--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 12. Remote and Local Management: The Net Command</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.68.1"><link rel="start" href="index.html" title="The Official Samba-3 HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="groupmapping.html" title="Chapter 11. Group Mapping: MS Windows and UNIX"><link rel="next" href="idmapper.html" title="Chapter 13. Identity Mapping (IDMAP)"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 12. Remote and Local Management: The Net Command</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="idmapper.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NetCommand"></a>Chapter 12. Remote and Local Management: The Net Command</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Volker</span> <span class="surname">Lendecke</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:Volker.Lendecke@SerNet.DE">Volker.Lendecke@SerNet.DE</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="surname">Deschner</span></h3><div class="affiliation"><span class="orgname">SuSE<br></span><div class="address"><p><code class="email"><<a href="mailto:gd@suse.de">gd@suse.de</a>></code></p></div></div></div></div><div><p class="pubdate">May 9, 2005</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="NetCommand.html#id2566742">Overview</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2567036">Administrative Tasks and Methods</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2567118">UNIX and Windows Group Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2567276">Adding, Renaming, or Deletion of Group Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#grpmemshipchg">Manipulating Group Memberships</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#nestedgrpmgmgt">Nested Group Support</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2568648">UNIX and Windows User Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#sbeuseraddn">Adding User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2568855">Deletion of User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2568904">Managing User Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2568972">User Mapping</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2569056">Administering User Rights and Privileges</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2569401">Managing Trust Relationships</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2569416">Machine Trust Accounts</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2569785">Interdomain Trusts</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2570019">Managing Security Identifiers (SIDS)</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2570241">Share Management</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2570286">Creating, Editing, and Removing Shares</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2570458">Creating and Changing Share ACLs</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2570488">Share, Directory, and File Migration</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2571112">Printer Migration</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#id2571357">Controlling Open Files</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2571376">Session and Connection Management</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2571443">Printers and ADS</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2571558">Manipulating the Samba Cache</a></span></dt><dt><span class="sect1"><a href="NetCommand.html#id2571576">Managing IDMAP UID/SID Mappings</a></span></dt><dd><dl><dt><span class="sect2"><a href="NetCommand.html#id2571620">Creating an IDMAP Database Dump File</a></span></dt><dt><span class="sect2"><a href="NetCommand.html#id2571655">Restoring the IDMAP Database Dump File</a></span></dt></dl></dd><dt><span class="sect1"><a href="NetCommand.html#netmisc1">Other Miscellaneous Operations</a></span></dt></dl></div><p>
+<a class="indexterm" name="id2566603"></a>
+<a class="indexterm" name="id2566610"></a>
+<a class="indexterm" name="id2566617"></a>
+<a class="indexterm" name="id2566624"></a>
+The <span><strong class="command">net</strong></span> command is one of the new features of Samba-3 and is an attempt to provide a useful
+tool for the majority of remote management operations necessary for common tasks. The <span><strong class="command">net</strong></span>
+tool is flexible by design and is intended for command-line use as well as for scripted control application.
+</p><p>
+<a class="indexterm" name="id2566650"></a>
+<a class="indexterm" name="id2566656"></a>
+<a class="indexterm" name="id2566664"></a>
+<a class="indexterm" name="id2566671"></a>
+Originally introduced with the intent to mimic the Microsoft Windows command that has the same name, the
+<span><strong class="command">net</strong></span> command has morphed into a very powerful instrument that has become an essential part
+of the Samba network administrator's toolbox. The Samba Team has introduced tools, such as
+<span><strong class="command">smbgroupedit</strong></span> and <span><strong class="command">rpcclient</strong></span>, from which really useful capabilities have
+been integrated into the <span><strong class="command">net</strong></span>. The <span><strong class="command">smbgroupedit</strong></span> command was absorbed
+entirely into the <span><strong class="command">net</strong></span>, while only some features of the <span><strong class="command">rpcclient</strong></span> command
+have been ported to it. Anyone who finds older references to these utilities and to the functionality they
+provided should look at the <span><strong class="command">net</strong></span> command before searching elsewhere.
+</p><p>
+A Samba-3 administrator cannot afford to gloss over this chapter because to do so will almost certainly cause
+the infliction of self-induced pain, agony, and desperation. Be warned: this is an important chapter.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2566742"></a>Overview</h2></div></div></div><p>
+<a class="indexterm" name="id2566750"></a>
+<a class="indexterm" name="id2566757"></a>
+<a class="indexterm" name="id2566764"></a>
+<a class="indexterm" name="id2566770"></a>
+<a class="indexterm" name="id2566777"></a>
+<a class="indexterm" name="id2566783"></a>
+ The tasks that follow the installation of a Samba-3 server, whether standalone or domain member, of a
+ domain controller (PDC or BDC) begins with the need to create administrative rights. Of course, the
+ creation of user and group accounts is essential for both a standalone server and a PDC.
+ In the case of a BDC or a Domain Member server (DMS), domain user and group accounts are obtained from
+ the central domain authentication backend.
+ </p><p>
+<a class="indexterm" name="id2566801"></a>
+<a class="indexterm" name="id2566808"></a>
+<a class="indexterm" name="id2566815"></a>
+<a class="indexterm" name="id2566821"></a>
+<a class="indexterm" name="id2566828"></a>
+<a class="indexterm" name="id2566835"></a>
+<a class="indexterm" name="id2566841"></a>
+<a class="indexterm" name="id2566848"></a>
+ Regardless of the type of server being installed, local UNIX groups must be mapped to the Windows
+ networking domain global group accounts. Do you ask why? Because Samba always limits its access to
+ the resources of the host server by way of traditional UNIX UID and GID controls. This means that local
+ groups must be mapped to domain global groups so that domain users who are members of the domain
+ global groups can be given access rights based on UIDs and GIDs local to the server that is hosting
+ Samba. Such mappings are implemented using the <span><strong class="command">net</strong></span> command.
+ </p><p>
+<a class="indexterm" name="id2566873"></a>
+<a class="indexterm" name="id2566880"></a>
+<a class="indexterm" name="id2566886"></a>
+<a class="indexterm" name="id2566893"></a>
+<a class="indexterm" name="id2566900"></a>
+<a class="indexterm" name="id2566907"></a>
+<a class="indexterm" name="id2566914"></a>
+ UNIX systems that are hosting a Samba-3 server that is running as a member (PDC, BDC, or DMS) must have
+ a machine security account in the domain authentication database (or directory). The creation of such
+ security (or trust) accounts is also handled using the <span><strong class="command">net</strong></span> command.
+ </p><p>
+<a class="indexterm" name="id2566934"></a>
+<a class="indexterm" name="id2566941"></a>
+<a class="indexterm" name="id2566947"></a>
+<a class="indexterm" name="id2566954"></a>
+<a class="indexterm" name="id2566961"></a>
+<a class="indexterm" name="id2566968"></a>
+<a class="indexterm" name="id2566975"></a>
+<a class="indexterm" name="id2566982"></a>
+<a class="indexterm" name="id2566989"></a>
+ The establishment of interdomain trusts is achieved using the <span><strong class="command">net</strong></span> command also, as
+ may a plethora of typical administrative duties such as user management, group management, share and
+ printer management, file and printer migration, security identifier management, and so on.
+ </p><p>
+<a class="indexterm" name="id2567009"></a>
+<a class="indexterm" name="id2567016"></a>
+ The overall picture should be clear now: the <span><strong class="command">net</strong></span> command plays a central role
+ on the Samba-3 stage. This role will continue to be developed. The inclusion of this chapter is
+ evidence of its importance, one that has grown in complexity to the point that it is no longer considered
+ prudent to cover its use fully in the online UNIX man pages.
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2567036"></a>Administrative Tasks and Methods</h2></div></div></div><p>
+<a class="indexterm" name="id2567044"></a>
+<a class="indexterm" name="id2567051"></a>
+<a class="indexterm" name="id2567058"></a>
+<a class="indexterm" name="id2567067"></a>
+ The basic operations of the <span><strong class="command">net</strong></span> command are documented here. This documentation is not
+ exhaustive, and thus it is incomplete. Since the primary focus is on migration from Windows servers to a Samba
+ server, the emphasis is on the use of the Distributed Computing Environment Remote Procedure Call (DCE RPC)
+ mode of operation. When used against a server that is a member of an Active Directory domain, it is preferable
+ (and often necessary) to use ADS mode operations. The <span><strong class="command">net</strong></span> command supports both, but not
+ for every operation. For most operations, if the mode is not specified, <span><strong class="command">net</strong></span> will
+ automatically fall back via the <code class="constant">ads</code>, <code class="constant">rpc</code>, and
+ <code class="constant">rap</code> modes. Please refer to the man page for a more comprehensive overview of the
+ capabilities of this utility.
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2567118"></a>UNIX and Windows Group Management</h2></div></div></div><p>
+<a class="indexterm" name="id2567126"></a>
+<a class="indexterm" name="id2567133"></a>
+<a class="indexterm" name="id2567142"></a>
+<a class="indexterm" name="id2567150"></a>
+<a class="indexterm" name="id2567159"></a>
+ As stated, the focus in most of this chapter is on use of the <span><strong class="command">net rpc</strong></span> family of
+ operations that are supported by Samba. Most of them are supported by the <span><strong class="command">net ads</strong></span>
+ mode when used in connection with Active Directory. The <span><strong class="command">net rap</strong></span> operating mode is
+ also supported for some of these operations. RAP protocols are used by IBM OS/2 and by several
+ earlier SMB servers.
+ </p><p>
+<a class="indexterm" name="id2567192"></a>
+<a class="indexterm" name="id2567199"></a>
+<a class="indexterm" name="id2567206"></a>
+ Samba's <span><strong class="command">net</strong></span> tool implements sufficient capability to permit all common administrative
+ tasks to be completed from the command line. In this section each of the essential user and group management
+ facilities are explored.
+ </p><p>
+<a class="indexterm" name="id2567226"></a>
+<a class="indexterm" name="id2567232"></a>
+<a class="indexterm" name="id2567242"></a>
+<a class="indexterm" name="id2567251"></a>
+ Samba-3 recognizes two types of groups: <span class="emphasis"><em>domain groups</em></span> and <span class="emphasis"><em>local
+ groups</em></span>. Domain groups can contain (have as members) only domain user accounts. Local groups
+ can contain local users, domain users, and domain groups as members.
+ </p><p>
+ The purpose of a local group is to permit file permission to be set for a group account that, like the
+ usual UNIX/Linux group, is persistent across redeployment of a Windows file server.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2567276"></a>Adding, Renaming, or Deletion of Group Accounts</h3></div></div></div><p>
+ Samba provides file and print services to Windows clients. The file system resources it makes available
+ to the Windows environment must, of necessity, be provided in a manner that is compatible with the
+ Windows networking environment. UNIX groups are created and deleted as required to serve operational
+ needs in the UNIX operating system and its file systems.
+ </p><p>
+ In order to make available to the Windows environment, Samba has a facility by which UNIX groups can
+ be mapped to a logical entity, called a Windows (or domain) group. Samba supports two types of Windows
+ groups, local and global. Global groups can contain as members, global users. This membership is
+ affected in the normal UNIX manner, but adding UNIX users to UNIX groups. Windows user accounts consist
+ of a mapping between a user SambaSAMAccount (logical entity) and a UNIX user account. Therefore,
+ a UNIX user is mapped to a Windows user (i.e., is given a Windows user account and password) and the
+ UNIX groups to which that user belongs, is mapped to a Windows group account. The result is that in
+ the Windows account environment that user is also a member of the Windows group account by virtue
+ of UNIX group memberships.
+ </p><p>
+ The following sub-sections that deal with management of Windows groups demonstrates the relationship
+ between the UNIX group account and its members to the respective Windows group accounts. It goes on to
+ show how UNIX group members automatically pass-through to Windows group membership as soon as a logical
+ mapping has been created.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2567333"></a>Adding or Creating a New Group</h4></div></div></div><p>
+ Before attempting to add a Windows group account, the currently available groups can be listed as shown
+ here:
+<a class="indexterm" name="id2567343"></a>
+<a class="indexterm" name="id2567354"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc group list -Uroot%not24get
+Password:
+Domain Admins
+Domain Users
+Domain Guests
+Print Operators
+Backup Operators
+Replicator
+Domain Computers
+Engineers
+</pre><p>
+ </p><p>
+ A Windows group account called “<span class="quote">SupportEngrs</span>” can be added by executing the following
+command:
+<a class="indexterm" name="id2567390"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc group add "SupportEngrs" -Uroot%not24get
+</pre><p>
+ The addition will result in immediate availability of the new group account as validated by executing
+this command:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc group list -Uroot%not24get
+Password:
+Domain Admins
+Domain Users
+Domain Guests
+Print Operators
+Backup Operators
+Replicator
+Domain Computers
+Engineers
+SupportEngrs
+</pre><p>
+ </p><p>
+<a class="indexterm" name="id2567433"></a>
+<a class="indexterm" name="id2567440"></a>
+<a class="indexterm" name="id2567446"></a>
+ The following demonstrates that the POSIX (UNIX/Linux system account) group has been created by calling
+ the <a class="indexterm" name="id2567455"></a>add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g" interface
+ script:
+</p><pre class="screen">
+<code class="prompt">root# </code> getent group
+...
+Domain Admins:x:512:root
+Domain Users:x:513:jht,lct,ajt,met
+Domain Guests:x:514:
+Print Operators:x:550:
+Backup Operators:x:551:
+Replicator:x:552:
+Domain Computers:x:553:
+Engineers:x:1002:jht
+SupportEngrs:x:1003:
+</pre><p>
+ The following demonstrates that the use of the <span><strong class="command">net</strong></span> command to add a group account
+results in immediate mapping of the POSIX group that has been created to the Windows group account as shown
+here:
+<a class="indexterm" name="id2567488"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net groupmap list
+Domain Admins (S-1-5-21-72630-4128915-11681869-512) -> Domain Admins
+Domain Users (S-1-5-21-72630-4128915-11681869-513) -> Domain Users
+Domain Guests (S-1-5-21-72630-4128915-11681869-514) -> Domain Guests
+Print Operators (S-1-5-21-72630-4128915-11681869-550) -> Print Operators
+Backup Operators (S-1-5-21-72630-4128915-11681869-551) -> Backup Operators
+Replicator (S-1-5-21-72630-4128915-11681869-552) -> Replicator
+Domain Computers (S-1-5-21-72630-4128915-11681869-553) -> Domain Computers
+Engineers (S-1-5-21-72630-4128915-11681869-3005) -> Engineers
+SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs
+</pre><p>
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2567529"></a>Mapping Windows Groups to UNIX Groups</h4></div></div></div><p>
+<a class="indexterm" name="id2567538"></a>
+<a class="indexterm" name="id2567544"></a>
+<a class="indexterm" name="id2567551"></a>
+<a class="indexterm" name="id2567558"></a>
+ Windows groups must be mapped to UNIX system (POSIX) groups so that file system access controls
+ can be asserted in a manner that is consistent with the methods appropriate to the operating
+ system that is hosting the Samba server.
+ </p><p>
+<a class="indexterm" name="id2567572"></a>
+<a class="indexterm" name="id2567579"></a>
+<a class="indexterm" name="id2567586"></a>
+<a class="indexterm" name="id2567592"></a>
+ All file system (file and directory) access controls, within the file system of a UNIX/Linux server that is
+ hosting a Samba server, are implemented using a UID/GID identity tuple. Samba does not in any way override
+ or replace UNIX file system semantics. Thus it is necessary that all Windows networking operations that
+ access the file system provide a mechanism that maps a Windows user to a particular UNIX/Linux group
+ account. The user account must also map to a locally known UID. Note that the <span><strong class="command">net</strong></span>
+ command does not call any RPC-functions here but directly accesses the passdb.
+ </p><p>
+<a class="indexterm" name="id2567618"></a>
+<a class="indexterm" name="id2567625"></a>
+<a class="indexterm" name="id2567632"></a>
+<a class="indexterm" name="id2567639"></a>
+<a class="indexterm" name="id2567646"></a>
+<a class="indexterm" name="id2567653"></a>
+<a class="indexterm" name="id2567660"></a>
+ Samba depends on default mappings for the <code class="constant">Domain Admins, Domain Users</code>, and
+ <code class="constant">Domain Guests</code> global groups. Additional groups may be added as shown in the
+ examples just given. There are times when it is necessary to map an existing UNIX group account
+ to a Windows group. This operation, in effect, creates a Windows group account as a consequence
+ of creation of the mapping.
+ </p><p>
+<a class="indexterm" name="id2567683"></a>
+<a class="indexterm" name="id2567694"></a>
+<a class="indexterm" name="id2567705"></a>
+ The operations that are permitted include: <code class="constant">add</code>, <code class="constant">modify</code>,
+ and <code class="constant">delete</code>. An example of each operation is shown here.
+ </p><p>
+ An existing UNIX group may be mapped to an existing Windows group by this example:
+</p><pre class="screen">
+<code class="prompt">root# </code> net groupmap modify ntgroup="Domain Users" unixgroup=users
+</pre><p>
+ An existing UNIX group may be mapped to a new Windows group as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> net groupmap add ntgroup="EliteEngrs" unixgroup=Engineers type=d
+</pre><p>
+ Supported mapping types are 'd' (domain global) and 'l' (domain local).
+ A Windows group may be deleted, and then a new Windows group can be mapped to the UNIX group by
+ executing these commands:
+</p><pre class="screen">
+<code class="prompt">root# </code> net groupmap delete ntgroup=Engineers
+<code class="prompt">root# </code> net groupmap add ntgroup=EngineDrivers unixgroup=Engineers type=d
+</pre><p>
+ The deletion and addition operations affected only the logical entities known as Windows groups, or domain
+ groups. These operations are inert to UNIX system groups, meaning that they neither delete nor create UNIX
+ system groups. The mapping of a UNIX group to a Windows group makes the UNIX group available as Windows
+ groups so that files and folders on domain member clients (workstations and servers) can be given
+ domain-wide access controls for domain users and groups.
+ </p><p>
+ Two types of Windows groups can be created: <code class="constant">domain (global)</code> and <code class="constant">local</code>.
+ In the previous examples the Windows groups created were of type <code class="constant">domain</code> or global. The
+ following command will create a Windows group of type <code class="constant">local</code>.
+</p><pre class="screen">
+<code class="prompt">root# </code> net groupmap add ntgroup=Pixies unixgroup=pixies type=l
+</pre><p>
+ Supported mapping types are 'd' (domain global) and 'l' (domain local), a domain local group in Samba is
+ treated as local to the individual Samba server. Local groups can be used with Samba to enable multiple
+ nested group support.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2567831"></a>Deleting a Group Account</h4></div></div></div><p>
+<a class="indexterm" name="id2567839"></a>
+ A group account may be deleted by executing the following command:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc group delete SupportEngineers -Uroot%not24get
+</pre><p>
+ </p><p>
+ Validation of the deletion is advisable. The same commands may be executed as shown above.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2567871"></a>Rename Group Accounts</h4></div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ This command is not documented in the man pages; it is implemented in the source code, but it does not
+ work at this time. The example given documents, from the source code, how it should work. Watch the
+ release notes of a future release to see when this may have been fixed.
+ </p></div><p>
+ Sometimes it is necessary to rename a group account. Good administrators know how painful some managers'
+ demands can be if this simple request is ignored. The following command demonstrates how the Windows group
+ “<span class="quote">SupportEngrs</span>” can be renamed to “<span class="quote">CustomerSupport</span>”:
+<a class="indexterm" name="id2567899"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc group rename SupportEngrs \
+ CustomerSupport -Uroot%not24get
+</pre><p>
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="grpmemshipchg"></a>Manipulating Group Memberships</h3></div></div></div><p>
+ Three operations can be performed regarding group membership. It is possible to (1) add Windows users
+ to a Windows group, to (2) delete Windows users from Windows groups, and to (3) list the Windows users that are
+ members of a Windows group.
+ </p><p>
+ To avoid confusion, it makes sense to check group membership before attempting to make any changes.
+ The <span><strong class="command">getent group</strong></span> will list UNIX/Linux group membership. UNIX/Linux group members are
+ seen also as members of a Windows group that has been mapped using the <span><strong class="command">net groupmap</strong></span>
+ command (see <a href="groupmapping.html" title="Chapter 11. Group Mapping: MS Windows and UNIX">???</a>). The following list of UNIX/Linux group membership shows
+ that the user <code class="constant">ajt</code> is a member of the UNIX/Linux group <code class="constant">Engineers</code>.
+</p><pre class="screen">
+<code class="prompt">root# </code> getent group
+...
+Domain Admins:x:512:root
+Domain Users:x:513:jht,lct,ajt,met,vlendecke
+Domain Guests:x:514:
+Print Operators:x:550:
+Backup Operators:x:551:
+Replicator:x:552:
+Domain Computers:x:553:
+Engineers:x:1000:jht,ajt
+</pre><p>
+ The UNIX/Linux groups have been mapped to Windows groups, as is shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> net groupmap list
+Domain Admins (S-1-5-21-72630-412605-116429-512) -> Domain Admins
+Domain Users (S-1-5-21-72630-412605-116429-513) -> Domain Users
+Domain Guests (S-1-5-21-72630-412605-116429-514) -> Domain Guests
+Print Operators (S-1-5-21-72630-412605-116429-550) -> Print Operators
+Backup Operators (S-1-5-21-72630-412605-116429-551) -> Backup Operators
+Replicator (S-1-5-21-72630-412605-116429-552) -> Replicator
+Domain Computers (S-1-5-21-72630-412605-116429-553) -> Domain Computers
+Engineers (S-1-5-21-72630-412605-116429-3001) -> Engineers
+</pre><p>
+ </p><p>
+ Given that the user <code class="constant">ajt</code> is already a member of the UNIX/Linux group and, via the
+ group mapping, a member of the Windows group, an attempt to add this account again should fail. This is
+ demonstrated here:
+<a class="indexterm" name="id2568031"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot%not24get
+Could not add ajt to MIDEARTH\Engineers: NT_STATUS_MEMBER_IN_GROUP
+</pre><p>
+ This shows that the group mapping between UNIX/Linux groups and Windows groups is effective and
+ transparent.
+ </p><p>
+ To permit the user <code class="constant">ajt</code> to be added using the <span><strong class="command">net rpc group</strong></span> utility,
+ this account must first be removed. The removal and confirmation of its effect is shown here:
+<a class="indexterm" name="id2568073"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc group delmem "MIDEARTH\Engineers" ajt -Uroot%not24get
+<code class="prompt">root# </code> getent group Engineers
+Engineers:x:1000:jht
+<code class="prompt">root# </code> net rpc group members Engineers -Uroot%not24get
+MIDEARTH\jht
+</pre><p>
+ In this example both at the UNIX/Linux system level, the group no longer has the <code class="constant">ajt</code>
+ as a member. The above also shows this to be the case for Windows group membership.
+ </p><p>
+ The account is now added again, using the <span><strong class="command">net rpc group</strong></span> utility:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot%not24get
+<code class="prompt">root# </code> getent group Engineers
+Engineers:x:1000:jht,ajt
+<code class="prompt">root# </code> net rpc group members Engineers -Uroot%not24get
+MIDEARTH\jht
+MIDEARTH\ajt
+</pre><p>
+ </p><p>
+ In this example the members of the Windows <code class="constant">Domain Users</code> account are validated using
+ the <span><strong class="command">net rpc group</strong></span> utility. Note the this contents of the UNIX/Linux group was shown
+ four paragraphs earlier. The Windows (domain) group membership is shown here:
+<a class="indexterm" name="id2568170"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc group members "Domain Users" -Uroot%not24get
+MIDEARTH\jht
+MIDEARTH\lct
+MIDEARTH\ajt
+MIDEARTH\met
+MIDEARTH\vlendecke
+</pre><p>
+ This express example shows that Windows group names are treated by Samba (as with
+ MS Windows) in a case-insensitive manner:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc group members "DomAiN USerS" -Uroot%not24get
+MIDEARTH\jht
+MIDEARTH\lct
+MIDEARTH\ajt
+MIDEARTH\met
+MIDEARTH\vlendecke
+</pre><p>
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ An attempt to specify the group name as <code class="constant">MIDEARTH\Domain Users</code> in place of
+ just simply <code class="constant">Domain Users</code> will fail. The default behavior of the net rpc group
+ is to direct the command at the local machine. The Windows group is treated as being local to the machine.
+ If it is necessary to query another machine, its name can be specified using the <code class="constant">-S
+ servername</code> parameter to the <span><strong class="command">net</strong></span> command.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="nestedgrpmgmgt"></a>Nested Group Support</h3></div></div></div><p>
+ It is possible in Windows (and now in Samba also) to create a local group that has members (contains),
+ domain users, and domain global groups. Creation of the local group <code class="constant">demo</code> is
+ achieved by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc group add demo -L -S MORDON -Uroot%not24get
+</pre><p>
+ The -L switch means create a local group. Use the -S argument to direct the operation to a particular
+ server. The parameters to the -U argument should be for a user who has appropriate administrative right
+ and privileges on the machine.
+ </p><p>
+ Addition and removal of group members can be achieved using the <code class="constant">addmem</code> and
+ <code class="constant">delmem</code> subcommands of <span><strong class="command">net rpc group</strong></span> command. For example,
+ addition of “<span class="quote">DOM\Domain Users</span>” to the local group <code class="constant">demo</code> would be
+ done by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc group addmem demo "DOM\Domain Users" -Uroot%not24get
+</pre><p>
+ </p><p>
+ The members of a nested group can be listed by executing the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc group members demo -Uroot%not24get
+DOM\Domain Users
+DOM\Engineers
+DOM\jamesf
+DOM\jht
+</pre><p>
+ </p><p>
+ Nested group members can be removed (deleted) as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc group delmem demo "DOM\jht" -Uroot%not24get
+</pre><p>
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2568350"></a>Managing Nest Groups on Workstations from the Samba Server</h4></div></div></div><p>
+ Windows network administrators often ask on the Samba mailing list how it is possible to grant everyone
+ administrative rights on their own workstation. This is of course a very bad practice, but commonly done
+ to avoid user complaints. Here is how it can be done remotely from a Samba PDC or BDC:
+<a class="indexterm" name="id2568364"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc group addmem "Administrators" "Domain Users" \
+ -S WINPC032 -Uadministrator%secret
+</pre><p>
+ </p><p>
+ This can be scripted, and can therefore be performed as a user logs onto the domain from a Windows
+ workstation. Here is a simple example that shows how this can be done.
+ </p><div class="procedure"><a name="id2568396"></a><p class="title"><b>Procedure 12.1. Automating User Addition to the Workstation Power Users Group</b></p><div class="example"><a name="autopoweruserscript"></a><p class="title"><b>Example 12.1. Script to Auto-add Domain Users to Workstation Power Users Group</b></p><pre class="screen">
+#!/bin/bash
+
+/usr/bin/net rpc group addmem "Power Users" "DOMAIN_NAME\$1" \
+ -UAdministrator%secret -S $2
+
+exit 0
+</pre></div><div class="example"><a name="magicnetlogon"></a><p class="title"><b>Example 12.2. A Magic Netlogon Share</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2568552"></a><em class="parameter"><code>comment = Netlogon Share</code></em></td></tr><tr><td><a class="indexterm" name="id2568564"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2568577"></a><em class="parameter"><code>root preexec = /etc/samba/scripts/autopoweruser.sh %U %m</code></em></td></tr><tr><td><a class="indexterm" name="id2568590"></a><em class="parameter"><code>read only = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2568603"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div><ol type="1"><li><p>
+ Create the script shown in <a href="NetCommand.html#autopoweruserscript" title="Example 12.1. Script to Auto-add Domain Users to Workstation Power Users Group">???</a> and locate it in
+ the directory <code class="filename">/etc/samba/scripts</code>, named as <code class="filename">autopoweruser.sh</code>.
+<a class="indexterm" name="id2568427"></a>
+<a class="indexterm" name="id2568439"></a>
+<a class="indexterm" name="id2568446"></a>
+ </p></li><li><p>
+ Set the permissions on this script to permit it to be executed as part of the logon process:
+</p><pre class="screen">
+<code class="prompt">root# </code> chown root:root /etc/samba/autopoweruser.sh
+<code class="prompt">root# </code> chmod 755 /etc/samba/autopoweruser.sh
+</pre><p>
+ </p></li><li><p>
+ Modify the <code class="filename">smb.conf</code> file so the <code class="literal">NETLOGON</code> stanza contains the parameters
+ shown in <a href="NetCommand.html#magicnetlogon" title="Example 12.2. A Magic Netlogon Share">the Netlogon Example smb.conf file</a>.
+ </p></li><li><p>
+ Ensure that every Windows workstation Administrator account has the same password that you
+ have used in the script shown in <a href="NetCommand.html#magicnetlogon" title="Example 12.2. A Magic Netlogon Share">the Netlogon Example smb.conf
+ file</a>
+ </p></li></ol></div><p>
+ This script will be executed every time a user logs on to the network. Therefore every user will
+ have local Windows workstation management rights. This could of course be assigned using a group,
+ in which case there is little justification for the use of this procedure. The key justification
+ for the use of this method is that it will guarantee that all users have appropriate rights on
+ the workstation.
+ </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2568648"></a>UNIX and Windows User Management</h2></div></div></div><p>
+<a class="indexterm" name="id2568656"></a>
+<a class="indexterm" name="id2568663"></a>
+<a class="indexterm" name="id2568670"></a>
+<a class="indexterm" name="id2568676"></a>
+<a class="indexterm" name="id2568683"></a>
+<a class="indexterm" name="id2568690"></a>
+<a class="indexterm" name="id2568697"></a>
+<a class="indexterm" name="id2568704"></a>
+ Every Windows network user account must be translated to a UNIX/Linux user account. In actual fact,
+ the only account information the UNIX/Linux Samba server needs is a UID. The UID is available either
+ from a system (POSIX) account or from a pool (range) of UID numbers that is set aside for the purpose
+ of being allocated for use by Windows user accounts. In the case of the UID pool, the UID for a
+ particular user will be allocated by <span><strong class="command">winbindd</strong></span>.
+ </p><p>
+ Although this is not the appropriate place to discuss the <a class="indexterm" name="id2568728"></a>username map facility,
+ this interface is an important method of mapping a Windows user account to a UNIX account that has a
+ different name. Refer to the man page for the <code class="filename">smb.conf</code> file for more information regarding this
+ facility. User name mappings cannot be managed using the <span><strong class="command">net</strong></span> utility.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="sbeuseraddn"></a>Adding User Accounts</h3></div></div></div><p>
+ The syntax for adding a user account via the <span><strong class="command">net</strong></span> (according to the man page) is shown
+ here:
+</p><pre class="screen">
+net [<method>] user ADD <name> [-c container] [-F user flags] \
+ [misc. options] [targets]
+</pre><p>
+ The user account password may be set using this syntax:
+</p><pre class="screen">
+net rpc password <username> [<password>] -Uadmin_username%admin_pass
+</pre><p>
+ </p><p>
+ The following demonstrates the addition of an account to the server <code class="constant">FRODO</code>:
+<a class="indexterm" name="id2568797"></a>
+<a class="indexterm" name="id2568808"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc user add jacko -S FRODO -Uroot%not24get
+Added user jacko
+</pre><p>
+ The account password can be set with the following methods (all show the same operation):
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc password jacko f4sth0rse -S FRODO -Uroot%not24get
+<code class="prompt">root# </code> net rpc user password jacko f4sth0rse \
+ -S FRODO -Uroot%not24get
+</pre><p>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2568855"></a>Deletion of User Accounts</h3></div></div></div><p>
+ Deletion of a user account can be done using the following syntax:
+</p><pre class="screen">
+net [<method>] user DELETE <name> [misc. options] [targets]
+</pre><p>
+ The following command will delete the user account <code class="constant">jacko</code>:
+<a class="indexterm" name="id2568878"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc user delete jacko -Uroot%not24get
+Deleted user account
+</pre><p>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2568904"></a>Managing User Accounts</h3></div></div></div><p>
+ Two basic user account operations are routinely used: change of password and querying which groups a user
+ is a member of. The change of password operation is shown in <a href="NetCommand.html#sbeuseraddn" title="Adding User Accounts">???</a>.
+ </p><p>
+ The ability to query Windows group membership can be essential. Here is how a remote server may be
+ interrogated to find which groups a user is a member of:
+<a class="indexterm" name="id2568927"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc user info jacko -S SAURON -Uroot%not24get
+net rpc user info jacko -S SAURON -Uroot%not24get
+Domain Users
+Domain Admins
+Engineers
+TorridGroup
+BOP Shop
+Emergency Services
+</pre><p>
+ </p><p>
+ It is also possible to rename user accounts:
+<a class="indexterm" name="id2568956"></a>oldusername newusername
+ Note that this operation does not yet work against Samba Servers. It is, however, possible to rename useraccounts on
+ Windows Servers.
+
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2568972"></a>User Mapping</h3></div></div></div><p>
+<a class="indexterm" name="id2568980"></a>
+<a class="indexterm" name="id2568987"></a>
+<a class="indexterm" name="id2568994"></a>
+ In some situations it is unavoidable that a user's Windows logon name will differ from the login ID
+ that user has on the Samba server. It is possible to create a special file on the Samba server that
+ will permit the Windows user name to be mapped to a different UNIX/Linux user name. The <code class="filename">smb.conf</code>
+ file must also be amended so that the <code class="constant">[global]</code> stanza contains the parameter:
+</p><pre class="screen">
+username map = /etc/samba/smbusers
+</pre><p>
+ The content of the <code class="filename">/etc/samba/smbusers</code> file is shown here:
+</p><pre class="screen">
+parsonsw: "William Parsons"
+marygee: geeringm
+</pre><p>
+ In this example the Windows user account “<span class="quote">William Parsons</span>” will be mapped to the UNIX user
+ <code class="constant">parsonsw</code>, and the Windows user account “<span class="quote">geeringm</span>” will be mapped to the
+ UNIX user <code class="constant">marygee</code>.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2569056"></a>Administering User Rights and Privileges</h2></div></div></div><p>
+<a class="indexterm" name="id2569064"></a>
+<a class="indexterm" name="id2569071"></a>
+<a class="indexterm" name="id2569078"></a>
+<a class="indexterm" name="id2569085"></a>
+<a class="indexterm" name="id2569092"></a>
+ With all versions of Samba earlier than 3.0.11 the only account on a Samba server that could
+ manage users, groups, shares, printers, and such was the <code class="constant">root</code> account. This caused
+ problems for some users and was a frequent source of scorn over the necessity to hand out the
+ credentials for the most security-sensitive account on a UNIX/Linux system.
+ </p><p>
+<a class="indexterm" name="id2569112"></a>
+<a class="indexterm" name="id2569119"></a>
+<a class="indexterm" name="id2569126"></a>
+<a class="indexterm" name="id2569133"></a>
+<a class="indexterm" name="id2569140"></a>
+ New to Samba version 3.0.11 is the ability to delegate administrative privileges as necessary to either
+ a normal user or to groups of users. The significance of the administrative privileges is documented
+ in <a href="rights.html" title="Chapter 14. User Rights and Privileges">???</a>. Examples of use of the <span><strong class="command">net</strong></span> for user rights and privilege
+ management is appropriate to this chapter.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ When user rights and privileges are correctly set, there is no longer a need for a Windows
+ network account for the <code class="constant">root</code> user (nor for any synonym of it) with a UNIX UID=0.
+ Initial user rights and privileges can be assigned by any account that is a member of the <code class="constant">
+ Domain Admins</code> group. Rights can be assigned to user as well as group accounts.
+ </p></div><p>
+ By default, no privileges and rights are assigned. This is demonstrated by executing the command
+ shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc rights list accounts -U root%not24get
+BUILTIN\Print Operators
+No privileges assigned
+
+BUILTIN\Account Operators
+No privileges assigned
+
+BUILTIN\Backup Operators
+No privileges assigned
+
+BUILTIN\Server Operators
+No privileges assigned
+
+BUILTIN\Administrators
+No privileges assigned
+
+Everyone
+No privileges assigned
+</pre><p>
+ </p><p>
+ The <span><strong class="command">net</strong></span> command can be used to obtain the currently supported capabilities for rights
+ and privileges using this method:
+<a class="indexterm" name="id2569213"></a>
+<a class="indexterm" name="id2569220"></a>
+<a class="indexterm" name="id2569228"></a>
+<a class="indexterm" name="id2569234"></a>
+<a class="indexterm" name="id2569242"></a>
+<a class="indexterm" name="id2569249"></a>
+<a class="indexterm" name="id2569256"></a>
+<a class="indexterm" name="id2569262"></a>
+<a class="indexterm" name="id2569270"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc rights list -U root%not24get
+ SeMachineAccountPrivilege Add machines to domain
+ SePrintOperatorPrivilege Manage printers
+ SeAddUsersPrivilege Add users and groups to the domain
+ SeRemoteShutdownPrivilege Force shutdown from a remote system
+ SeDiskOperatorPrivilege Manage disk shares
+ SeBackupPrivilege Back up files and directories
+ SeRestorePrivilege Restore files and directories
+ SeTakeOwnershipPrivilege Take ownership of files or other objects
+</pre><p>
+ Machine account privilege is necessary to permit a Windows NT4 or later network client to be added to the
+ domain. The disk operator privilege is necessary to permit the user to manage share ACLs and file and
+ directory ACLs for objects not owned by the user.
+ </p><p>
+ In this example, all rights are assigned to the <code class="constant">Domain Admins</code> group. This is a good
+ idea since members of this group are generally expected to be all-powerful. This assignment makes that
+ the reality:
+<a class="indexterm" name="id2569316"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc rights grant "MIDEARTH\Domain Admins" \
+ SeMachineAccountPrivilege SePrintOperatorPrivilege \
+ SeAddUsersPrivilege SeRemoteShutdownPrivilege \
+ SeDiskOperatorPrivilege -U root%not24get
+Successfully granted rights.
+</pre><p>
+ Next, the domain user <code class="constant">jht</code> is given the privileges needed for day-to-day
+ administration:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc rights grant "MIDEARTH\jht" \
+ SeMachineAccountPrivilege SePrintOperatorPrivilege \
+ SeAddUsersPrivilege SeDiskOperatorPrivilege \
+ -U root%not24get
+Successfully granted rights.
+</pre><p>
+ </p><p>
+ The following step permits validation of the changes just made:
+<a class="indexterm" name="id2569367"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc rights list accounts -U root%not24get
+MIDEARTH\jht
+SeMachineAccountPrivilege
+SePrintOperatorPrivilege
+SeAddUsersPrivilege
+SeDiskOperatorPrivilege
+
+BUILTIN\Print Operators
+No privileges assigned
+
+BUILTIN\Account Operators
+No privileges assigned
+
+BUILTIN\Backup Operators
+No privileges assigned
+
+BUILTIN\Server Operators
+No privileges assigned
+
+BUILTIN\Administrators
+No privileges assigned
+
+Everyone
+No privileges assigned
+
+MIDEARTH\Domain Admins
+SeMachineAccountPrivilege
+SePrintOperatorPrivilege
+SeAddUsersPrivilege
+SeRemoteShutdownPrivilege
+SeDiskOperatorPrivilege
+</pre><p>
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2569401"></a>Managing Trust Relationships</h2></div></div></div><p>
+ There are essentially two types of trust relationships: the first is between domain controllers and domain
+ member machines (network clients), the second is between domains (called interdomain trusts). All
+ Samba servers that participate in domain security require a domain membership trust account, as do like
+ Windows NT/200x/XP workstations.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2569416"></a>Machine Trust Accounts</h3></div></div></div><p>
+ The net command looks in the <code class="filename">smb.conf</code> file to obtain its own configuration settings. Thus, the following
+ command 'knows' which domain to join from the <code class="filename">smb.conf</code> file.
+ </p><p>
+ A Samba server domain trust account can be validated as shown in this example:
+<a class="indexterm" name="id2569444"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc testjoin
+Join to 'MIDEARTH' is OK
+</pre><p>
+ Where there is no domain membership account, or when the account credentials are not valid, the following
+ results will be observed:
+</p><pre class="screen">
+net rpc testjoin -S DOLPHIN
+Join to domain 'WORLDOCEAN' is not valid
+</pre><p>
+ </p><p>
+ The equivalent command for joining a Samba server to a Windows ADS domain is shown here:
+<a class="indexterm" name="id2569481"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net ads testjoin
+Using short domain name -- TAKEAWAY
+Joined 'LEMONADE' to realm 'TAKEAWAY.BIZ'
+</pre><p>
+ In the event that the ADS trust was not established, or is broken for one reason or another, the following
+ error message may be obtained:
+</p><pre class="screen">
+<code class="prompt">root# </code> net ads testjoin -UAdministrator%secret
+Join to domain is not valid
+</pre><p>
+ </p><p>
+ The following demonstrates the process of creating a machine trust account in the target domain for the
+ Samba server from which the command is executed:
+<a class="indexterm" name="id2569526"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc join -S FRODO -Uroot%not24get
+Joined domain MIDEARTH.
+</pre><p>
+ The joining of a Samba server to a Samba domain results in the creation of a machine account. An example
+ of this is shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> pdbedit -Lw merlin\$
+merlin$:1009:9B4489D6B90461FD6A3EC3AB96147E16:\
+176D8C554E99914BDF3407DEA2231D80:[S ]:LCT-42891919:
+</pre><p>
+ The S in the square brackets means this is a server (PDC/BDC) account. The domain join can be cast to join
+ purely as a workstation, in which case the S is replaced with a W (indicating a workstation account). The
+ following command can be used to affect this:
+<a class="indexterm" name="id2569570"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc join member -S FRODO -Uroot%not24get
+Joined domain MIDEARTH.
+</pre><p>
+ Note that the command-line parameter <code class="constant">member</code> makes this join specific. By default
+ the type is deduced from the <code class="filename">smb.conf</code> file configuration. To specifically join as a PDC or BDC, the
+ command-line parameter will be <code class="constant">[PDC | BDC]</code>. For example:
+<a class="indexterm" name="id2569611"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc join bdc -S FRODO -Uroot%not24get
+Joined domain MIDEARTH.
+</pre><p>
+ It is best to let Samba figure out the domain join type from the settings in the <code class="filename">smb.conf</code> file.
+ </p><p>
+ The command to join a Samba server to a Windows ADS domain is shown here:
+<a class="indexterm" name="id2569647"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net ads join -UAdministrator%not24get
+Using short domain name -- GDANSK
+Joined 'FRANDIMITZ' to realm 'GDANSK.ABMAS.BIZ'
+</pre><p>
+ </p><p>
+ There is no specific option to remove a machine account from an NT4 domain. When a domain member that is a
+ Windows machine is withdrawn from the domain, the domain membership account is not automatically removed
+ either. Inactive domain member accounts can be removed using any convenient tool. If necessary, the
+ machine account can be removed using the following <span><strong class="command">net</strong></span> command:
+<a class="indexterm" name="id2569686"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc user delete HERRING\$ -Uroot%not24get
+Deleted user account.
+</pre><p>
+ The removal is made possible because machine accounts are just like user accounts with a trailing $
+ character. The account management operations treat user and machine accounts in like manner.
+ </p><p>
+ A Samba-3 server that is a Windows ADS domain member can execute the following command to detach from the
+ domain:
+<a class="indexterm" name="id2569719"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net ads leave
+</pre><p>
+ </p><p>
+ Detailed information regarding an ADS domain can be obtained by a Samba DMS machine by executing the
+ following:
+<a class="indexterm" name="id2569747"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net ads status
+</pre><p>
+ The volume of information is extensive. Please refer to the book “<span class="quote">Samba-3 by Example</span>”,
+ Chapter 7 for more information regarding its use. This book may be obtained either in print or online from
+ the <a href="http://www.samba.org/samba/docs/Samba3-ByExample.pdf" target="_top">Samba-3 by Example</a>.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2569785"></a>Interdomain Trusts</h3></div></div></div><p>
+ Interdomain trust relationships form the primary mechanism by which users from one domain can be granted
+ access rights and privileges in another domain.
+ </p><p>
+ To discover what trust relationships are in effect, execute this command:
+<a class="indexterm" name="id2569801"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc trustdom list -Uroot%not24get
+Trusted domains list:
+
+none
+
+Trusting domains list:
+
+none
+</pre><p>
+ There are no interdomain trusts at this time; the following steps will create them.
+ </p><p>
+ It is necessary to create a trust account in the local domain. A domain controller in a second domain can
+ create a trusted connection with this account. That means that the foreign domain is being trusted
+ to access resources in the local domain. This command creates the local trust account:
+<a class="indexterm" name="id2569835"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc trustdom add DAMNATION f00db4r -Uroot%not24get
+</pre><p>
+ The account can be revealed by using the <span><strong class="command">pdbedit</strong></span> as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> pdbedit -Lw DAMNATION\$
+DAMNATION$:1016:9AC1F121DF897688AAD3B435B51404EE: \
+7F845808B91BB9F7FEF44B247D9DC9A6:[I ]:LCT-428934B1:
+</pre><p>
+ A trust account will always have an I in the field within the square brackets.
+ </p><p>
+ If the trusting domain is not capable of being reached, the following command will fail:
+<a class="indexterm" name="id2569885"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc trustdom list -Uroot%not24get
+Trusted domains list:
+
+none
+
+Trusting domains list:
+
+DAMNATION S-1-5-21-1385457007-882775198-1210191635
+</pre><p>
+ The above command executed successfully; a failure is indicated when the following response is obtained:
+</p><pre class="screen">
+net rpc trustdom list -Uroot%not24get
+Trusted domains list:
+
+DAMNATION S-1-5-21-1385457007-882775198-1210191635
+
+Trusting domains list:
+
+DAMNATION domain controller is not responding
+</pre><p>
+ </p><p>
+ Where a trust account has been created on a foreign domain, Samba is able to establish the trust (connect with)
+ the foreign account. In the process it creates a one-way trust to the resources on the remote domain. This
+ command achieves the objective of joining the trust relationship:
+<a class="indexterm" name="id2569930"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc trustdom establish DAMNATION
+Password: xxxxxxx == f00db4r
+Could not connect to server TRANSGRESSION
+Trust to domain DAMNATION established
+</pre><p>
+ Validation of the two-way trust now established is possible as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc trustdom list -Uroot%not24get
+Trusted domains list:
+
+DAMNATION S-1-5-21-1385457007-882775198-1210191635
+
+Trusting domains list:
+
+DAMNATION S-1-5-21-1385457007-882775198-1210191635
+</pre><p>
+ </p><p>
+ Sometimes it is necessary to remove the ability for local users to access a foreign domain. The trusting
+ connection can be revoked as shown here:
+<a class="indexterm" name="id2569977"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc trustdom revoke DAMNATION -Uroot%not24get
+</pre><p>
+ At other times it becomes necessary to remove the ability for users from a foreign domain to be able to
+ access resources in the local domain. The command shown here will do that:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc trustdom del DAMNATION -Uroot%not24get
+</pre><p>
+
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2570019"></a>Managing Security Identifiers (SIDS)</h2></div></div></div><p>
+<a class="indexterm" name="id2570027"></a>
+<a class="indexterm" name="id2570034"></a>
+<a class="indexterm" name="id2570041"></a>
+<a class="indexterm" name="id2570048"></a>
+<a class="indexterm" name="id2570055"></a>
+ The basic security identifier that is used by all Windows networking operations is the Windows security
+ identifier (SID). All Windows network machines (servers and workstations), users, and groups are
+ identified by their respective SID. All desktop profiles are also encoded with user and group SIDs that
+ are specific to the SID of the domain to which the user belongs.
+ </p><p>
+<a class="indexterm" name="id2570071"></a>
+<a class="indexterm" name="id2570078"></a>
+<a class="indexterm" name="id2570085"></a>
+<a class="indexterm" name="id2570091"></a>
+ It is truly prudent to store the machine and/or domain SID in a file for safekeeping. Why? Because
+ a change in hostname or in the domain (workgroup) name may result in a change in the SID. When you
+ have the SID on hand, it is a simple matter to restore it. The alternative is to suffer the pain of
+ having to recover user desktop profiles and perhaps rejoin all member machines to the domain.
+ </p><p>
+ First, do not forget to store the local SID in a file. It is a good idea to put this in the directory
+ in which the <code class="filename">smb.conf</code> file is also stored. Here is a simple action to achieve this:
+<a class="indexterm" name="id2570117"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net getlocalsid > /etc/samba/my-sid
+</pre><p>
+ Good, there is now a safe copy of the local machine SID. On a PDC/BDC this is the domain SID also.
+ </p><p>
+ The following command reveals what the former one should have placed into the file called
+ <code class="filename">my-sid</code>:
+</p><pre class="screen">
+<code class="prompt">root# </code> net getlocalsid
+SID for domain MERLIN is: S-1-5-21-726309263-4128913605-1168186429
+</pre><p>
+ </p><p>
+ If ever it becomes necessary to restore the SID that has been stored in the <code class="filename">my-sid</code>
+ file, simply copy the SID (the string of characters that begins with <code class="constant">S-1-5-21</code>) to
+ the command line shown here:
+<a class="indexterm" name="id2570180"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net setlocalsid S-1-5-21-1385457007-882775198-1210191635
+</pre><p>
+ Restoration of a machine SID is a simple operation, but the absence of a backup copy can be very
+ problematic.
+ </p><p>
+ The following operation is useful only for machines that are being configured as a PDC or a BDC.
+ DMS and workstation clients should have their own machine SID to avoid
+ any potential namespace collision. Here is the way that the BDC SID can be synchronized to that
+ of the PDC (this is the default NT4 domain practice also):
+<a class="indexterm" name="id2570212"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc getsid -S FRODO -Uroot%not24get
+Storing SID S-1-5-21-726309263-4128913605-1168186429 \
+ for Domain MIDEARTH in secrets.tdb
+</pre><p>
+ Usually it is not necessary to specify the target server (-S FRODO) or the administrator account
+ credentials (-Uroot%not24get).
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2570241"></a>Share Management</h2></div></div></div><p>
+ Share management is central to all file serving operations. Typical share operations include:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>Creation/change/deletion of shares</p></li><li><p>Setting/changing ACLs on shares</p></li><li><p>Moving shares from one server to another</p></li><li><p>Change of permissions of share contents</p></li></ul></div><p>
+ Each of these are dealt with here insofar as they involve the use of the <span><strong class="command">net</strong></span>
+ command. Operations outside of this command are covered elsewhere in this document.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2570286"></a>Creating, Editing, and Removing Shares</h3></div></div></div><p>
+ A share can be added using the <span><strong class="command">net rpc share</strong></span> command capabilities.
+ The target machine may be local or remote and is specified by the -S option. It must be noted
+ that the addition and deletion of shares using this tool depends on the availability of a suitable
+ interface script. The interface scripts Sambas <span><strong class="command">smbd</strong></span> uses are called
+ <a class="indexterm" name="id2570312"></a>add share command, <a class="indexterm" name="id2570319"></a>delete share command and
+ <a class="indexterm" name="id2570327"></a>change share command A set of example scripts are provided in the Samba source
+ code tarball in the directory <code class="filename">~samba/examples/scripts</code>.
+ </p><p>
+ The following steps demonstrate the use of the share management capabilities of the <span><strong class="command">net</strong></span>
+ utility. In the first step a share called <code class="constant">Bulge</code> is added. The sharepoint within the
+ file system is the directory <code class="filename">/data</code>. The command that can be executed to perform the
+ addition of this share is shown here:
+<a class="indexterm" name="id2570365"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc share add Bulge=/data -S MERLIN -Uroot%not24get
+</pre><p>
+ Validation is an important process, and by executing the command <span><strong class="command">net rpc share</strong></span>
+ with no other operators it is possible to obtain a listing of available shares, as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc share -S MERLIN -Uroot%not24get
+profdata
+archive
+Bulge <--- This one was added
+print$
+netlogon
+profiles
+IPC$
+kyocera
+ADMIN$
+</pre><p>
+ </p><p>
+ Often it is desirable also to permit a share to be removed using a command-line tool.
+ The following step permits the share that was previously added to be removed:
+<a class="indexterm" name="id2570417"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc share delete Bulge -S MERLIN -Uroot%not24get
+</pre><p>
+ A simple validation shown here demonstrates that the share has been removed:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc share -S MERLIN -Uroot%not24get
+profdata
+archive
+print$
+netlogon
+profiles
+IPC$
+ADMIN$
+kyocera
+</pre><p>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2570458"></a>Creating and Changing Share ACLs</h3></div></div></div><p>
+ At this time the <span><strong class="command">net</strong></span> tool cannot be used to manage ACLs on Samba shares. In MS Windows
+ language this is called Share Permissions.
+ </p><p>
+ It is possible to set ACLs on Samba shares using either the SRVTOOLS NT4 Domain Server Manager
+ or using the Computer Management MMC snap-in. Neither is covered here,
+ but see <a href="AccessControls.html" title="Chapter 15. File, Directory, and Share Access Controls">???</a>.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2570488"></a>Share, Directory, and File Migration</h3></div></div></div><p>
+<a class="indexterm" name="id2570496"></a>
+ Shares and files can be migrated in the same manner as user, machine, and group accounts.
+ It is possible to preserve access control settings (ACLs) as well as security settings
+ throughout the migration process. The <span><strong class="command">net rpc vampire</strong></span> facility is used
+ to migrate accounts from a Windows NT4 (or later) domain to a Samba server. This process
+ preserves passwords and account security settings and is a precursor to the migration
+ of shares and files.
+ </p><p>
+ The <span><strong class="command">net rpc share</strong></span> command may be used to migrate shares, directories,
+ files, and all relevant data from a Windows server to a Samba server.
+ </p><p>
+ A set of command-line switches permit the creation of almost direct clones of Windows file
+ servers. For example, when migrating a fileserver, file ACLs and DOS file attributes from
+ the Windows server can be included in the migration process and will reappear, almost identically,
+ on the Samba server when the migration has been completed.
+ </p><p>
+ The migration process can be completed only with the Samba server already being fully operational.
+ The user and group accounts must be migrated before attempting to migrate data
+ share, files, and printers. The migration of files and printer configurations involves the use
+ of both SMB and MS DCE RPC services. The benefit of the manner in which the migration process has
+ been implemented is that the possibility now exists to use a Samba server as a man-in-middle migration
+ service that affects a transfer of data from one server to another. For example, if the Samba
+ server is called MESSER, the source Windows NT4 server is called PEPPY, and the target Samba
+ server is called GONZALES, the machine MESSER can be used to effect the migration of all data
+ (files and shares) from PEPPY to GONZALES. If the target machine is not specified, the local
+ server is assumed by default - as net's general rule of thumb .
+ </p><p>
+ The success of server migration requires a firm understanding of the structure of the source
+ server (or domain) as well as the processes on which the migration is critically dependant.
+ </p><p>
+ There are two known limitations to the migration process:
+ </p><div class="orderedlist"><ol type="1"><li><p>
+ The <span><strong class="command">net</strong></span> command requires that the user credentials provided exist on both
+ the migration source and the migration target.
+ </p></li><li><p>
+ Printer settings may not be fully or may be incorrectly migrated. This might in particular happen
+ when migrating a Windows 2003 print server to Samba.
+ </p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2570599"></a>Share Migration</h4></div></div></div><p>
+ The <span><strong class="command">net rpc share migrate</strong></span> command operation permits the migration of plain
+ share stanzas. A stanza contains the parameters within which a file or print share are defined.
+ The use of this migration method will create share stanzas that have as parameters the file
+ system directory path, an optional description, and simple security settings that permit write
+ access to files. One of the first steps necessary following migration is to review the share
+ stanzas to ensure that the settings are suitable for use.
+ </p><p>
+ The shares are created on the fly as part of the migration process. The <span><strong class="command">smbd</strong></span>
+ application does this by calling on the operating system to execute the script specified by the
+ <code class="filename">smb.conf</code> parameter <em class="parameter"><code>add share command</code></em>.
+ </p><p>
+ There is a suitable example script for the <em class="parameter"><code>add share command</code></em> in the
+ <code class="filename">$SAMBA_SOURCES/examples/scripts</code> directory. It should be noted that
+ the account that is used to drive the migration must, of necessity, have appropriate file system
+ access privileges and have the right to create shares and to set ACLs on them. Such rights are
+ conferred by these rights: <em class="parameter"><code>SeAddUsersPrivilege</code></em> and <em class="parameter"><code>SeDiskOperatorPrivilege</code></em>.
+ For more information regarding rights and privileges please refer to <a href="rights.html" title="Chapter 14. User Rights and Privileges">???</a>.
+ </p><p>
+ The syntax of the share migration command is shown here:
+</p><pre class="screen">
+net rpc share MIGRATE SHARES <share-name> -S <source>
+ [--destination=localhost] [--exclude=share1,share2] [-v]
+</pre><p>
+ When the parameter <share-name> is omitted, all shares will be migrated. The potentially
+ large list of available shares on the system that is being migrated can be limited using the
+ <em class="parameter"><code>--exclude</code></em> switch. For example:
+<a class="indexterm" name="id2570712"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc share migrate shares myshare\
+ -S win2k -U administrator%secret"
+</pre><p>
+ This will migrate the share <code class="constant">myshare</code> from the server <code class="constant">win2k</code>
+ to the Samba Server using the permissions that are tied to the account <code class="constant">administrator</code>
+ with the password <code class="constant">secret</code>. The account that is used must be the same on both the
+ migration source server and the target Samba server. The use of the <span><strong class="command">net rpc
+ vampire</strong></span>, prior to attempting the migration of shares, will ensure that accounts will be
+ identical on both systems. One precaution worth taking before commencement of migration of shares is
+ to validate that the migrated accounts (on the Samba server) have the needed rights and privileges.
+ This can be done as shown here:
+<a class="indexterm" name="id2570767"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc right list accounts -Uroot%not24get
+</pre><p>
+ The steps taken so far perform only the migration of shares. Directories and directory contents
+ are not migrated by the steps covered up to this point.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2570795"></a>File and Directory Migration</h4></div></div></div><p>
+ Everything covered to this point has been done in preparation for the migration of file and directory
+ data. For many people preparation is potentially boring and the real excitement only begins when file
+ data can be used. The next steps demonstrate the techniques that can be used to transfer (migrate)
+ data files using the <span><strong class="command">net</strong></span> command.
+ </p><p>
+ Transfer of files from one server to another has always been a challenge for MS Windows
+ administrators because Windows NT and 200X servers do not always include the tools needed. The
+ <span><strong class="command">xcopy</strong></span> from Windows NT is not capable of preserving file and directory ACLs,
+ it does so only with Windows 200x. Microsoft does provide a
+ utility that can copy ACLs (security settings) called <span><strong class="command">scopy</strong></span>, but it is provided only
+ as part of the Windows NT or 200X Server Resource Kit.
+ </p><p>
+ There are several tools, both commercial and freeware, that can be used from a Windows server to copy files
+ and directories with full preservation of security settings. One of the best known of the free tools is
+ called <span><strong class="command">robocopy</strong></span>.
+ </p><p>
+ The <span><strong class="command">net</strong></span> utility can be used to copy files and directories with full preservation of
+ ACLs as well as DOS file attributes. Note that including ACLs makes sense only where the destination
+ system will operate within the same security context as the source system. This applies both to a
+ DMS and to domain controllers that result from a vampired domain.
+ Before file and directory migration, all shares must already exist.
+ </p><p>
+ The syntax for the migration commands is shown here:
+</p><pre class="screen">
+net rpc share MIGRATE FILES <share-name> -S <source>
+ [--destination=localhost] [--exclude=share1,share2]
+ [--acls] [--attrs] [--timestamps] [-v]
+</pre><p>
+ If the <share-name> parameter is omitted, all shares will be migrated. The potentially large
+ list of shares on the source system can be restricted using the <em class="parameter"><code>--exclude</code></em> command
+ switch.
+ </p><p>
+ Where it is necessary to preserve all file ACLs, the <em class="parameter"><code>--acls</code></em> switch should be added
+ to the above command line. Original file timestamps can be preserved by specifying the
+ <em class="parameter"><code>--timestamps</code></em> switch, and the DOS file attributes (i.e., hidden, archive, etc.) can
+ be preserved by specifying the <em class="parameter"><code>--attrs</code></em> switch.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ The ability to preserve ACLs depends on appropriate support for ACLs as well as the general file system
+ semantics of the host operating system on the target server. A migration from one Windows file server to
+ another will perfectly preserve all file attributes. Because of the difficulty of mapping Windows ACLs
+ onto a POSIX ACLs-supporting system, there can be no perfect migration of Windows ACLs to a Samba server.
+ </p></div><p>
+ The ACLs that result on a Samba server will most probably not match the originating ACLs. Windows supports
+ the possibility of files that are owned only by a group. Group-alone file ownership is not possible under
+ UNIX/Linux. Errors in migrating group-owned files can be avoided by using the <code class="filename">smb.conf</code> file
+ <a class="indexterm" name="id2570950"></a>force unknown acl user = yes parameter. This facility will
+ automatically convert group-owned files into correctly user-owned files on the Samba server.
+ </p><p>
+ An example for migration of files from a machine called <code class="constant">nt4box</code> to the Samba server
+ from which the process will be handled is shown here:
+<a class="indexterm" name="id2570969"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc share migrate files -S nt4box --acls \
+ --attrs -U administrator%secret
+</pre><p>
+ </p><p>
+ This command will migrate all files and directories from all file shares on the Windows server called
+ <code class="constant">nt4box</code> to the Samba server from which migration is initiated. Files that are group-owned
+ will be owned by the user account <code class="constant">administrator</code>.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2571009"></a>Share-ACL Migration</h4></div></div></div><p>
+ It is possible to have share-ACLs (security descriptors) that won't allow you, even as Administrator, to
+ copy any files or directories into it. Therefor the migration of the share-ACLs has been put into a separate
+ function:
+<a class="indexterm" name="id2571021"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc share migrate security -S nt4box -U administrator%secret
+</pre><p>
+ </p><p>
+ This command will only copy the share-ACL of each share on nt4box to your local samba-system.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2571052"></a>Simultaneous Share and File Migration</h4></div></div></div><p>
+ The operating mode shown here is just a combination of the previous three. It first migrates
+ share definitions and then all shared files and directories and finally migrates the share-ACLs:
+</p><pre class="screen">
+net rpc share MIGRATE ALL <share-name> -S <source>
+ [--exclude=share1, share2] [--acls] [--attrs] [--timestamps] [-v]
+</pre><p>
+ </p><p>
+ An example of simultaneous migration is shown here:
+<a class="indexterm" name="id2571078"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc share migrate all -S w2k3server -U administrator%secret
+</pre><p>
+ This will generate a complete server clone of the <em class="parameter"><code>w2k3server</code></em> server.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2571112"></a>Printer Migration</h3></div></div></div><p>
+ The installation of a new server, as with the migration to a new network environment, often is similar to
+ building a house; progress is very rapid from the laying of foundations up to the stage at which
+ the house can be locked up, but the finishing off appears to take longer and longer as building
+ approaches completion.
+ </p><p>
+ Printing needs vary greatly depending on the network environment and may be very simple or complex. If
+ the need is very simple, the best solution to the implementation of printing support may well be to
+ re-install everything from a clean slate instead of migrating older configurations. On the other hand,
+ a complex network that is integrated with many international offices and a multiplexity of local branch
+ offices, each of which form an inter-twined maze of printing possibilities, the ability to migrate all
+ printer configurations is decidedly beneficial. To manually re-establish a complex printing network
+ will take much time and frustration. Often it will not be possible to find driver files that are
+ currently in use, necessitating the installation of newer drivers. Newer drivers often implement
+ printing features that will necessitate a change in the printer usage. Additionally, with very complex
+ printer configurations it becomes almost impossible to re-create the same environment no matter
+ how extensively it has been documented.
+ </p><p>
+ The migration of an existing printing architecture involves the following:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>Establishment of print queues.</p></li><li><p>Installation of printer drivers (both for the print server and for Windows clients.</p></li><li><p>Configuration of printing forms.</p></li><li><p>Implementation of security settings.</p></li><li><p>Configuration of printer settings.</p></li></ul></div><p>
+ The Samba <span><strong class="command">net</strong></span> utility permits printer migration from one Windows print server
+ to another. When this tool is used to migrate printers to a Samba server <span><strong class="command">smbd</strong></span>,
+ the application that receives the network requests to create the necessary services must call out
+ to the operating system in order to create the underlying printers. The call-out is implemented
+ by way of an interface script that can be specified by the <code class="filename">smb.conf</code> file parameter
+ <a class="indexterm" name="id2571210"></a>. This script is essential to the migration process.
+ A suitable example script may be obtained from the <code class="filename">$SAMBA_SOURCES/examples/scripts</code>
+ directory. Take note that this script must be customized to suit the operating system environment
+ and may use its tools to create a print queue.
+ </p><p>
+ Each of the components listed above can be completed separately, or they can be completed as part of an
+ automated operation. Many network administrators prefer to deal with migration issues in a manner that
+ gives them the most control, particularly when things go wrong. The syntax for each operation is now
+ briefly described.
+ </p><p>
+ Printer migration from a Windows print server (NT4 or 200x) is shown. This instruction causes the
+ printer share to be created together with the underlying print queue:
+<a class="indexterm" name="id2571241"></a>
+</p><pre class="screen">
+net rpc printer MIGRATE PRINTERS [printer] [misc. options] [targets]
+</pre><p>
+ Printer drivers can be migrated from the Windows print server to the Samba server using this
+ command-line instruction:
+<a class="indexterm" name="id2571262"></a>
+</p><pre class="screen">
+net rpc printer MIGRATE DRIVERS [printer] [misc. options] [targets]
+</pre><p>
+ Printer forms can be migrated with the following operation:
+<a class="indexterm" name="id2571281"></a>
+</p><pre class="screen">
+net rpc printer MIGRATE FORMS [printer] [misc. options] [targets]
+</pre><p>
+ Printer security settings (ACLs) can be migrated from the Windows server to the Samba server using this command:
+<a class="indexterm" name="id2571301"></a>
+</p><pre class="screen">
+net rpc printer MIGRATE SECURITY [printer] [misc. options] [targets]
+</pre><p>
+ Printer configuration settings include factors such as paper size and default paper orientation.
+ These can be migrated from the Windows print server to the Samba server with this command:
+<a class="indexterm" name="id2571323"></a>
+</p><pre class="screen">
+net rpc printer MIGRATE SETTINGS [printer] [misc. options] [targets]
+</pre><p>
+ </p><p>
+ Migration of printers including the above-mentioned sets of information may be completed
+ with a single command using this syntax:
+</p><pre class="screen">
+net rpc printer MIGRATE ALL [printer] [misc. options] [targets]
+</pre><p>
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2571357"></a>Controlling Open Files</h2></div></div></div><p>
+ The man page documents the <span><strong class="command">net file</strong></span> function suite, which provides the tools to
+ close open files using either RAP or RPC function calls. Please refer to the man page for specific
+ usage information.
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2571376"></a>Session and Connection Management</h2></div></div></div><p>
+ The session management interface of the <span><strong class="command">net session</strong></span> command uses the old RAP
+ method to obtain the list of connections to the Samba server, as shown here:
+<a class="indexterm" name="id2571393"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rap session -S MERLIN -Uroot%not24get
+Computer User name Client Type Opens Idle time
+------------------------------------------------------------------------------
+\\merlin root Unknown Client 0 00:00:00
+\\marvel jht Unknown Client 0 00:00:00
+\\maggot jht Unknown Client 0 00:00:00
+\\marvel jht Unknown Client 0 00:00:00
+</pre><p>
+ </p><p>
+ A session can be closed by executing a command as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rap session close marvel -Uroot%not24get
+</pre><p>
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2571443"></a>Printers and ADS</h2></div></div></div><p>
+ When Samba-3 is used within an MS Windows ADS environment, printers shared via Samba will not be browseable
+ until they have been published to the ADS domain. Information regarding published printers may be obtained
+ from the ADS server by executing the <span><strong class="command">net ads print info</strong></span> command following this syntax:
+<a class="indexterm" name="id2571461"></a>
+</p><pre class="screen">
+net ads printer info <printer_name> <server_name> -Uadministrator%secret
+</pre><p>
+ If the asterisk (*) is used in place of the printer_name argument, a list of all printers will be
+ returned.
+ </p><p>
+ To publish (make available) a printer to ADS, execute the following command:
+<a class="indexterm" name="id2571487"></a>
+</p><pre class="screen">
+net ads printer publish <printer_name> -Uadministrator%secret
+</pre><p>
+ This publishes a printer from the local Samba server to ADS.
+ </p><p>
+ Removal of a Samba printer from ADS is achieved by executing this command:
+<a class="indexterm" name="id2571512"></a>
+</p><pre class="screen">
+net ads printer remove <printer_name> -Uadministrator%secret
+</pre><p>
+ </p><p>
+ A generic search (query) can also be made to locate a printer across the entire ADS domain by executing:
+<a class="indexterm" name="id2571537"></a>
+</p><pre class="screen">
+net ads printer search <printer_name> -Uadministrator%secret
+</pre><p>
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2571558"></a>Manipulating the Samba Cache</h2></div></div></div><p>
+ Please refer to the <span><strong class="command">net</strong></span> command man page for information regarding cache management.
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2571576"></a>Managing IDMAP UID/SID Mappings</h2></div></div></div><p>
+ The IDMAP UID to SID, and SID to UID, mappings that are created by <span><strong class="command">winbindd</strong></span> can be
+ backed up to a text file. The text file can be manually edited, although it is highly recommended that
+ you attempt this only if you know precisely what you are doing.
+ </p><p>
+ An IDMAP text dump file can be restored (or reloaded). There are two situations that may necessitate
+ this action: a) The existing IDMAP file is corrupt, b) It is necessary to install an editted version
+ of the mapping information.
+ </p><p>
+ Winbind must be shut down to dump the IDMAP file. Before restoring a dump file, shut down
+ <span><strong class="command">winbindd</strong></span> and delete the old <code class="filename">winbindd_idmap.tdb</code> file.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2571620"></a>Creating an IDMAP Database Dump File</h3></div></div></div><p>
+ The IDMAP database can be dumped to a text file as shown here:
+</p><pre class="screen">
+net idmap dump <full_path_and_tdb_filename> > dumpfile.txt
+</pre><p>
+ Where a particular build of Samba the run-time tdb files are stored in the
+ <code class="filename">/var/lib/samba</code> directory the following commands to create the dump file will suffice:
+</p><pre class="screen">
+net idmap dump /var/lib/samba/winbindd_idmap.tdb > idmap_dump.txt
+</pre><p>
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2571655"></a>Restoring the IDMAP Database Dump File</h3></div></div></div><p>
+ The IDMAP dump file can be restored using the following command:
+</p><pre class="screen">
+net idmap restore <full_path_and_tdb_filename> < dumpfile.txt
+</pre><p>
+ Where the Samba run-time tdb files are stored in the <code class="filename">/var/lib/samba</code> directory
+ the following command can be used to restore the data to the tdb file:
+</p><pre class="screen">
+net idmap restore /var/lib/samba/winbindd_idmap.tdb < idmap_dump.txt
+</pre><p>
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="netmisc1"></a>Other Miscellaneous Operations</h2></div></div></div><p>
+ The following command is useful for obtaining basic statistics regarding a Samba domain. This command does
+ not work with current Windows XP Professional clients.
+<a class="indexterm" name="id2571707"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc info
+Domain Name: RAPIDFLY
+Domain SID: S-1-5-21-399034208-633907489-3292421255
+Sequence number: 1116312355
+Num users: 720
+Num domain groups: 27
+Num local groups: 6
+</pre><p>
+ </p><p>
+ Another useful tool is the <span><strong class="command">net time</strong></span> tool set. This tool may be used to query the
+ current time on the target server as shown here:
+<a class="indexterm" name="id2571743"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net time -S SAURON
+Tue May 17 00:50:43 2005
+</pre><p>
+ In the event that it is the intent to pass the time information obtained to the UNIX
+ <span><strong class="command">/bin/time</strong></span>, it is a good idea to obtain the time from the target server in a format
+ that is ready to be passed through. This may be done by executing:
+<a class="indexterm" name="id2571774"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net time system -S FRODO
+051700532005.16
+</pre><p>
+ The time can be set on a target server by executing:
+<a class="indexterm" name="id2571799"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net time set -S MAGGOT -U Administrator%not24get
+Tue May 17 00:55:30 MDT 2005
+</pre><p>
+ It is possible to obtain the time zone of a server by executing the following command against it:
+<a class="indexterm" name="id2571825"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net time zone -S SAURON
+-0600
+</pre><p>
+ </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="groupmapping.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="idmapper.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 11. Group Mapping: MS Windows and UNIX </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 13. Identity Mapping (IDMAP)</td></tr></table></div></body></html>
projects / samba / blobdiff