Adding Standard Windows Domain Groups
Desktop - OpenSUSE

First, you must understand that SAMBA, by default, maps Linux user accounts to Windows user accounts through the /etc/samba/smbusers file. Most often this maps root to administrator and nobody to guest. So we have a domain administrator but not a Domain Administrators group. Does this matter? Well, yes: when a Windows workstation or server joins the domain, it expects the Domain Administrators group to be added to its Local Administrators group, and likewise Domain Users to its Local Users group. If you need the domain accounts to have permissions and rights automatically assigned through these group memberships, you will need to know this.

 

Create our Domain Administrators Mapping

We must first choose or create the posix group that will hold the users who make up the membership of the Domain Administrators group. Here I will create a group called domadmin :-

groupadd domadmin

Now we need to edit the /etc/group file to add our posix users to this group. My sample entry will read

domadmin:x:1000:root,geeko

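This shows the group with two members: the users geeko and root. You may also edit this group through YaST > Users and Groups. Keep the membership small: once the group is mapped, every member is treated as a Domain Administrator, and so as a local administrator, on each machine that joins the domain.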

To map this to the Windows Domain Administrators group you will need to check the SAMBA Documentation or at least the extract we have included.

Each of the Windows Builtin groups has a specified RID (Relative Identifier). A group becomes the Domain Administrators group by its RID; the name is just descriptive. It is the RID that actually makes it the Domain Administrators group. The following table lists the name of each group and the corresponding RID to use. You will see Domain Admins, Domain Users and Domain Guests are listed as "Essential". Well, maybe you do not need Domain Guests, but this is your choice.

Well-Known Entity            RID   Type    Essential
---------------------------  ----  ------  ---------
Domain Administrator         500   User    No
Domain Guest                 501   User    No
Domain KRBTGT                502   User    No
Domain Admins                512   Group   Yes
Domain Users                 513   Group   Yes
Domain Guests                514   Group   Yes
Domain Computers             515   Group   No
Domain Controllers           516   Group   No
Domain Certificate Admins    517   Group   No
Domain Schema Admins         518   Group   No
Domain Enterprise Admins     519   Group   No
Domain Policy Admins         520   Group   No
Builtin Admins               544   Alias   No
Builtin Users                545   Alias   No
Builtin Guests               546   Alias   No
Builtin Power Users          547   Alias   No
Builtin Account Operators    548   Alias   No
Builtin System Operators     549   Alias   No
Builtin Print Operators      550   Alias   No
Builtin Backup Operators     551   Alias   No
Builtin Replicator           552   Alias   No
Builtin RAS Servers          553   Alias   No

The final step in the equation then is to run the net command to map our posix or unix group to the ntgroup:-

net groupmap add ntgroup="Domain Admins" unixgroup=domadmin rid=512 type=d

To verify your settings once the command has succeeded you run the command:-

net groupmap list

Mapping Domain Users

So this should now be a piece of cake for you, especially if you use SUSE, which has a shared posix users group. If you use a Red Hat style distribution you will need to create a central users group and add all of the users that you wish to be in your Windows Domain Users group.

net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=d
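
Once both mappings are in place, it is worth auditing them: which essential RIDs from the table are still unmapped, and exactly which posix users now hold Domain Admins rights. The script below is an added example, not part of the original page. The function names are hypothetical, the sample data (including the domain SID) is constructed, and it assumes net groupmap list prints lines of the form "NT name (SID) -> unixgroup".

```shell
#!/bin/sh
# Added example: audit Samba group mappings against the essential RIDs.
# Assumes `net groupmap list` prints: NT name (SID) -> unixgroup

# Constructed sample data; the domain SID is a placeholder.
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> domadmin
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users'

SAMPLE_GROUP='root:x:0:
users:x:100:
domadmin:x:1000:root,geeko'

# unix_group_for_rid RID GROUPMAP_TEXT
# Prints the unix group mapped to the SID ending in -RID, or nothing.
unix_group_for_rid() {
    printf '%s\n' "$2" |
        sed -n "s/^.*(S-[0-9-]*-$1) -> \(.*\)\$/\1/p" | head -n 1
}

# members_of GROUP GROUP_FILE_TEXT
# Prints the member list from /etc/group format. Users whose *primary*
# group is GROUP are not listed there and must be checked in /etc/passwd.
members_of() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $4 }'
}

# missing_essential GROUPMAP_TEXT
# Prints the essential RIDs (512, 513, 514) that have no mapping.
missing_essential() {
    missing=''
    for rid in 512 513 514; do
        [ -n "$(unix_group_for_rid "$rid" "$1")" ] || missing="$missing $rid"
    done
    printf '%s\n' "${missing# }"
}

admins_group=$(unix_group_for_rid 512 "$SAMPLE_GROUPMAP")
echo "Domain Admins -> $admins_group"
echo "Members with domain admin rights: $(members_of "$admins_group" "$SAMPLE_GROUP")"
echo "Essential RIDs without a mapping: $(missing_essential "$SAMPLE_GROUPMAP")"
```

On a live server, pass "$(net groupmap list)" and "$(getent group)" in place of the two sample variables.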