a class="indexterm" name="id260 7277"></a>548 <a class="indexterm" name="id2601191"></a> 549 549 </p><pre class="screen"> 550 550 <code class="prompt">root# </code> net rpc user info jacko -S SAURON -Uroot%not24get … … 559 559 </p><p> 560 560 It is also possible to rename user accounts: 561 <a class="indexterm" name="id260 7306"></a>oldusername newusername561 <a class="indexterm" name="id2601221"></a>oldusername newusername 562 562 Note that this operation does not yet work against Samba Servers. It is, however, possible to rename useraccounts on 563 563 Windows Servers. 
564 564 565 </p></div><div class="sect2" title="User Mapping"><div class="titlepage"><div><div><h3 class="title"><a name="id2607322"></a>User Mapping</h3></div></div></div><p>566 <a class="indexterm" name="id260 7330"></a>567 <a class="indexterm" name="id260 7337"></a>568 <a class="indexterm" name="id260 7344"></a>565 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2601237"></a>User Mapping</h3></div></div></div><p> 566 <a class="indexterm" name="id2601244"></a> 567 <a class="indexterm" name="id2601251"></a> 568 <a class="indexterm" name="id2601258"></a> 569 569 In some situations it is unavoidable that a user's Windows logon name will differ from the login ID 570 570 that user has on the Samba server. It is possible to create a special file on the Samba server that … … 579 579 marygee: geeringm 580 580 </pre><p> 581 In this example the Windows user account <span class="quote">“<span class="quote">William Parsons</span>”</span>will be mapped to the UNIX user582 <code class="constant">parsonsw</code>, and the Windows user account <span class="quote">“<span class="quote">geeringm</span>”</span>will be mapped to the581 In this example the Windows user account “<span class="quote">William Parsons</span>” will be mapped to the UNIX user 582 <code class="constant">parsonsw</code>, and the Windows user account “<span class="quote">geeringm</span>” will be mapped to the 583 583 UNIX user <code class="constant">marygee</code>. 
584 </p></div></div><div class="sect1" title="Administering User Rights and Privileges"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2607406"></a>Administering User Rights and Privileges</h2></div></div></div><p>585 <a class="indexterm" name="id260 7414"></a>586 <a class="indexterm" name="id260 7421"></a>587 <a class="indexterm" name="id260 7428"></a>588 <a class="indexterm" name="id260 7435"></a>589 <a class="indexterm" name="id260 7442"></a>584 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2601320"></a>Administering User Rights and Privileges</h2></div></div></div><p> 585 <a class="indexterm" name="id2601328"></a> 586 <a class="indexterm" name="id2601335"></a> 587 <a class="indexterm" name="id2601342"></a> 588 <a class="indexterm" name="id2601349"></a> 589 <a class="indexterm" name="id2601356"></a> 590 590 With all versions of Samba earlier than 3.0.11 the only account on a Samba server that could 591 591 manage users, groups, shares, printers, and such was the <code class="constant">root</code> account. This caused … … 593 593 credentials for the most security-sensitive account on a UNIX/Linux system. 594 594 </p><p> 595 <a class="indexterm" name="id260 7461"></a>596 <a class="indexterm" name="id260 7468"></a>597 <a class="indexterm" name="id260 7475"></a>598 <a class="indexterm" name="id260 7482"></a>599 <a class="indexterm" name="id260 7489"></a>595 <a class="indexterm" name="id2601375"></a> 596 <a class="indexterm" name="id2601383"></a> 597 <a class="indexterm" name="id2601389"></a> 598 <a class="indexterm" name="id2601396"></a> 599 <a class="indexterm" name="id2601404"></a> 600 600 New to Samba version 3.0.11 is the ability to delegate administrative privileges as necessary to either 601 601 a normal user or to groups of users. 
The significance of the administrative privileges is documented 602 602 in <a class="link" href="rights.html" title="Chapter 15. User Rights and Privileges">“User Rights and Privileges”</a>. Examples of use of the <code class="literal">net</code> for user rights and privilege 603 603 management is appropriate to this chapter. 604 </p><div class="note" title="Note"style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>604 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> 605 605 When user rights and privileges are correctly set, there is no longer a need for a Windows 606 606 network account for the <code class="constant">root</code> user (nor for any synonym of it) with a UNIX UID=0. … … 633 633 The <code class="literal">net</code> command can be used to obtain the currently supported capabilities for rights 634 634 and privileges using this method: 635 <a class="indexterm" name="id260 7563"></a>636 <a class="indexterm" name="id260 7570"></a>637 <a class="indexterm" name="id260 7577"></a>638 <a class="indexterm" name="id260 7584"></a>639 <a class="indexterm" name="id260 7591"></a>640 <a class="indexterm" name="id260 7598"></a>641 <a class="indexterm" name="id260 7605"></a>642 <a class="indexterm" name="id260 7612"></a>643 <a class="indexterm" name="id260 7619"></a>635 <a class="indexterm" name="id2601477"></a> 636 <a class="indexterm" name="id2601484"></a> 637 <a class="indexterm" name="id2601491"></a> 638 <a class="indexterm" name="id2601498"></a> 639 <a class="indexterm" name="id2601505"></a> 640 <a class="indexterm" name="id2601512"></a> 641 <a class="indexterm" name="id2601519"></a> 642 <a class="indexterm" name="id2601526"></a> 643 <a class="indexterm" name="id2601533"></a> 644 644 </p><pre class="screen"> 645 645 <code class="prompt">root# </code> net rpc rights list -U root%not24get … … 660 660 idea since members of this group are generally expected to be all-powerful. 
This assignment makes that 661 661 the reality: 662 <a class="indexterm" name="id260 7665"></a>662 <a class="indexterm" name="id2601579"></a> 663 663 </p><pre class="screen"> 664 664 <code class="prompt">root# </code> net rpc rights grant "MIDEARTH\Domain Admins" \ … … 679 679 </p><p> 680 680 The following step permits validation of the changes just made: 681 <a class="indexterm" name="id260 7716"></a>681 <a class="indexterm" name="id2601630"></a> 682 682 </p><pre class="screen"> 683 683 <code class="prompt">root# </code> net rpc rights list accounts -U root%not24get … … 713 713 SeDiskOperatorPrivilege 714 714 </pre><p> 715 </p></div><div class="sect1" title="Managing Trust Relationships"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2607751"></a>Managing Trust Relationships</h2></div></div></div><p>715 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2601665"></a>Managing Trust Relationships</h2></div></div></div><p> 716 716 There are essentially two types of trust relationships: the first is between domain controllers and domain 717 717 member machines (network clients), the second is between domains (called interdomain trusts). All 718 718 Samba servers that participate in domain security require a domain membership trust account, as do like 719 719 Windows NT/200x/XP workstations. 720 </p><div class="sect2" title="Machine Trust Accounts"><div class="titlepage"><div><div><h3 class="title"><a name="id2607766"></a>Machine Trust Accounts</h3></div></div></div><p>720 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2601680"></a>Machine Trust Accounts</h3></div></div></div><p> 721 721 The net command looks in the <code class="filename">smb.conf</code> file to obtain its own configuration settings. Thus, the following 722 722 command 'knows' which domain to join from the <code class="filename">smb.conf</code> file. 
723 723 </p><p> 724 724 A Samba server domain trust account can be validated as shown in this example: 725 <a class="indexterm" name="id260 7793"></a>725 <a class="indexterm" name="id2601707"></a> 726 726 </p><pre class="screen"> 727 727 <code class="prompt">root# </code> net rpc testjoin … … 736 736 </p><p> 737 737 The equivalent command for joining a Samba server to a Windows ADS domain is shown here: 738 <a class="indexterm" name="id260 7830"></a>738 <a class="indexterm" name="id2601745"></a> 739 739 </p><pre class="screen"> 740 740 <code class="prompt">root# </code> net ads testjoin … … 751 751 The following demonstrates the process of creating a machine trust account in the target domain for the 752 752 Samba server from which the command is executed: 753 <a class="indexterm" name="id260 7876"></a>753 <a class="indexterm" name="id2601790"></a> 754 754 </p><pre class="screen"> 755 755 <code class="prompt">root# </code> net rpc join -S FRODO -Uroot%not24get … … 766 766 purely as a workstation, in which case the S is replaced with a W (indicating a workstation account). The 767 767 following command can be used to affect this: 768 <a class="indexterm" name="id260 7920"></a>768 <a class="indexterm" name="id2601834"></a> 769 769 </p><pre class="screen"> 770 770 <code class="prompt">root# </code> net rpc join member -S FRODO -Uroot%not24get … … 774 774 the type is deduced from the <code class="filename">smb.conf</code> file configuration. To specifically join as a PDC or BDC, the 775 775 command-line parameter will be <code class="constant">[PDC | BDC]</code>. 
For example: 776 <a class="indexterm" name="id260 7960"></a>776 <a class="indexterm" name="id2601875"></a> 777 777 </p><pre class="screen"> 778 778 <code class="prompt">root# </code> net rpc join bdc -S FRODO -Uroot%not24get … … 782 782 </p><p> 783 783 The command to join a Samba server to a Windows ADS domain is shown here: 784 <a class="indexterm" name="id260 7996"></a>784 <a class="indexterm" name="id2601910"></a> 785 785 </p><pre class="screen"> 786 786 <code class="prompt">root# </code> net ads join -UAdministrator%not24get … … 793 793 either. Inactive domain member accounts can be removed using any convenient tool. If necessary, the 794 794 machine account can be removed using the following <code class="literal">net</code> command: 795 <a class="indexterm" name="id260 8036"></a>795 <a class="indexterm" name="id2601950"></a> 796 796 </p><pre class="screen"> 797 797 <code class="prompt">root# </code> net rpc user delete HERRING\$ -Uroot%not24get … … 803 803 A Samba-3 server that is a Windows ADS domain member can execute the following command to detach from the 804 804 domain: 805 <a class="indexterm" name="id260 8068"></a>805 <a class="indexterm" name="id2601983"></a> 806 806 </p><pre class="screen"> 807 807 <code class="prompt">root# </code> net ads leave … … 810 810 Detailed information regarding an ADS domain can be obtained by a Samba DMS machine by executing the 811 811 following: 812 <a class="indexterm" name="id260 8096"></a>812 <a class="indexterm" name="id2602011"></a> 813 813 </p><pre class="screen"> 814 814 <code class="prompt">root# </code> net ads status 815 815 </pre><p> 816 The volume of information is extensive. Please refer to the book <span class="quote">“<span class="quote">Samba-3 by Example</span>”</span>,816 The volume of information is extensive. Please refer to the book “<span class="quote">Samba-3 by Example</span>”, 817 817 Chapter 7 for more information regarding its use. 
This book may be obtained either in print or online from 818 818 the <a class="ulink" href="http://www.samba.org/samba/docs/Samba3-ByExample.pdf" target="_top">Samba-3 by Example</a>. 819 </p></div><div class="sect2" title="Interdomain Trusts"><div class="titlepage"><div><div><h3 class="title"><a name="id2608135"></a>Interdomain Trusts</h3></div></div></div><p>819 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2602049"></a>Interdomain Trusts</h3></div></div></div><p> 820 820 Interdomain trust relationships form the primary mechanism by which users from one domain can be granted 821 821 access rights and privileges in another domain. 822 822 </p><p> 823 823 To discover what trust relationships are in effect, execute this command: 824 <a class="indexterm" name="id260 8150"></a>824 <a class="indexterm" name="id2602064"></a> 825 825 </p><pre class="screen"> 826 826 <code class="prompt">root# </code> net rpc trustdom list -Uroot%not24get … … 838 838 create a trusted connection with this account. That means that the foreign domain is being trusted 839 839 to access resources in the local domain. This command creates the local trust account: 840 <a class="indexterm" name="id260 8184"></a>840 <a class="indexterm" name="id2602098"></a> 841 841 </p><pre class="screen"> 842 842 <code class="prompt">root# </code> net rpc trustdom add DAMNATION f00db4r -Uroot%not24get … … 851 851 </p><p> 852 852 If the trusting domain is not capable of being reached, the following command will fail: 853 <a class="indexterm" name="id260 8235"></a>853 <a class="indexterm" name="id2602149"></a> 854 854 </p><pre class="screen"> 855 855 <code class="prompt">root# </code> net rpc trustdom list -Uroot%not24get … … 877 877 the foreign account. In the process it creates a one-way trust to the resources on the remote domain. 
This 878 878 command achieves the objective of joining the trust relationship: 879 <a class="indexterm" name="id260 8279"></a>879 <a class="indexterm" name="id2602193"></a> 880 880 </p><pre class="screen"> 881 881 <code class="prompt">root# </code> net rpc trustdom establish DAMNATION … … 898 898 Sometimes it is necessary to remove the ability for local users to access a foreign domain. The trusting 899 899 connection can be revoked as shown here: 900 <a class="indexterm" name="id260 8327"></a>900 <a class="indexterm" name="id2602241"></a> 901 901 </p><pre class="screen"> 902 902 <code class="prompt">root# </code> net rpc trustdom revoke DAMNATION -Uroot%not24get … … 908 908 </pre><p> 909 909 910 </p></div></div><div class="sect1" title="Managing Security Identifiers (SIDS)"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2608369"></a>Managing Security Identifiers (SIDS)</h2></div></div></div><p>911 <a class="indexterm" name="id260 8377"></a>912 <a class="indexterm" name="id260 8384"></a>913 <a class="indexterm" name="id260 8390"></a>914 <a class="indexterm" name="id260 8397"></a>915 <a class="indexterm" name="id260 8404"></a>910 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2602283"></a>Managing Security Identifiers (SIDS)</h2></div></div></div><p> 911 <a class="indexterm" name="id2602291"></a> 912 <a class="indexterm" name="id2602298"></a> 913 <a class="indexterm" name="id2602305"></a> 914 <a class="indexterm" name="id2602312"></a> 915 <a class="indexterm" name="id2602318"></a> 916 916 The basic security identifier that is used by all Windows networking operations is the Windows security 917 917 identifier (SID). All Windows network machines (servers and workstations), users, and groups are … … 919 919 are specific to the SID of the domain to which the user belongs. 
920 920 </p><p> 921 <a class="indexterm" name="id260 8421"></a>922 <a class="indexterm" name="id260 8428"></a>923 <a class="indexterm" name="id260 8434"></a>924 <a class="indexterm" name="id260 8441"></a>921 <a class="indexterm" name="id2602335"></a> 922 <a class="indexterm" name="id2602342"></a> 923 <a class="indexterm" name="id2602348"></a> 924 <a class="indexterm" name="id2602355"></a> 925 925 It is truly prudent to store the machine and/or domain SID in a file for safekeeping. Why? Because 926 926 a change in hostname or in the domain (workgroup) name may result in a change in the SID. When you … … 930 930 First, do not forget to store the local SID in a file. It is a good idea to put this in the directory 931 931 in which the <code class="filename">smb.conf</code> file is also stored. Here is a simple action to achieve this: 932 <a class="indexterm" name="id260 8467"></a>932 <a class="indexterm" name="id2602381"></a> 933 933 </p><pre class="screen"> 934 934 <code class="prompt">root# </code> net getlocalsid > /etc/samba/my-sid … … 946 946 file, simply copy the SID (the string of characters that begins with <code class="constant">S-1-5-21</code>) to 947 947 the command line shown here: 948 <a class="indexterm" name="id260 8529"></a>948 <a class="indexterm" name="id2602443"></a> 949 949 </p><pre class="screen"> 950 950 <code class="prompt">root# </code> net setlocalsid S-1-5-21-1385457007-882775198-1210191635 … … 957 957 any potential namespace collision. Here is the way that the BDC SID can be synchronized to that 958 958 of the PDC (this is the default NT4 domain practice also): 959 <a class="indexterm" name="id260 8561"></a>959 <a class="indexterm" name="id2602475"></a> 960 960 </p><pre class="screen"> 961 961 <code class="prompt">root# </code> net rpc getsid -S FRODO -Uroot%not24get … … 965 965 Usually it is not necessary to specify the target server (-S FRODO) or the administrator account 966 966 credentials (-Uroot%not24get). 
967 </p></div><div class="sect1" title="Share Management"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2608591"></a>Share Management</h2></div></div></div><p>967 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2602505"></a>Share Management</h2></div></div></div><p> 968 968 Share management is central to all file serving operations. Typical share operations include: 969 </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Creation/change/deletion of shares</p></li><li class="listitem"><p>Setting/changing ACLs on shares</p></li><li class="listitem"><p>Moving shares from one server to another</p></li><li class="listitem"><p>Change of permissions of share contents</p></li></ul></div><p>969 </p><div class="itemizedlist"><ul type="disc"><li><p>Creation/change/deletion of shares</p></li><li><p>Setting/changing ACLs on shares</p></li><li><p>Moving shares from one server to another</p></li><li><p>Change of permissions of share contents</p></li></ul></div><p> 970 970 Each of these are dealt with here insofar as they involve the use of the <code class="literal">net</code> 971 971 command. Operations outside of this command are covered elsewhere in this document. 972 </p><div class="sect2" title="Creating, Editing, and Removing Shares"><div class="titlepage"><div><div><h3 class="title"><a name="id2608636"></a>Creating, Editing, and Removing Shares</h3></div></div></div><p>972 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2602550"></a>Creating, Editing, and Removing Shares</h3></div></div></div><p> 973 973 A share can be added using the <code class="literal">net rpc share</code> command capabilities. 974 974 The target machine may be local or remote and is specified by the -S option. It must be noted … … 983 983 file system is the directory <code class="filename">/data</code>. 
The command that can be executed to perform the 984 984 addition of this share is shown here: 985 <a class="indexterm" name="id260 8732"></a>985 <a class="indexterm" name="id2602646"></a> 986 986 </p><pre class="screen"> 987 987 <code class="prompt">root# </code> net rpc share add Bulge=/data -S MERLIN -Uroot%not24get … … 1004 1004 Often it is desirable also to permit a share to be removed using a command-line tool. 1005 1005 The following step permits the share that was previously added to be removed: 1006 <a class="indexterm" name="id260 8783"></a>1006 <a class="indexterm" name="id2602698"></a> 1007 1007 </p><pre class="screen"> 1008 1008 <code class="prompt">root# </code> net rpc share delete Bulge -S MERLIN -Uroot%not24get … … 1020 1020 kyocera 1021 1021 </pre><p> 1022 </p></div><div class="sect2" title="Creating and Changing Share ACLs"><div class="titlepage"><div><div><h3 class="title"><a name="id2608824"></a>Creating and Changing Share ACLs</h3></div></div></div><p>1022 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2602738"></a>Creating and Changing Share ACLs</h3></div></div></div><p> 1023 1023 At this time the <code class="literal">net</code> tool cannot be used to manage ACLs on Samba shares. In MS Windows 1024 1024 language this is called Share Permissions. … … 1027 1027 or using the Computer Management MMC snap-in. Neither is covered here, 1028 1028 but see <a class="link" href="AccessControls.html" title="Chapter 16. File, Directory, and Share Access Controls">“File, Directory, and Share Access Controls”</a>. 
1029 </p></div><div class="sect2" title="Share, Directory, and File Migration"><div class="titlepage"><div><div><h3 class="title"><a name="id2608854"></a>Share, Directory, and File Migration</h3></div></div></div><p>1030 <a class="indexterm" name="id260 8862"></a>1029 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2602768"></a>Share, Directory, and File Migration</h3></div></div></div><p> 1030 <a class="indexterm" name="id2602776"></a> 1031 1031 Shares and files can be migrated in the same manner as user, machine, and group accounts. 1032 1032 It is possible to preserve access control settings (ACLs) as well as security settings … … 1059 1059 </p><p> 1060 1060 There are two known limitations to the migration process: 1061 </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>1061 </p><div class="orderedlist"><ol type="1"><li><p> 1062 1062 The <code class="literal">net</code> command requires that the user credentials provided exist on both 1063 1063 the migration source and the migration target. 1064 </p></li><li class="listitem"><p>1064 </p></li><li><p> 1065 1065 Printer settings may not be fully or may be incorrectly migrated. This might in particular happen 1066 1066 when migrating a Windows 2003 print server to Samba. 1067 </p></li></ol></div><div class="sect3" title="Share Migration"><div class="titlepage"><div><div><h4 class="title"><a name="id2608964"></a>Share Migration</h4></div></div></div><p>1067 </p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2602878"></a>Share Migration</h4></div></div></div><p> 1068 1068 The <code class="literal">net rpc share migrate</code> command operation permits the migration of plain 1069 1069 share stanzas. A stanza contains the parameters within which a file or print share are defined. 
… … 1092 1092 large list of available shares on the system that is being migrated can be limited using the 1093 1093 <em class="parameter"><code>--exclude</code></em> switch. For example: 1094 <a class="indexterm" name="id260 9077"></a>1094 <a class="indexterm" name="id2602992"></a> 1095 1095 </p><pre class="screen"> 1096 1096 <code class="prompt">root# </code> net rpc share migrate shares myshare\ … … 1105 1105 to validate that the migrated accounts (on the Samba server) have the needed rights and privileges. 1106 1106 This can be done as shown here: 1107 <a class="indexterm" name="id260 9132"></a>1107 <a class="indexterm" name="id2603046"></a> 1108 1108 </p><pre class="screen"> 1109 1109 <code class="prompt">root# </code> net rpc right list accounts -Uroot%not24get … … 1111 1111 The steps taken so far perform only the migration of shares. Directories and directory contents 1112 1112 are not migrated by the steps covered up to this point. 1113 </p></div><div class="sect3" title="File and Directory Migration"><div class="titlepage"><div><div><h4 class="title"><a name="id2609160"></a>File and Directory Migration</h4></div></div></div><p>1113 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2603074"></a>File and Directory Migration</h4></div></div></div><p> 1114 1114 Everything covered to this point has been done in preparation for the migration of file and directory 1115 1115 data. For many people preparation is potentially boring and the real excitement only begins when file … … 1148 1148 <em class="parameter"><code>--timestamps</code></em> switch, and the DOS file attributes (i.e., hidden, archive, etc.) can 1149 1149 be preserved by specifying the <em class="parameter"><code>--attrs</code></em> switch. 
1150 </p><div class="note" title="Note"style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>1150 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> 1151 1151 The ability to preserve ACLs depends on appropriate support for ACLs as well as the general file system 1152 1152 semantics of the host operating system on the target server. A migration from one Windows file server to … … 1162 1162 An example for migration of files from a machine called <code class="constant">nt4box</code> to the Samba server 1163 1163 from which the process will be handled is shown here: 1164 <a class="indexterm" name="id260 9336"></a>1164 <a class="indexterm" name="id2603250"></a> 1165 1165 </p><pre class="screen"> 1166 1166 <code class="prompt">root# </code> net rpc share migrate files -S nt4box --acls \ … … 1171 1171 <code class="constant">nt4box</code> to the Samba server from which migration is initiated. Files that are group-owned 1172 1172 will be owned by the user account <code class="constant">administrator</code>. 1173 </p></div><div class="sect3" title="Share-ACL Migration"><div class="titlepage"><div><div><h4 class="title"><a name="id2609375"></a>Share-ACL Migration</h4></div></div></div><p>1173 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2603290"></a>Share-ACL Migration</h4></div></div></div><p> 1174 1174 It is possible to have share-ACLs (security descriptors) that won't allow you, even as Administrator, to 1175 1175 copy any files or directories into it. 
Therefor the migration of the share-ACLs has been put into a separate 1176 1176 function: 1177 <a class="indexterm" name="id260 9387"></a>1177 <a class="indexterm" name="id2603301"></a> 1178 1178 </p><pre class="screen"> 1179 1179 <code class="prompt">root# </code> net rpc share migrate security -S nt4box -U administrator%secret … … 1181 1181 </p><p> 1182 1182 This command will only copy the share-ACL of each share on nt4box to your local samba-system. 1183 </p></div><div class="sect3" title="Simultaneous Share and File Migration"><div class="titlepage"><div><div><h4 class="title"><a name="id2609418"></a>Simultaneous Share and File Migration</h4></div></div></div><p>1183 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2603332"></a>Simultaneous Share and File Migration</h4></div></div></div><p> 1184 1184 The operating mode shown here is just a combination of the previous three. It first migrates 1185 1185 share definitions and then all shared files and directories and finally migrates the share-ACLs: … … 1190 1190 </p><p> 1191 1191 An example of simultaneous migration is shown here: 1192 <a class="indexterm" name="id260 9443"></a>1192 <a class="indexterm" name="id2603357"></a> 1193 1193 </p><pre class="screen"> 1194 1194 <code class="prompt">root# </code> net rpc share migrate all -S w2k3server -U administrator%secret 1195 1195 </pre><p> 1196 1196 This will generate a complete server clone of the <em class="parameter"><code>w2k3server</code></em> server. 
1197 </p></div></div><div class="sect2" title="Printer Migration"><div class="titlepage"><div><div><h3 class="title"><a name="id2609477"></a>Printer Migration</h3></div></div></div><p>1197 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2603391"></a>Printer Migration</h3></div></div></div><p> 1198 1198 The installation of a new server, as with the migration to a new network environment, often is similar to 1199 1199 building a house; progress is very rapid from the laying of foundations up to the stage at which … … 1214 1214 </p><p> 1215 1215 The migration of an existing printing architecture involves the following: 1216 </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Establishment of print queues.</p></li><li class="listitem"><p>Installation of printer drivers (both for the print server and for Windows clients.</p></li><li class="listitem"><p>Configuration of printing forms.</p></li><li class="listitem"><p>Implementation of security settings.</p></li><li class="listitem"><p>Configuration of printer settings.</p></li></ul></div><p>1216 </p><div class="itemizedlist"><ul type="disc"><li><p>Establishment of print queues.</p></li><li><p>Installation of printer drivers (both for the print server and for Windows clients.</p></li><li><p>Configuration of printing forms.</p></li><li><p>Implementation of security settings.</p></li><li><p>Configuration of printer settings.</p></li></ul></div><p> 1217 1217 The Samba <code class="literal">net</code> utility permits printer migration from one Windows print server 1218 1218 to another. When this tool is used to migrate printers to a Samba server <code class="literal">smbd</code>, … … 1232 1232 Printer migration from a Windows print server (NT4 or 200x) is shown. 
This instruction causes the 1233 1233 printer share to be created together with the underlying print queue: 1234 <a class="indexterm" name="id260 9612"></a>1234 <a class="indexterm" name="id2603526"></a> 1235 1235 </p><pre class="screen"> 1236 1236 net rpc printer MIGRATE PRINTERS [printer] [misc. options] [targets] … … 1238 1238 Printer drivers can be migrated from the Windows print server to the Samba server using this 1239 1239 command-line instruction: 1240 <a class="indexterm" name="id260 9632"></a>1240 <a class="indexterm" name="id2603547"></a> 1241 1241 </p><pre class="screen"> 1242 1242 net rpc printer MIGRATE DRIVERS [printer] [misc. options] [targets] 1243 1243 </pre><p> 1244 1244 Printer forms can be migrated with the following operation: 1245 <a class="indexterm" name="id260 9652"></a>1245 <a class="indexterm" name="id2603566"></a> 1246 1246 </p><pre class="screen"> 1247 1247 net rpc printer MIGRATE FORMS [printer] [misc. options] [targets] 1248 1248 </pre><p> 1249 1249 Printer security settings (ACLs) can be migrated from the Windows server to the Samba server using this command: 1250 <a class="indexterm" name="id260 9672"></a>1250 <a class="indexterm" name="id2603586"></a> 1251 1251 </p><pre class="screen"> 1252 1252 net rpc printer MIGRATE SECURITY [printer] [misc. options] [targets] … … 1254 1254 Printer configuration settings include factors such as paper size and default paper orientation. 1255 1255 These can be migrated from the Windows print server to the Samba server with this command: 1256 <a class="indexterm" name="id260 9694"></a>1256 <a class="indexterm" name="id2603608"></a> 1257 1257 </p><pre class="screen"> 1258 1258 net rpc printer MIGRATE SETTINGS [printer] [misc. options] [targets] … … 1264 1264 net rpc printer MIGRATE ALL [printer] [misc. 
options] [targets] 1265 1265 </pre><p> 1266 </p></div></div><div class="sect1" title="Controlling Open Files"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2609728"></a>Controlling Open Files</h2></div></div></div><p>1266 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2603642"></a>Controlling Open Files</h2></div></div></div><p> 1267 1267 The man page documents the <code class="literal">net file</code> function suite, which provides the tools to 1268 1268 close open files using either RAP or RPC function calls. Please refer to the man page for specific 1269 1269 usage information. 1270 </p></div><div class="sect1" title="Session and Connection Management"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2609747"></a>Session and Connection Management</h2></div></div></div><p>1270 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2603661"></a>Session and Connection Management</h2></div></div></div><p> 1271 1271 The session management interface of the <code class="literal">net session</code> command uses the old RAP 1272 1272 method to obtain the list of connections to the Samba server, as shown here: 1273 <a class="indexterm" name="id260 9763"></a>1273 <a class="indexterm" name="id2603677"></a> 1274 1274 </p><pre class="screen"> 1275 1275 <code class="prompt">root# </code> net rap session -S MERLIN -Uroot%not24get … … 1286 1286 <code class="prompt">root# </code> net rap session close marvel -Uroot%not24get 1287 1287 </pre><p> 1288 </p></div><div class="sect1" title="Printers and ADS"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2609812"></a>Printers and ADS</h2></div></div></div><p>1288 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a 
name="id2603727"></a>Printers and ADS</h2></div></div></div><p> 1289 1289 When Samba-3 is used within an MS Windows ADS environment, printers shared via Samba will not be browseable 1290 1290 until they have been published to the ADS domain. Information regarding published printers may be obtained 1291 1291 from the ADS server by executing the <code class="literal">net ads print info</code> command following this syntax: 1292 <a class="indexterm" name="id260 9831"></a>1292 <a class="indexterm" name="id2603745"></a> 1293 1293 </p><pre class="screen"> 1294 1294 net ads printer info <printer_name> <server_name> -Uadministrator%secret … … 1298 1298 </p><p> 1299 1299 To publish (make available) a printer to ADS, execute the following command: 1300 <a class="indexterm" name="id260 9857"></a>1300 <a class="indexterm" name="id2603771"></a> 1301 1301 </p><pre class="screen"> 1302 1302 net ads printer publish <printer_name> -Uadministrator%secret … … 1305 1305 </p><p> 1306 1306 Removal of a Samba printer from ADS is achieved by executing this command: 1307 <a class="indexterm" name="id260 9882"></a>1307 <a class="indexterm" name="id2603796"></a> 1308 1308 </p><pre class="screen"> 1309 1309 net ads printer remove <printer_name> -Uadministrator%secret … … 1311 1311 </p><p> 1312 1312 A generic search (query) can also be made to locate a printer across the entire ADS domain by executing: 1313 <a class="indexterm" name="id260 9907"></a>1313 <a class="indexterm" name="id2603821"></a> 1314 1314 </p><pre class="screen"> 1315 1315 net ads printer search <printer_name> -Uadministrator%secret 1316 1316 </pre><p> 1317 </p></div><div class="sect1" title="Manipulating the Samba Cache"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2609928"></a>Manipulating the Samba Cache</h2></div></div></div><p>1317 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2603842"></a>Manipulating the 
Samba Cache</h2></div></div></div><p> 1318 1318 Please refer to the <code class="literal">net</code> command man page for information regarding cache management. 1319 </p></div><div class="sect1" title="Managing IDMAP UID/SID Mappings"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2609946"></a>Managing IDMAP UID/SID Mappings</h2></div></div></div><p>1319 </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2603860"></a>Managing IDMAP UID/SID Mappings</h2></div></div></div><p> 1320 1320 The IDMAP UID to SID, and SID to UID, mappings that are created by <code class="literal">winbindd</code> can be 1321 1321 backed up to a text file. The text file can be manually edited, although it is highly recommended that … … 1328 1328 Winbind must be shut down to dump the IDMAP file. Before restoring a dump file, shut down 1329 1329 <code class="literal">winbindd</code> and delete the old <code class="filename">winbindd_idmap.tdb</code> file. 
1330 </p><div class="sect2" title="Creating an IDMAP Database Dump File"><div class="titlepage"><div><div><h3 class="title"><a name="id2609990"></a>Creating an IDMAP Database Dump File</h3></div></div></div><p>1330 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2603904"></a>Creating an IDMAP Database Dump File</h3></div></div></div><p> 1331 1331 The IDMAP database can be dumped to a text file as shown here: 1332 1332 </p><pre class="screen"> … … 1338 1338 net idmap dump /var/lib/samba/winbindd_idmap.tdb > idmap_dump.txt 1339 1339 </pre><p> 1340 </p></div><div class="sect2" title="Restoring the IDMAP Database Dump File"><div class="titlepage"><div><div><h3 class="title"><a name="id2610025"></a>Restoring the IDMAP Database Dump File</h3></div></div></div><p>1340 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2603939"></a>Restoring the IDMAP Database Dump File</h3></div></div></div><p> 1341 1341 The IDMAP dump file can be restored using the following command: 1342 1342 </p><pre class="screen"> … … 1348 1348 net idmap restore /var/lib/samba/winbindd_idmap.tdb < idmap_dump.txt 1349 1349 </pre><p> 1350 </p></div></div><div class="sect1" title="Other Miscellaneous Operations"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="netmisc1"></a>Other Miscellaneous Operations</h2></div></div></div><p>1350 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="netmisc1"></a>Other Miscellaneous Operations</h2></div></div></div><p> 1351 1351 The following command is useful for obtaining basic statistics regarding a Samba domain. This command does 1352 1352 not work with current Windows XP Professional clients. 
1353 <a class="indexterm" name="id26 10075"></a>1353 <a class="indexterm" name="id2603989"></a> 1354 1354 </p><pre class="screen"> 1355 1355 <code class="prompt">root# </code> net rpc info … … 1364 1364 Another useful tool is the <code class="literal">net time</code> tool set. This tool may be used to query the 1365 1365 current time on the target server as shown here: 1366 <a class="indexterm" name="id26 10111"></a>1366 <a class="indexterm" name="id2604025"></a> 1367 1367 </p><pre class="screen"> 1368 1368 <code class="prompt">root# </code> net time -S SAURON … … 1372 1372 <code class="literal">/bin/time</code>, it is a good idea to obtain the time from the target server in a format 1373 1373 that is ready to be passed through. This may be done by executing: 1374 <a class="indexterm" name="id26 10142"></a>1374 <a class="indexterm" name="id2604056"></a> 1375 1375 </p><pre class="screen"> 1376 1376 <code class="prompt">root# </code> net time system -S FRODO … … 1378 1378 </pre><p> 1379 1379 The time can be set on a target server by executing: 1380 <a class="indexterm" name="id26 10167"></a>1380 <a class="indexterm" name="id2604081"></a> 1381 1381 </p><pre class="screen"> 1382 1382 <code class="prompt">root# </code> net time set -S MAGGOT -U Administrator%not24get … … 1384 1384 </pre><p> 1385 1385 It is possible to obtain the time zone of a server by executing the following command against it: 1386 <a class="indexterm" name="id26 10192"></a>1386 <a class="indexterm" name="id2604107"></a> 1387 1387 </p><pre class="screen"> 1388 1388 <code class="prompt">root# </code> net time zone -S SAURON