author: vorlon <vorlon@alioth.debian.org> 2008-08-06 08:20:34 +0000
committer: vorlon <vorlon@alioth.debian.org> 2008-08-06 08:20:34 +0000
commit: 68aa8432723241ac2bf3ee5baf57a36c05f2594d (patch)
tree: e6a23070d0126ea4677ae042efac6880e2917e86 /docs/htmldocs/Samba3-HOWTO/NetCommand.html
parent: d3d0a1bb1e3b23e7bb42b3bed443a144b66853de (diff)
download: samba-68aa8432723241ac2bf3ee5baf57a36c05f2594d.tar.gz
Load samba-3.2.1 into branches/samba/upstream.upstream/3.2.1
git-svn-id: svn://svn.debian.org/svn/pkg-samba/branches/samba/upstream@2104 fc4039ab-9d04-0410-8cac-899223bdd6b0
Diffstat (limited to 'docs/htmldocs/Samba3-HOWTO/NetCommand.html')
-rw-r--r-- docs/htmldocs/Samba3-HOWTO/NetCommand.html 274
1 files changed, 137 insertions, 137 deletions
diff --git a/docs/htmldocs/Samba3-HOWTO/NetCommand.html b/docs/htmldocs/Samba3-HOWTO/NetCommand.html
index b44ade5a36..71b9d90118 100644
--- a/docs/htmldocs/Samba3-HOWTO/NetCommand.html
+++ b/docs/htmldocs/Samba3-HOWTO/NetCommand.html
@@ -1,5 +1,5 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 13. Remote and Local Management: The Net Command</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.73.1"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="groupmapping.html" title="Chapter 12. Group Mapping: MS Windows and UNIX"><link rel="next" href="idmapper.html" title="Chapter 14. Identity Mapping (IDMAP)"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 13. Remote and Local Management: The Net Command</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="idmapper.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NetCommand"></a>Chapter 13. 
Remote and Local Management: The Net Command</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Volker</span> <span class="surname">Lendecke</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:Volker.Lendecke@SerNet.DE">Volker.Lendecke@SerNet.DE</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="surname">Deschner</span></h3><div class="affiliation"><span class="orgname">SuSE<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:gd@suse.de">gd@suse.de</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">May 9, 2005</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="NetCommand.html#id2592043">Overview</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2592337">Administrative Tasks and Methods</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2592419">UNIX and Windows Group Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2592577">Adding, Renaming, or Deletion of Group Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#grpmemshipchg">Manipulating Group Memberships</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#nestedgrpmgmgt">Nested Group Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2593941">UNIX and Windows User 
Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#sbeuseraddn">Adding User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2594153">Deletion of User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2594201">Managing User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2594269">User Mapping</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2594353">Administering User Rights and Privileges</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2594698">Managing Trust Relationships</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2594713">Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2595082">Interdomain Trusts</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2595316">Managing Security Identifiers (SIDS)</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2595544">Share Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2595589">Creating, Editing, and Removing Shares</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2595777">Creating and Changing Share ACLs</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2595808">Share, Directory, and File Migration</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2596430">Printer Migration</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2596687">Controlling Open Files</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2596706">Session and Connection Management</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2596772">Printers and ADS</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2596887">Manipulating the Samba Cache</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2596905">Managing IDMAP UID/SID 
Mappings</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2596949">Creating an IDMAP Database Dump File</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2596984">Restoring the IDMAP Database Dump File</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#netmisc1">Other Miscellaneous Operations</a></span></dt></dl></div><p>
-<a class="indexterm" name="id2591904"></a>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 13. Remote and Local Management: The Net Command</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.73.1"><link rel="start" href="index.html" title="The Official Samba 3.2.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="groupmapping.html" title="Chapter 12. Group Mapping: MS Windows and UNIX"><link rel="next" href="idmapper.html" title="Chapter 14. Identity Mapping (IDMAP)"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 13. Remote and Local Management: The Net Command</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="idmapper.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NetCommand"></a>Chapter 13. 
Remote and Local Management: The Net Command</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Volker</span> <span class="surname">Lendecke</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:Volker.Lendecke@SerNet.DE">Volker.Lendecke@SerNet.DE</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="surname">Deschner</span></h3><div class="affiliation"><span class="orgname">SuSE<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:gd@suse.de">gd@suse.de</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">May 9, 2005</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="NetCommand.html#id2592044">Overview</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2592338">Administrative Tasks and Methods</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2592419">UNIX and Windows Group Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2592578">Adding, Renaming, or Deletion of Group Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#grpmemshipchg">Manipulating Group Memberships</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#nestedgrpmgmgt">Nested Group Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2593942">UNIX and Windows User 
Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#sbeuseraddn">Adding User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2594153">Deletion of User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2594202">Managing User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2594270">User Mapping</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2594353">Administering User Rights and Privileges</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2594698">Managing Trust Relationships</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2594714">Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2595082">Interdomain Trusts</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2595316">Managing Security Identifiers (SIDS)</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2595544">Share Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2595590">Creating, Editing, and Removing Shares</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2595778">Creating and Changing Share ACLs</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2595808">Share, Directory, and File Migration</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2596431">Printer Migration</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2596687">Controlling Open Files</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2596707">Session and Connection Management</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2596772">Printers and ADS</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2596888">Manipulating the Samba Cache</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2596906">Managing IDMAP UID/SID 
Mappings</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2596949">Creating an IDMAP Database Dump File</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2596985">Restoring the IDMAP Database Dump File</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#netmisc1">Other Miscellaneous Operations</a></span></dt></dl></div><p>
+<a class="indexterm" name="id2591905"></a>
<a class="indexterm" name="id2591911"></a>
<a class="indexterm" name="id2591918"></a>
<a class="indexterm" name="id2591925"></a>
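Review bot: Every change in this hunk is an auto-generated DocBook anchor shifting by one (for example `id2592043` to `id2592044`), including the matching TOC hrefs; only the anchors that were given explicit ids in the source (`grpmemshipchg`, `nestedgrpmgmgt`, `sbeuseraddn`, `netmisc1`) survive the regeneration unchanged. Any bookmark or cross-reference into this chapter that uses one of the `idNNNNNNN` anchors breaks with this import, so the section headings in the DocBook source should carry explicit ids rather than relying on generated ones, which would also shrink a 137-line diff to nothing.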
@@ -7,8 +7,8 @@ The <code class="literal">net</code> command is one of the new features of Samba
tool for the majority of remote management operations necessary for common tasks. The <code class="literal">net</code>
tool is flexible by design and is intended for command-line use as well as for scripted control application.
</p><p>
-<a class="indexterm" name="id2591951"></a>
-<a class="indexterm" name="id2591957"></a>
+<a class="indexterm" name="id2591952"></a>
+<a class="indexterm" name="id2591958"></a>
<a class="indexterm" name="id2591965"></a>
<a class="indexterm" name="id2591972"></a>
Originally introduced with the intent to mimic the Microsoft Windows command that has the same name, the
@@ -22,13 +22,13 @@ provided should look at the <code class="literal">net</code> command before sear
</p><p>
A Samba-3 administrator cannot afford to gloss over this chapter because to do so will almost certainly cause
the infliction of self-induced pain, agony, and desperation. Be warned: this is an important chapter.
-</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2592043"></a>Overview</h2></div></div></div><p>
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2592044"></a>Overview</h2></div></div></div><p>
<a class="indexterm" name="id2592051"></a>
<a class="indexterm" name="id2592058"></a>
-<a class="indexterm" name="id2592064"></a>
-<a class="indexterm" name="id2592071"></a>
+<a class="indexterm" name="id2592065"></a>
+<a class="indexterm" name="id2592072"></a>
<a class="indexterm" name="id2592078"></a>
-<a class="indexterm" name="id2592084"></a>
+<a class="indexterm" name="id2592085"></a>
The tasks that follow the installation of a Samba-3 server, whether standalone or domain member, of a
domain controller (PDC or BDC) begins with the need to create administrative rights. Of course, the
creation of user and group accounts is essential for both a standalone server and a PDC.
@@ -38,11 +38,11 @@ the infliction of self-induced pain, agony, and desperation. Be warned: this is
<a class="indexterm" name="id2592102"></a>
<a class="indexterm" name="id2592109"></a>
<a class="indexterm" name="id2592116"></a>
-<a class="indexterm" name="id2592122"></a>
-<a class="indexterm" name="id2592129"></a>
+<a class="indexterm" name="id2592123"></a>
+<a class="indexterm" name="id2592130"></a>
<a class="indexterm" name="id2592136"></a>
-<a class="indexterm" name="id2592142"></a>
-<a class="indexterm" name="id2592149"></a>
+<a class="indexterm" name="id2592143"></a>
+<a class="indexterm" name="id2592150"></a>
Regardless of the type of server being installed, local UNIX groups must be mapped to the Windows
networking domain global group accounts. Do you ask why? Because Samba always limits its access to
the resources of the host server by way of traditional UNIX UID and GID controls. This means that local
@@ -50,9 +50,9 @@ the infliction of self-induced pain, agony, and desperation. Be warned: this is
global groups can be given access rights based on UIDs and GIDs local to the server that is hosting
Samba. Such mappings are implemented using the <code class="literal">net</code> command.
</p><p>
-<a class="indexterm" name="id2592174"></a>
+<a class="indexterm" name="id2592175"></a>
<a class="indexterm" name="id2592181"></a>
-<a class="indexterm" name="id2592187"></a>
+<a class="indexterm" name="id2592188"></a>
<a class="indexterm" name="id2592194"></a>
<a class="indexterm" name="id2592201"></a>
<a class="indexterm" name="id2592208"></a>
@@ -63,27 +63,27 @@ the infliction of self-induced pain, agony, and desperation. Be warned: this is
</p><p>
<a class="indexterm" name="id2592235"></a>
<a class="indexterm" name="id2592242"></a>
-<a class="indexterm" name="id2592248"></a>
-<a class="indexterm" name="id2592255"></a>
-<a class="indexterm" name="id2592262"></a>
-<a class="indexterm" name="id2592269"></a>
-<a class="indexterm" name="id2592276"></a>
-<a class="indexterm" name="id2592283"></a>
+<a class="indexterm" name="id2592249"></a>
+<a class="indexterm" name="id2592256"></a>
+<a class="indexterm" name="id2592263"></a>
+<a class="indexterm" name="id2592270"></a>
+<a class="indexterm" name="id2592277"></a>
+<a class="indexterm" name="id2592284"></a>
<a class="indexterm" name="id2592290"></a>
The establishment of interdomain trusts is achieved using the <code class="literal">net</code> command also, as
may a plethora of typical administrative duties such as user management, group management, share and
printer management, file and printer migration, security identifier management, and so on.
</p><p>
-<a class="indexterm" name="id2592310"></a>
-<a class="indexterm" name="id2592317"></a>
+<a class="indexterm" name="id2592311"></a>
+<a class="indexterm" name="id2592318"></a>
The overall picture should be clear now: the <code class="literal">net</code> command plays a central role
on the Samba-3 stage. This role will continue to be developed. The inclusion of this chapter is
evidence of its importance, one that has grown in complexity to the point that it is no longer considered
prudent to cover its use fully in the online UNIX man pages.
- </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2592337"></a>Administrative Tasks and Methods</h2></div></div></div><p>
-<a class="indexterm" name="id2592345"></a>
-<a class="indexterm" name="id2592352"></a>
-<a class="indexterm" name="id2592358"></a>
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2592338"></a>Administrative Tasks and Methods</h2></div></div></div><p>
+<a class="indexterm" name="id2592346"></a>
+<a class="indexterm" name="id2592353"></a>
+<a class="indexterm" name="id2592359"></a>
<a class="indexterm" name="id2592368"></a>
The basic operations of the <code class="literal">net</code> command are documented here. This documentation is not
exhaustive, and thus it is incomplete. Since the primary focus is on migration from Windows servers to a Samba
@@ -95,10 +95,10 @@ the infliction of self-induced pain, agony, and desperation. Be warned: this is
<code class="constant">rap</code> modes. Please refer to the man page for a more comprehensive overview of the
capabilities of this utility.
</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2592419"></a>UNIX and Windows Group Management</h2></div></div></div><p>
-<a class="indexterm" name="id2592427"></a>
+<a class="indexterm" name="id2592428"></a>
<a class="indexterm" name="id2592434"></a>
-<a class="indexterm" name="id2592442"></a>
-<a class="indexterm" name="id2592451"></a>
+<a class="indexterm" name="id2592443"></a>
+<a class="indexterm" name="id2592452"></a>
<a class="indexterm" name="id2592460"></a>
As stated, the focus in most of this chapter is on use of the <code class="literal">net rpc</code> family of
operations that are supported by Samba. Most of them are supported by the <code class="literal">net ads</code>
@@ -106,16 +106,16 @@ the infliction of self-induced pain, agony, and desperation. Be warned: this is
also supported for some of these operations. RAP protocols are used by IBM OS/2 and by several
earlier SMB servers.
</p><p>
-<a class="indexterm" name="id2592493"></a>
-<a class="indexterm" name="id2592500"></a>
-<a class="indexterm" name="id2592507"></a>
+<a class="indexterm" name="id2592494"></a>
+<a class="indexterm" name="id2592501"></a>
+<a class="indexterm" name="id2592508"></a>
Samba's <code class="literal">net</code> tool implements sufficient capability to permit all common administrative
tasks to be completed from the command line. In this section each of the essential user and group management
facilities are explored.
</p><p>
-<a class="indexterm" name="id2592526"></a>
-<a class="indexterm" name="id2592533"></a>
-<a class="indexterm" name="id2592542"></a>
+<a class="indexterm" name="id2592527"></a>
+<a class="indexterm" name="id2592534"></a>
+<a class="indexterm" name="id2592543"></a>
<a class="indexterm" name="id2592552"></a>
Samba-3 recognizes two types of groups: <span class="emphasis"><em>domain groups</em></span> and <span class="emphasis"><em>local
groups</em></span>. Domain groups can contain (have as members) only domain user accounts. Local groups
@@ -123,7 +123,7 @@ the infliction of self-induced pain, agony, and desperation. Be warned: this is
</p><p>
The purpose of a local group is to permit file permission to be set for a group account that, like the
usual UNIX/Linux group, is persistent across redeployment of a Windows file server.
- </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2592577"></a>Adding, Renaming, or Deletion of Group Accounts</h3></div></div></div><p>
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2592578"></a>Adding, Renaming, or Deletion of Group Accounts</h3></div></div></div><p>
Samba provides file and print services to Windows clients. The file system resources it makes available
to the Windows environment must, of necessity, be provided in a manner that is compatible with the
Windows networking environment. UNIX groups are created and deleted as required to serve operational
@@ -184,8 +184,8 @@ SupportEngrs
</pre><p>
</p><p>
<a class="indexterm" name="id2592720"></a>
-<a class="indexterm" name="id2592726"></a>
-<a class="indexterm" name="id2592733"></a>
+<a class="indexterm" name="id2592727"></a>
+<a class="indexterm" name="id2592734"></a>
The following demonstrates that the POSIX (UNIX/Linux system account) group has been created by calling
the <a class="link" href="smb.conf.5.html#ADDGROUPSCRIPT">add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"</a> interface
script:
@@ -218,18 +218,18 @@ Domain Computers (S-1-5-21-72630-4128915-11681869-553) -&gt; Domain Computers
Engineers (S-1-5-21-72630-4128915-11681869-3005) -&gt; Engineers
SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -&gt; SupportEngrs
</pre><p>
- </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2592821"></a>Mapping Windows Groups to UNIX Groups</h4></div></div></div><p>
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2592822"></a>Mapping Windows Groups to UNIX Groups</h4></div></div></div><p>
<a class="indexterm" name="id2592829"></a>
<a class="indexterm" name="id2592836"></a>
-<a class="indexterm" name="id2592842"></a>
-<a class="indexterm" name="id2592849"></a>
+<a class="indexterm" name="id2592843"></a>
+<a class="indexterm" name="id2592850"></a>
Windows groups must be mapped to UNIX system (POSIX) groups so that file system access controls
can be asserted in a manner that is consistent with the methods appropriate to the operating
system that is hosting the Samba server.
</p><p>
<a class="indexterm" name="id2592864"></a>
-<a class="indexterm" name="id2592870"></a>
-<a class="indexterm" name="id2592877"></a>
+<a class="indexterm" name="id2592871"></a>
+<a class="indexterm" name="id2592878"></a>
<a class="indexterm" name="id2592884"></a>
All file system (file and directory) access controls, within the file system of a UNIX/Linux server that is
hosting a Samba server, are implemented using a UID/GID identity tuple. Samba does not in any way override
@@ -238,11 +238,11 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -&gt; SupportEngrs
account. The user account must also map to a locally known UID. Note that the <code class="literal">net</code>
command does not call any RPC-functions here but directly accesses the passdb.
</p><p>
-<a class="indexterm" name="id2592909"></a>
-<a class="indexterm" name="id2592916"></a>
-<a class="indexterm" name="id2592923"></a>
-<a class="indexterm" name="id2592930"></a>
-<a class="indexterm" name="id2592937"></a>
+<a class="indexterm" name="id2592910"></a>
+<a class="indexterm" name="id2592917"></a>
+<a class="indexterm" name="id2592924"></a>
+<a class="indexterm" name="id2592931"></a>
+<a class="indexterm" name="id2592938"></a>
<a class="indexterm" name="id2592944"></a>
<a class="indexterm" name="id2592951"></a>
Samba depends on default mappings for the <code class="constant">Domain Admins, Domain Users</code>, and
@@ -251,9 +251,9 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -&gt; SupportEngrs
to a Windows group. This operation, in effect, creates a Windows group account as a consequence
of creation of the mapping.
</p><p>
-<a class="indexterm" name="id2592974"></a>
-<a class="indexterm" name="id2592985"></a>
-<a class="indexterm" name="id2592996"></a>
+<a class="indexterm" name="id2592975"></a>
+<a class="indexterm" name="id2592986"></a>
+<a class="indexterm" name="id2592997"></a>
The operations that are permitted include: <code class="constant">add</code>, <code class="constant">modify</code>,
and <code class="constant">delete</code>. An example of each operation is shown here.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
@@ -290,15 +290,15 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -&gt; SupportEngrs
Supported mapping types are 'd' (domain global) and 'l' (domain local), a domain local group in Samba is
treated as local to the individual Samba server. Local groups can be used with Samba to enable multiple
nested group support.
- </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2593129"></a>Deleting a Group Account</h4></div></div></div><p>
-<a class="indexterm" name="id2593137"></a>
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2593130"></a>Deleting a Group Account</h4></div></div></div><p>
+<a class="indexterm" name="id2593138"></a>
A group account may be deleted by executing the following command:
</p><pre class="screen">
<code class="prompt">root# </code> net rpc group delete SupportEngineers -Uroot%not24get
</pre><p>
</p><p>
Validation of the deletion is advisable. The same commands may be executed as shown above.
- </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2593169"></a>Rename Group Accounts</h4></div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2593170"></a>Rename Group Accounts</h4></div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
This command is not documented in the man pages; it is implemented in the source code, but it does not
work at this time. The example given documents, from the source code, how it should work. Watch the
release notes of a future release to see when this may have been fixed.
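Review bot: The only changes in this hunk are the heading anchors (`id2593129` to `id2593130`, `id2593169` to `id2593170`), but the unchanged example on the context line, `net rpc group delete SupportEngineers -Uroot%not24get`, passes the root password in the `-U user%password` form, where it is visible to every local user in the process list and is recorded in shell history. The documentation would be better served by `-Uroot` alone, so that `net` prompts for the password, with a sentence explaining why the `%password` form is shown only for brevity.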
@@ -306,7 +306,7 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -&gt; SupportEngrs
Sometimes it is necessary to rename a group account. Good administrators know how painful some managers'
demands can be if this simple request is ignored. The following command demonstrates how the Windows group
&#8220;<span class="quote">SupportEngrs</span>&#8221; can be renamed to &#8220;<span class="quote">CustomerSupport</span>&#8221;:
-<a class="indexterm" name="id2593197"></a>
+<a class="indexterm" name="id2593198"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc group rename SupportEngrs \
CustomerSupport -Uroot%not24get
@@ -349,7 +349,7 @@ Engineers (S-1-5-21-72630-412605-116429-3001) -&gt; Engineers
Given that the user <code class="constant">ajt</code> is already a member of the UNIX/Linux group and, via the
group mapping, a member of the Windows group, an attempt to add this account again should fail. This is
demonstrated here:
-<a class="indexterm" name="id2593329"></a>
+<a class="indexterm" name="id2593330"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot%not24get
Could not add ajt to MIDEARTH\Engineers: NT_STATUS_MEMBER_IN_GROUP
@@ -359,7 +359,7 @@ Could not add ajt to MIDEARTH\Engineers: NT_STATUS_MEMBER_IN_GROUP
</p><p>
To permit the user <code class="constant">ajt</code> to be added using the <code class="literal">net rpc group</code> utility,
this account must first be removed. The removal and confirmation of its effect is shown here:
-<a class="indexterm" name="id2593371"></a>
+<a class="indexterm" name="id2593372"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc group delmem "MIDEARTH\Engineers" ajt -Uroot%not24get
<code class="prompt">root# </code> getent group Engineers
@@ -440,11 +440,11 @@ DOM\jht
</p><pre class="screen">
<code class="prompt">root# </code> net rpc group delmem demo "DOM\jht" -Uroot%not24get
</pre><p>
- </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2593648"></a>Managing Nest Groups on Workstations from the Samba Server</h4></div></div></div><p>
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2593649"></a>Managing Nest Groups on Workstations from the Samba Server</h4></div></div></div><p>
Windows network administrators often ask on the Samba mailing list how it is possible to grant everyone
administrative rights on their own workstation. This is of course a very bad practice, but commonly done
to avoid user complaints. Here is how it can be done remotely from a Samba PDC or BDC:
-<a class="indexterm" name="id2593662"></a>
+<a class="indexterm" name="id2593663"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc group addmem "Administrators" "Domain Users" \
-S WINPC032 -Uadministrator%secret
@@ -459,11 +459,11 @@ DOM\jht
-UAdministrator%secret -S $2
exit 0
-</pre></div></div><br class="example-break"><div class="example"><a name="magicnetlogon"></a><p class="title"><b>Example 13.2. A Magic Netlogon Share</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2593850"></a><em class="parameter"><code>comment = Netlogon Share</code></em></td></tr><tr><td><a class="indexterm" name="id2593862"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2593874"></a><em class="parameter"><code>root preexec = /etc/samba/scripts/autopoweruser.sh %U %m</code></em></td></tr><tr><td><a class="indexterm" name="id2593886"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2593897"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div></div><br class="example-break"><ol type="1"><li><p>
+</pre></div></div><br class="example-break"><div class="example"><a name="magicnetlogon"></a><p class="title"><b>Example 13.2. A Magic Netlogon Share</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2593851"></a><em class="parameter"><code>comment = Netlogon Share</code></em></td></tr><tr><td><a class="indexterm" name="id2593862"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2593874"></a><em class="parameter"><code>root preexec = /etc/samba/scripts/autopoweruser.sh %U %m</code></em></td></tr><tr><td><a class="indexterm" name="id2593886"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2593898"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div></div><br class="example-break"><ol type="1"><li><p>
Create the script shown in <a class="link" href="NetCommand.html#autopoweruserscript" title="Example 13.1. Script to Auto-add Domain Users to Workstation Power Users Group">&#8220;Script to Auto-add Domain Users to Workstation Power Users Group&#8221;</a> and locate it in
the directory <code class="filename">/etc/samba/scripts</code>, named as <code class="filename">autopoweruser.sh</code>.
<a class="indexterm" name="id2593726"></a>
-<a class="indexterm" name="id2593737"></a>
+<a class="indexterm" name="id2593738"></a>
<a class="indexterm" name="id2593744"></a>
</p></li><li><p>
Set the permissions on this script to permit it to be executed as part of the logon process:
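Review bot: every `-`/`+` pair in this hunk, and in all the hunks that follow, changes nothing but the auto-generated `name="id…"` value of an `<a class="indexterm">` or section anchor (here `id2593850` to `id2593851`, `id2593737` to `id2593738`); no visible text differs. Because these fragment ids come from the DocBook XSL build, regenerating them on every upstream import breaks any bookmark or external link that points at `NetCommand.html#id2593941`-style anchors and buries whatever real content changed in this release under 274 lines of churn. Consider not tracking the generated `docs/htmldocs` output in the packaging branch, or giving the sections stable ids in the DocBook source so they survive a rebuild. Unrelated to the renumbering but visible in the same example: the `[netlogon]` share combines `root preexec = /etc/samba/scripts/autopoweruser.sh %U %m` with `guest ok = Yes`, so a script running as root receives a client-chosen user name and machine name from any anonymous connection; the text should say that the script must treat both arguments as untrusted input.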
@@ -484,14 +484,14 @@ exit 0
in which case there is little justification for the use of this procedure. The key justification
for the use of this method is that it will guarantee that all users have appropriate rights on
the workstation.
- </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2593941"></a>UNIX and Windows User Management</h2></div></div></div><p>
-<a class="indexterm" name="id2593949"></a>
+ </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2593942"></a>UNIX and Windows User Management</h2></div></div></div><p>
+<a class="indexterm" name="id2593950"></a>
<a class="indexterm" name="id2593956"></a>
<a class="indexterm" name="id2593963"></a>
-<a class="indexterm" name="id2593969"></a>
-<a class="indexterm" name="id2593976"></a>
-<a class="indexterm" name="id2593983"></a>
-<a class="indexterm" name="id2593990"></a>
+<a class="indexterm" name="id2593970"></a>
+<a class="indexterm" name="id2593977"></a>
+<a class="indexterm" name="id2593984"></a>
+<a class="indexterm" name="id2593991"></a>
<a class="indexterm" name="id2593997"></a>
Every Windows network user account must be translated to a UNIX/Linux user account. In actual fact,
the only account information the UNIX/Linux Samba server needs is a UID. The UID is available either
@@ -534,18 +534,18 @@ Added user jacko
net [&lt;method&gt;] user DELETE &lt;name&gt; [misc. options] [targets]
</pre><p>
The following command will delete the user account <code class="constant">jacko</code>:
-<a class="indexterm" name="id2594175"></a>
+<a class="indexterm" name="id2594176"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc user delete jacko -Uroot%not24get
Deleted user account
</pre><p>
- </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2594201"></a>Managing User Accounts</h3></div></div></div><p>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2594202"></a>Managing User Accounts</h3></div></div></div><p>
Two basic user account operations are routinely used: change of password and querying which groups a user
is a member of. The change of password operation is shown in <a class="link" href="NetCommand.html#sbeuseraddn" title="Adding User Accounts">&#8220;Adding User Accounts&#8221;</a>.
</p><p>
The ability to query Windows group membership can be essential. Here is how a remote server may be
interrogated to find which groups a user is a member of:
-<a class="indexterm" name="id2594224"></a>
+<a class="indexterm" name="id2594225"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc user info jacko -S SAURON -Uroot%not24get
net rpc user info jacko -S SAURON -Uroot%not24get
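Review bot: the unchanged example lines in this hunk, `net rpc user delete jacko -Uroot%not24get` and `net rpc user info jacko -S SAURON -Uroot%not24get`, pass the root password inline after `%`, where it is visible in the process list of every local user and is written to shell history. The same pattern recurs in almost every example of the chapter (`-Uroot%not24get`, `-U administrator%secret`). Since only the anchor ids change here, the examples are carried forward as they are; suggest showing `-U root` without the `%password` part so that `net` prompts for it, and reserving the `%` form for scripts with an explicit warning.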
@@ -558,14 +558,14 @@ Emergency Services
</pre><p>
</p><p>
It is also possible to rename user accounts:
-<a class="indexterm" name="id2594253"></a>oldusername newusername
+<a class="indexterm" name="id2594254"></a>oldusername newusername
Note that this operation does not yet work against Samba Servers. It is, however, possible to rename useraccounts on
Windows Servers.
- </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2594269"></a>User Mapping</h3></div></div></div><p>
-<a class="indexterm" name="id2594277"></a>
-<a class="indexterm" name="id2594284"></a>
-<a class="indexterm" name="id2594291"></a>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2594270"></a>User Mapping</h3></div></div></div><p>
+<a class="indexterm" name="id2594278"></a>
+<a class="indexterm" name="id2594285"></a>
+<a class="indexterm" name="id2594292"></a>
In some situations it is unavoidable that a user's Windows logon name will differ from the login ID
that user has on the Samba server. It is possible to create a special file on the Samba server that
will permit the Windows user name to be mapped to a different UNIX/Linux user name. The <code class="filename">smb.conf</code>
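Review bot: the rename example in this hunk is broken in both the old and the new line: `<a class="indexterm" name="id2594253"></a>oldusername newusername` renders only the two placeholder arguments, with no command name in front of them and no `<pre class="screen">` block around them, so a reader cannot tell what to type. The id bump to `id2594254` leaves this as it is; the DocBook source should be checked for the missing `<screen>` element that the neighbouring examples (for instance `net rpc user delete jacko ...` above) have.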
@@ -582,7 +582,7 @@ marygee: geeringm
<code class="constant">parsonsw</code>, and the Windows user account &#8220;<span class="quote">geeringm</span>&#8221; will be mapped to the
UNIX user <code class="constant">marygee</code>.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2594353"></a>Administering User Rights and Privileges</h2></div></div></div><p>
-<a class="indexterm" name="id2594361"></a>
+<a class="indexterm" name="id2594362"></a>
<a class="indexterm" name="id2594368"></a>
<a class="indexterm" name="id2594375"></a>
<a class="indexterm" name="id2594382"></a>
@@ -592,11 +592,11 @@ marygee: geeringm
problems for some users and was a frequent source of scorn over the necessity to hand out the
credentials for the most security-sensitive account on a UNIX/Linux system.
</p><p>
-<a class="indexterm" name="id2594408"></a>
-<a class="indexterm" name="id2594415"></a>
-<a class="indexterm" name="id2594422"></a>
-<a class="indexterm" name="id2594429"></a>
-<a class="indexterm" name="id2594436"></a>
+<a class="indexterm" name="id2594409"></a>
+<a class="indexterm" name="id2594416"></a>
+<a class="indexterm" name="id2594423"></a>
+<a class="indexterm" name="id2594430"></a>
+<a class="indexterm" name="id2594437"></a>
New to Samba version 3.0.11 is the ability to delegate administrative privileges as necessary to either
a normal user or to groups of users. The significance of the administrative privileges is documented
in <a class="link" href="rights.html" title="Chapter 15. User Rights and Privileges">&#8220;User Rights and Privileges&#8221;</a>. Examples of use of the <code class="literal">net</code> for user rights and privilege
@@ -632,15 +632,15 @@ No privileges assigned
</p><p>
The <code class="literal">net</code> command can be used to obtain the currently supported capabilities for rights
and privileges using this method:
-<a class="indexterm" name="id2594510"></a>
-<a class="indexterm" name="id2594517"></a>
-<a class="indexterm" name="id2594524"></a>
-<a class="indexterm" name="id2594531"></a>
-<a class="indexterm" name="id2594538"></a>
-<a class="indexterm" name="id2594545"></a>
-<a class="indexterm" name="id2594552"></a>
-<a class="indexterm" name="id2594559"></a>
-<a class="indexterm" name="id2594566"></a>
+<a class="indexterm" name="id2594511"></a>
+<a class="indexterm" name="id2594518"></a>
+<a class="indexterm" name="id2594525"></a>
+<a class="indexterm" name="id2594532"></a>
+<a class="indexterm" name="id2594539"></a>
+<a class="indexterm" name="id2594546"></a>
+<a class="indexterm" name="id2594553"></a>
+<a class="indexterm" name="id2594560"></a>
+<a class="indexterm" name="id2594567"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc rights list -U root%not24get
SeMachineAccountPrivilege Add machines to domain
@@ -659,7 +659,7 @@ No privileges assigned
In this example, all rights are assigned to the <code class="constant">Domain Admins</code> group. This is a good
idea since members of this group are generally expected to be all-powerful. This assignment makes that
the reality:
-<a class="indexterm" name="id2594612"></a>
+<a class="indexterm" name="id2594613"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc rights grant "MIDEARTH\Domain Admins" \
SeMachineAccountPrivilege SePrintOperatorPrivilege \
@@ -678,7 +678,7 @@ Successfully granted rights.
</pre><p>
</p><p>
The following step permits validation of the changes just made:
-<a class="indexterm" name="id2594663"></a>
+<a class="indexterm" name="id2594664"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc rights list accounts -U root%not24get
MIDEARTH\jht
@@ -717,12 +717,12 @@ SeDiskOperatorPrivilege
member machines (network clients), the second is between domains (called interdomain trusts). All
Samba servers that participate in domain security require a domain membership trust account, as do like
Windows NT/200x/XP workstations.
- </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2594713"></a>Machine Trust Accounts</h3></div></div></div><p>
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2594714"></a>Machine Trust Accounts</h3></div></div></div><p>
The net command looks in the <code class="filename">smb.conf</code> file to obtain its own configuration settings. Thus, the following
command 'knows' which domain to join from the <code class="filename">smb.conf</code> file.
</p><p>
A Samba server domain trust account can be validated as shown in this example:
-<a class="indexterm" name="id2594740"></a>
+<a class="indexterm" name="id2594741"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc testjoin
Join to 'MIDEARTH' is OK
@@ -735,7 +735,7 @@ Join to domain 'WORLDOCEAN' is not valid
</pre><p>
</p><p>
The equivalent command for joining a Samba server to a Windows ADS domain is shown here:
-<a class="indexterm" name="id2594777"></a>
+<a class="indexterm" name="id2594778"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net ads testjoin
Using short domain name -- TAKEAWAY
@@ -773,7 +773,7 @@ Joined domain MIDEARTH.
Note that the command-line parameter <code class="constant">member</code> makes this join specific. By default
the type is deduced from the <code class="filename">smb.conf</code> file configuration. To specifically join as a PDC or BDC, the
command-line parameter will be <code class="constant">[PDC | BDC]</code>. For example:
-<a class="indexterm" name="id2594907"></a>
+<a class="indexterm" name="id2594908"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc join bdc -S FRODO -Uroot%not24get
Joined domain MIDEARTH.
@@ -781,7 +781,7 @@ Joined domain MIDEARTH.
It is best to let Samba figure out the domain join type from the settings in the <code class="filename">smb.conf</code> file.
</p><p>
The command to join a Samba server to a Windows ADS domain is shown here:
-<a class="indexterm" name="id2594943"></a>
+<a class="indexterm" name="id2594944"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net ads join -UAdministrator%not24get
Using short domain name -- GDANSK
@@ -792,7 +792,7 @@ Joined 'FRANDIMITZ' to realm 'GDANSK.ABMAS.BIZ'
Windows machine is withdrawn from the domain, the domain membership account is not automatically removed
either. Inactive domain member accounts can be removed using any convenient tool. If necessary, the
machine account can be removed using the following <code class="literal">net</code> command:
-<a class="indexterm" name="id2594983"></a>
+<a class="indexterm" name="id2594984"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc user delete HERRING\$ -Uroot%not24get
Deleted user account.
@@ -802,14 +802,14 @@ Deleted user account.
</p><p>
A Samba-3 server that is a Windows ADS domain member can execute the following command to detach from the
domain:
-<a class="indexterm" name="id2595015"></a>
+<a class="indexterm" name="id2595016"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net ads leave
</pre><p>
</p><p>
Detailed information regarding an ADS domain can be obtained by a Samba DMS machine by executing the
following:
-<a class="indexterm" name="id2595043"></a>
+<a class="indexterm" name="id2595044"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net ads status
</pre><p>
@@ -821,7 +821,7 @@ Deleted user account.
access rights and privileges in another domain.
</p><p>
To discover what trust relationships are in effect, execute this command:
-<a class="indexterm" name="id2595097"></a>
+<a class="indexterm" name="id2595098"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc trustdom list -Uroot%not24get
Trusted domains list:
@@ -837,7 +837,7 @@ none
It is necessary to create a trust account in the local domain. A domain controller in a second domain can
create a trusted connection with this account. That means that the foreign domain is being trusted
to access resources in the local domain. This command creates the local trust account:
-<a class="indexterm" name="id2595131"></a>
+<a class="indexterm" name="id2595132"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc trustdom add DAMNATION f00db4r -Uroot%not24get
</pre><p>
@@ -876,7 +876,7 @@ DAMNATION domain controller is not responding
Where a trust account has been created on a foreign domain, Samba is able to establish the trust (connect with)
the foreign account. In the process it creates a one-way trust to the resources on the remote domain. This
command achieves the objective of joining the trust relationship:
-<a class="indexterm" name="id2595226"></a>
+<a class="indexterm" name="id2595227"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc trustdom establish DAMNATION
Password: xxxxxxx == f00db4r
@@ -908,20 +908,20 @@ DAMNATION S-1-5-21-1385457007-882775198-1210191635
</pre><p>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2595316"></a>Managing Security Identifiers (SIDS)</h2></div></div></div><p>
-<a class="indexterm" name="id2595324"></a>
-<a class="indexterm" name="id2595331"></a>
-<a class="indexterm" name="id2595337"></a>
-<a class="indexterm" name="id2595344"></a>
-<a class="indexterm" name="id2595351"></a>
+<a class="indexterm" name="id2595325"></a>
+<a class="indexterm" name="id2595332"></a>
+<a class="indexterm" name="id2595338"></a>
+<a class="indexterm" name="id2595345"></a>
+<a class="indexterm" name="id2595352"></a>
The basic security identifier that is used by all Windows networking operations is the Windows security
identifier (SID). All Windows network machines (servers and workstations), users, and groups are
identified by their respective SID. All desktop profiles are also encoded with user and group SIDs that
are specific to the SID of the domain to which the user belongs.
</p><p>
-<a class="indexterm" name="id2595374"></a>
+<a class="indexterm" name="id2595375"></a>
<a class="indexterm" name="id2595381"></a>
<a class="indexterm" name="id2595388"></a>
-<a class="indexterm" name="id2595394"></a>
+<a class="indexterm" name="id2595395"></a>
It is truly prudent to store the machine and/or domain SID in a file for safekeeping. Why? Because
a change in hostname or in the domain (workgroup) name may result in a change in the SID. When you
have the SID on hand, it is a simple matter to restore it. The alternative is to suffer the pain of
@@ -929,7 +929,7 @@ DAMNATION S-1-5-21-1385457007-882775198-1210191635
</p><p>
First, do not forget to store the local SID in a file. It is a good idea to put this in the directory
in which the <code class="filename">smb.conf</code> file is also stored. Here is a simple action to achieve this:
-<a class="indexterm" name="id2595420"></a>
+<a class="indexterm" name="id2595421"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net getlocalsid &gt; /etc/samba/my-sid
</pre><p>
@@ -945,7 +945,7 @@ SID for domain MERLIN is: S-1-5-21-726309263-4128913605-1168186429
If ever it becomes necessary to restore the SID that has been stored in the <code class="filename">my-sid</code>
file, simply copy the SID (the string of characters that begins with <code class="constant">S-1-5-21</code>) to
the command line shown here:
-<a class="indexterm" name="id2595482"></a>
+<a class="indexterm" name="id2595483"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net setlocalsid S-1-5-21-1385457007-882775198-1210191635
</pre><p>
@@ -956,7 +956,7 @@ SID for domain MERLIN is: S-1-5-21-726309263-4128913605-1168186429
DMS and workstation clients should have their own machine SID to avoid
any potential namespace collision. Here is the way that the BDC SID can be synchronized to that
of the PDC (this is the default NT4 domain practice also):
-<a class="indexterm" name="id2595514"></a>
+<a class="indexterm" name="id2595515"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc getsid -S FRODO -Uroot%not24get
Storing SID S-1-5-21-726309263-4128913605-1168186429 \
@@ -969,7 +969,7 @@ Storing SID S-1-5-21-726309263-4128913605-1168186429 \
</p><div class="itemizedlist"><ul type="disc"><li><p>Creation/change/deletion of shares</p></li><li><p>Setting/changing ACLs on shares</p></li><li><p>Moving shares from one server to another</p></li><li><p>Change of permissions of share contents</p></li></ul></div><p>
Each of these are dealt with here insofar as they involve the use of the <code class="literal">net</code>
command. Operations outside of this command are covered elsewhere in this document.
- </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2595589"></a>Creating, Editing, and Removing Shares</h3></div></div></div><p>
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2595590"></a>Creating, Editing, and Removing Shares</h3></div></div></div><p>
A share can be added using the <code class="literal">net rpc share</code> command capabilities.
The target machine may be local or remote and is specified by the -S option. It must be noted
that the addition and deletion of shares using this tool depends on the availability of a suitable
@@ -982,7 +982,7 @@ Storing SID S-1-5-21-726309263-4128913605-1168186429 \
utility. In the first step a share called <code class="constant">Bulge</code> is added. The sharepoint within the
file system is the directory <code class="filename">/data</code>. The command that can be executed to perform the
addition of this share is shown here:
-<a class="indexterm" name="id2595685"></a>
+<a class="indexterm" name="id2595686"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc share add Bulge=/data -S MERLIN -Uroot%not24get
</pre><p>
@@ -1003,7 +1003,7 @@ ADMIN$
</p><p>
Often it is desirable also to permit a share to be removed using a command-line tool.
The following step permits the share that was previously added to be removed:
-<a class="indexterm" name="id2595737"></a>
+<a class="indexterm" name="id2595738"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc share delete Bulge -S MERLIN -Uroot%not24get
</pre><p>
@@ -1019,7 +1019,7 @@ IPC$
ADMIN$
kyocera
</pre><p>
- </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2595777"></a>Creating and Changing Share ACLs</h3></div></div></div><p>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2595778"></a>Creating and Changing Share ACLs</h3></div></div></div><p>
At this time the <code class="literal">net</code> tool cannot be used to manage ACLs on Samba shares. In MS Windows
language this is called Share Permissions.
</p><p>
@@ -1027,7 +1027,7 @@ kyocera
or using the Computer Management MMC snap-in. Neither is covered here,
but see <a class="link" href="AccessControls.html" title="Chapter 16. File, Directory, and Share Access Controls">&#8220;File, Directory, and Share Access Controls&#8221;</a>.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2595808"></a>Share, Directory, and File Migration</h3></div></div></div><p>
-<a class="indexterm" name="id2595815"></a>
+<a class="indexterm" name="id2595816"></a>
Shares and files can be migrated in the same manner as user, machine, and group accounts.
It is possible to preserve access control settings (ACLs) as well as security settings
throughout the migration process. The <code class="literal">net rpc vampire</code> facility is used
@@ -1091,7 +1091,7 @@ net rpc share MIGRATE SHARES &lt;share-name&gt; -S &lt;source&gt;
When the parameter &lt;share-name&gt; is omitted, all shares will be migrated. The potentially
large list of available shares on the system that is being migrated can be limited using the
<em class="parameter"><code>--exclude</code></em> switch. For example:
-<a class="indexterm" name="id2596031"></a>
+<a class="indexterm" name="id2596032"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc share migrate shares myshare\
-S win2k -U administrator%secret"
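Review bot: the unchanged example in this hunk has an unbalanced double quote: `-S win2k -U administrator%secret"` ends with a `"` that is never opened, and the preceding line ends in `myshare\` with the continuation backslash pressed against the share name. Pasted into a shell, the stray quote leaves the command waiting for a closing `"`. Suggest dropping the trailing quote and putting a space before the backslash; the hunk only renumbers `id2596031` to `id2596032`, so the defect is carried forward.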
@@ -1110,7 +1110,7 @@ net rpc share MIGRATE SHARES &lt;share-name&gt; -S &lt;source&gt;
</pre><p>
The steps taken so far perform only the migration of shares. Directories and directory contents
are not migrated by the steps covered up to this point.
- </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2596114"></a>File and Directory Migration</h4></div></div></div><p>
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2596115"></a>File and Directory Migration</h4></div></div></div><p>
Everything covered to this point has been done in preparation for the migration of file and directory
data. For many people preparation is potentially boring and the real excitement only begins when file
data can be used. The next steps demonstrate the techniques that can be used to transfer (migrate)
@@ -1174,13 +1174,13 @@ net rpc share MIGRATE FILES &lt;share-name&gt; -S &lt;source&gt;
It is possible to have share-ACLs (security descriptors) that won't allow you, even as Administrator, to
copy any files or directories into it. Therefor the migration of the share-ACLs has been put into a separate
function:
-<a class="indexterm" name="id2596340"></a>
+<a class="indexterm" name="id2596341"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc share migrate security -S nt4box -U administrator%secret
</pre><p>
</p><p>
This command will only copy the share-ACL of each share on nt4box to your local samba-system.
- </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2596371"></a>Simultaneous Share and File Migration</h4></div></div></div><p>
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2596372"></a>Simultaneous Share and File Migration</h4></div></div></div><p>
The operating mode shown here is just a combination of the previous three. It first migrates
share definitions and then all shared files and directories and finally migrates the share-ACLs:
</p><pre class="screen">
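Review bot: spelling in the context line `Therefor the migration of the share-ACLs has been put into a separate function`: `Therefor` should be `Therefore`. The hunk only renumbers `id2596340` and `id2596371` and leaves the typo in place.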
@@ -1189,12 +1189,12 @@ net rpc share MIGRATE ALL &lt;share-name&gt; -S &lt;source&gt;
</pre><p>
</p><p>
An example of simultaneous migration is shown here:
-<a class="indexterm" name="id2596396"></a>
+<a class="indexterm" name="id2596397"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net rpc share migrate all -S w2k3server -U administrator%secret
</pre><p>
This will generate a complete server clone of the <em class="parameter"><code>w2k3server</code></em> server.
- </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2596430"></a>Printer Migration</h3></div></div></div><p>
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2596431"></a>Printer Migration</h3></div></div></div><p>
The installation of a new server, as with the migration to a new network environment, often is similar to
building a house; progress is very rapid from the laying of foundations up to the stage at which
the house can be locked up, but the finishing off appears to take longer and longer as building
@@ -1231,7 +1231,7 @@ net rpc share MIGRATE ALL &lt;share-name&gt; -S &lt;source&gt;
</p><p>
Printer migration from a Windows print server (NT4 or 200x) is shown. This instruction causes the
printer share to be created together with the underlying print queue:
-<a class="indexterm" name="id2596571"></a>
+<a class="indexterm" name="id2596572"></a>
</p><pre class="screen">
net rpc printer MIGRATE PRINTERS [printer] [misc. options] [targets]
</pre><p>
@@ -1242,12 +1242,12 @@ net rpc printer MIGRATE PRINTERS [printer] [misc. options] [targets]
net rpc printer MIGRATE DRIVERS [printer] [misc. options] [targets]
</pre><p>
Printer forms can be migrated with the following operation:
-<a class="indexterm" name="id2596611"></a>
+<a class="indexterm" name="id2596612"></a>
</p><pre class="screen">
net rpc printer MIGRATE FORMS [printer] [misc. options] [targets]
</pre><p>
Printer security settings (ACLs) can be migrated from the Windows server to the Samba server using this command:
-<a class="indexterm" name="id2596631"></a>
+<a class="indexterm" name="id2596632"></a>
</p><pre class="screen">
net rpc printer MIGRATE SECURITY [printer] [misc. options] [targets]
</pre><p>
@@ -1267,7 +1267,7 @@ net rpc printer MIGRATE ALL [printer] [misc. options] [targets]
The man page documents the <code class="literal">net file</code> function suite, which provides the tools to
close open files using either RAP or RPC function calls. Please refer to the man page for specific
usage information.
- </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2596706"></a>Session and Connection Management</h2></div></div></div><p>
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2596707"></a>Session and Connection Management</h2></div></div></div><p>
The session management interface of the <code class="literal">net session</code> command uses the old RAP
method to obtain the list of connections to the Samba server, as shown here:
<a class="indexterm" name="id2596722"></a>
@@ -1289,7 +1289,7 @@ Computer User name Client Type Opens Idle time
When Samba-3 is used within an MS Windows ADS environment, printers shared via Samba will not be browseable
until they have been published to the ADS domain. Information regarding published printers may be obtained
from the ADS server by executing the <code class="literal">net ads print info</code> command following this syntax:
-<a class="indexterm" name="id2596790"></a>
+<a class="indexterm" name="id2596791"></a>
</p><pre class="screen">
net ads printer info &lt;printer_name&gt; &lt;server_name&gt; -Uadministrator%secret
</pre><p>
@@ -1297,14 +1297,14 @@ net ads printer info &lt;printer_name&gt; &lt;server_name&gt; -Uadministrator%se
returned.
</p><p>
To publish (make available) a printer to ADS, execute the following command:
-<a class="indexterm" name="id2596816"></a>
+<a class="indexterm" name="id2596817"></a>
</p><pre class="screen">
net ads printer publish &lt;printer_name&gt; -Uadministrator%secret
</pre><p>
This publishes a printer from the local Samba server to ADS.
</p><p>
Removal of a Samba printer from ADS is achieved by executing this command:
-<a class="indexterm" name="id2596841"></a>
+<a class="indexterm" name="id2596842"></a>
</p><pre class="screen">
net ads printer remove &lt;printer_name&gt; -Uadministrator%secret
</pre><p>
@@ -1314,9 +1314,9 @@ net ads printer remove &lt;printer_name&gt; -Uadministrator%secret
</p><pre class="screen">
net ads printer search &lt;printer_name&gt; -Uadministrator%secret
</pre><p>
- </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2596887"></a>Manipulating the Samba Cache</h2></div></div></div><p>
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2596888"></a>Manipulating the Samba Cache</h2></div></div></div><p>
Please refer to the <code class="literal">net</code> command man page for information regarding cache management.
- </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2596905"></a>Managing IDMAP UID/SID Mappings</h2></div></div></div><p>
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2596906"></a>Managing IDMAP UID/SID Mappings</h2></div></div></div><p>
The IDMAP UID to SID, and SID to UID, mappings that are created by <code class="literal">winbindd</code> can be
backed up to a text file. The text file can be manually edited, although it is highly recommended that
you attempt this only if you know precisely what you are doing.
@@ -1337,7 +1337,7 @@ net idmap dump &lt;full_path_and_tdb_filename&gt; &gt; dumpfile.txt
</p><pre class="screen">
net idmap dump /var/lib/samba/winbindd_idmap.tdb &gt; idmap_dump.txt
</pre><p>
- </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2596984"></a>Restoring the IDMAP Database Dump File</h3></div></div></div><p>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2596985"></a>Restoring the IDMAP Database Dump File</h3></div></div></div><p>
The IDMAP dump file can be restored using the following command:
</p><pre class="screen">
net idmap restore &lt;full_path_and_tdb_filename&gt; &lt; dumpfile.txt
@@ -1363,7 +1363,7 @@ Num local groups: 6
</p><p>
Another useful tool is the <code class="literal">net time</code> tool set. This tool may be used to query the
current time on the target server as shown here:
-<a class="indexterm" name="id2597072"></a>
+<a class="indexterm" name="id2597073"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net time -S SAURON
Tue May 17 00:50:43 2005
@@ -1371,13 +1371,13 @@ Tue May 17 00:50:43 2005
In the event that it is the intent to pass the time information obtained to the UNIX
<code class="literal">/bin/time</code>, it is a good idea to obtain the time from the target server in a format
that is ready to be passed through. This may be done by executing:
-<a class="indexterm" name="id2597103"></a>
+<a class="indexterm" name="id2597104"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net time system -S FRODO
051700532005.16
</pre><p>
The time can be set on a target server by executing:
-<a class="indexterm" name="id2597128"></a>
+<a class="indexterm" name="id2597129"></a>
</p><pre class="screen">
<code class="prompt">root# </code> net time set -S MAGGOT -U Administrator%not24get
Tue May 17 00:55:30 MDT 2005
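Review bot: the context line `In the event that it is the intent to pass the time information obtained to the UNIX /bin/time` names the wrong tool: `/bin/time` measures how long a command runs, whereas the `051700532005.16` string printed by `net time system -S FRODO` is the `MMDDhhmmCCYY.ss` argument form that `date(1)` accepts for setting the clock. The hunk only renumbers `id2597103` and `id2597128`; the sentence should refer to `date`.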