Adding Standard Windows Domain Groups
Desktop - OpenSUSE
First, you must understand that SAMBA, by default, maps Linux user accounts to Windows user accounts in the /etc/samba/smbusers file. Most often this maps root to administrator and nobody to guest. So we have a domain administrator but not a Domain Administrators group. Does this matter? Well, yes: when a Windows workstation or server joins the domain, it expects the Domain Administrators group to be added to its Local Administrators group, and likewise Domain Users to the Local Users group. If you need domain accounts to have permissions and rights assigned automatically through these group memberships, you will need to know this.
Create our Domain Administrators Mapping

We must first choose or create the posix group that will hold the users who make up the membership of the Domain Administrators group. Here I will create a group called domadmin:

    groupadd domadmin

Now we need to edit the /etc/group file to add our posix users to this group. My sample entry reads:

    domadmin:x:1000:root,geeko

This shows the group with two members, the users geeko and root. You may also edit this group through YaST > Users and Groups.

To map this to the Windows Domain Administrators group you will need to check the SAMBA documentation, or at least the extract we have included. Each of the Windows builtin groups has a specified RID (Relative Identifier). A group becomes the Domain Administrators group by its RID; the name is just descriptive. It is the RID that actually makes it the Domain Administrators group. The following table lists the name of each group and the corresponding RID to use. You will see Domain Users, Administrators and Guests are listed as "Essential". Well, maybe you do not need Domain Guests, but this is your choice.
The final step in the equation then is to run the net command to map our posix or unix group to the ntgroup:

    net groupmap add ntgroup="Domain Admins" unixgroup=domadmin rid=512 type=d

To verify your settings once the command has succeeded, run:

    net groupmap list

Mapping Domain Users

This should now be a piece of cake for you, especially if you use SUSE, which has a shared posix users group. If you use a Red Hat style distribution you will need to create a central users group and add all of the users that you wish to be in your Windows Domain Users group.

    net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=d
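
Because the RID, not the name, decides which unix group ends up in each workstation's Local Administrators group, it is worth checking the verification output mechanically. The following is an added example, not part of the original page: the function names and the sample domain SID are constructed, and it assumes `net groupmap list` prints lines of the form `NT name (SID) -> unixgroup`.

```shell
#!/bin/sh
# Added example (not from the original page). Real use:
#   net groupmap list | check_groupmap

# Reads `net groupmap list` output on stdin. Prints one finding per line and
# returns non-zero if a mapping from this page is missing or wrong.
check_groupmap() {
    awk '
    BEGIN {
        # Expected values come from the two commands on this page.
        rid["Domain Admins"] = 512; grp["Domain Admins"] = "domadmin"
        rid["Domain Users"]  = 513; grp["Domain Users"]  = "users"
    }
    # Each mapping line looks like: NT name (SID) -> unixgroup
    match($0, / \(S-[0-9-]+\) -> /) {
        name = substr($0, 1, RSTART - 1)
        sid  = substr($0, RSTART + 2, RLENGTH - 7)
        unixgrp = substr($0, RSTART + RLENGTH)
        n = split(sid, part, "-")
        r = part[n] + 0                 # the RID is the last SID component
        seen[name] = 1
        if (name in rid) {
            if (r != rid[name]) {
                print "BAD_RID " name ": " r ", expected " rid[name]; bad = 1
            }
            if (unixgrp != grp[name]) {
                print "BAD_GROUP " name ": " unixgrp ", expected " grp[name]; bad = 1
            }
        } else if (r == 512 || r == 513) {
            # Another name holding a well-known RID is that domain group.
            print "UNEXPECTED " name " holds RID " r " via " unixgrp; bad = 1
        }
    }
    END {
        if (!("Domain Admins" in seen)) { print "MISSING Domain Admins"; bad = 1 }
        if (!("Domain Users" in seen))  { print "MISSING Domain Users";  bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample output; the domain SID is made up.
sample_ok() {
    printf '%s\n' \
      'Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> domadmin' \
      'Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users'
}

sample_ok | check_groupmap && echo "sample mappings OK"
```

An UNEXPECTED finding means some other group name carries RID 512 or 513, so its unix members hold that domain role regardless of what the group is called.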