HP CIFS Server Administrator's Guide Version A.03.01.04 (5900-2303), April 2012

cannot differentiate which user actually created the file or directory from a file system
perspective.
Why can’t I use the net groupmap utility to map a Windows group to a UNIX group, then
add UNIX members to this group?
The net groupmap feature allows administrators to assign Windows group RIDs to UNIX groups
so that Windows clients recognize them and can use them when setting permissions
on the local server resources. A complete SID is generated by appending the entered RID to the
SID of the server, which makes these groups local groups on CIFS member servers. You can edit
/etc/group to add Windows or winbind names as members, but the file system does not recognize
them when granting access.
Considering alternatives
The purpose of winbind is to automate the creation of UIDs and GIDs and to maintain their
correspondence to the Windows SIDs in order to minimize identity management efforts, but this
may not be required in all environments. Your environment may have few users, or may already
have additional HP-UX user requirements for UNIX user activities in which separate Windows and
UNIX management is acceptable (consider the use of a user name map file; see SWAT help for the
smb.conf parameter username map). Also, there are several alternatives that may meet your
requirements. Consider the following alternatives before deploying winbind:
Username map script
One alternative to winbind for assigning UIDs is to create and configure a “username map
script” to selectively assign users. This allows you to write a script that potentially creates
and/or assigns a native UNIX user name based on the Windows name requesting access. The
groups that a specific user belongs to depend on how the script is implemented, but they will
be native UNIX groups because the mapping is to a native UNIX user. The results of the user
name map script overwrite any match in the user name map file if the script provides an output
name.
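Added example (not from the HP guide): a username map script written as an allow-list, so that only selected Windows names receive a UNIX name. It assumes smbd passes the client-supplied name as the first argument and reads the mapped name from standard output; the table and user names are constructed, and the eight-character check mirrors the useradd limit this guide notes for HP-UX 11v1 and v2.

```shell
#!/bin/sh
# Added example: allow-list "username map script" (not from the HP guide).
# Assumption: smbd passes the client-supplied name as $1 and reads the
# mapped UNIX user name from stdout.
LC_ALL=C; export LC_ALL
MAX_LEN=8   # useradd name limit the guide notes for HP-UX 11v1 and v2

# Constructed sample table, one "windows_name:unix_name" pair per line.
MAP_TABLE='alice.smith:asmith
bob.jones:bjones
svc-backup:backup
carol.long:carollongname'   # last entry is deliberately longer than MAX_LEN

map_user() {
    # Drop an optional DOMAIN\ prefix and fold case before comparing.
    name=$(printf '%s\n' "$1" | sed 's/^.*\\//' | tr 'A-Z' 'a-z')
    # The name comes from the client: accept only a conservative character set.
    case "$name" in
        ''|*[!a-z0-9._-]*) return 1 ;;
    esac
    while IFS=: read -r win unix; do
        if [ "$win" = "$name" ]; then
            # Refuse targets that useradd could not have created.
            [ "${#unix}" -le "$MAX_LEN" ] || return 1
            printf '%s\n' "$unix"
            return 0
        fi
    done <<EOF
$MAP_TABLE
EOF
    return 1   # not listed: print nothing, supply no mapped name
}

# Entry point when the script is invoked with a name argument.
if [ "$#" -ge 1 ]; then
    map_user "$1" || exit 0
fi
```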
Create users on-the-fly
One alternative to winbind is to allow an HP-UX user to be added “on-the-fly” during a
Windows user’s first HP CIFS login. Set the add user script parameter in the smb.conf
file. For example:
add user script = /usr/sbin/useradd -g users -c "Auto_Account" -s /bin/false %u
In the above example, %u is a macro that specifies the Windows user name. The HP-UX
user name is created to match the Windows name. It is stored and managed in the same
way as other UNIX users, separately from Windows users.
NOTE: On HP-UX 11v1 and v2, this solution is limited by the useradd command’s
eight-character maximum name length. All Windows user names must be limited to eight
characters. The command fails if the %u macro user name does not meet the constraints of the
useradd command.
NOTE: On HP-UX 11v3, you can explicitly enable the system for expanded user and group
names by using the lugadmin command. Refer to the lugadmin man page for details. The
lugadmin -e option enables long user names. Once the system is enabled for long user
and group names, the feature cannot be disabled. When the expanded user and group name
feature is enabled, all the user and group management commands (useradd, usermod, userdel,
groupadd, groupmod and groupdel) allow you to create and update users with long user
and group names. Some products have limitations; consult the HP-UX 11v3 documentation before
enabling the long name feature.