Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

Samba HowTo Guide
Prev Home Next

Nested Group Support

It is possible in Windows (and now in Samba also) to create a local group that has members (contains), domain users, and domain global groups. Creation of the local group demo is achieved by executing: 

root#  net rpc group add demo -L -S MORDON -Uroot%not24get

The -L switch means create a local group. Use the -S argument to direct the operation to a particular server. The parameters to the -U argument should be for a user who has appropriate administrative right and privileges on the machine.

Addition and removal of group members can be achieved using the addmem and delmem subcommands of net rpc group command. For example, addition of “DOM\Domain Users” to the local group demo would be done by executing: 

root#  net rpc group addmem demo "DOM\Domain Users" -Uroot%not24get

The members of a nested group can be listed by executing the following: 

root#  net rpc group members demo -Uroot%not24get
DOM\Domain Users
DOM\Engineers
DOM\jamesf
DOM\jht

Nested group members can be removed (deleted) as shown here: 

root#  net rpc group delmem demo "DOM\jht" -Uroot%not24get

Managing Nest Groups on Workstations from the Samba Server

Windows network administrators often ask on the Samba mailing list how it is possible to grant everyone administrative rights on their own workstation. This is of course a very bad practice, but commonly done to avoid user complaints. Here is how it can be done remotely from a Samba PDC or BDC: 

root#  net rpc group addmem "Administrators" "Domain Users" \
    -S WINPC032 -Uadministrator%secret

This can be scripted, and can therefore be performed as a user logs onto the domain from a Windows workstation. Here is a simple example that shows how this can be done.

Procedure12.1.Automating User Addition to the Workstation Power Users Group

Example12.1.Script to Auto-add Domain Users to Workstation Power Users Group 

#!/bin/bash

/usr/bin/net rpc group addmem "Power Users" "DOMAIN_NAME\$1" \
                   -UAdministrator%secret -S $2

exit 0

Example12.2.A Magic Netlogon Share

[netlogon]
comment = Netlogon Share
path = /var/lib/samba/netlogon
root preexec = /etc/samba/scripts/autopoweruser.sh %U %m
read only = Yes
guest ok = Yes

  1. Create the script shown in ??? and locate it in the directory /etc/samba/scripts, named as autopoweruser.sh.

  2. Set the permissions on this script to permit it to be executed as part of the logon process: 

    root#  chown root:root /etc/samba/autopoweruser.sh
root#  chmod 755 /etc/samba/autopoweruser.sh

  3. Modify the smb.conf file so the NETLOGON stanza contains the parameters shown in the Netlogon Example smb.conf file.

  4. Ensure that every Windows workstation Administrator account has the same password that you have used in the script shown in the Netlogon Example smb.conf file

This script will be executed every time a user logs on to the network. Therefore every user will have local Windows workstation management rights. This could of course be assigned using a group, in which case there is little justification for the use of this procedure. The key justification for the use of this method is that it will guarantee that all users have appropriate rights on the workstation.

Samba HowTo Guide
Prev Home Next

 
 
  Published under the terms fo the GNU General Public License Design by Interspire