1
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter�13.�User Rights and Privileges</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.66.1"><link rel="start" href="index.html" title="The Official Samba-3 HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part�III.�Advanced Configuration"><link rel="prev" href="idmapper.html" title="Chapter�12.�Identity Mapping (IDMAP)"><link rel="next" href="AccessControls.html" title="Chapter�14.�File, Directory and Share Access Controls"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter�13.�User Rights and Privileges</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="idmapper.html">Prev</a>�</td><th width="60%" align="center">Part�III.�Advanced Configuration</th><td width="20%" align="right">�<a accesskey="n" href="AccessControls.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="rights"></a>Chapter�13.�User Rights and Privileges</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="rights.html#id2560797">Rights Management Capabilities</a></span></dt><dd><dl><dt><span class="sect2"><a href="rights.html#id2560952">Using the “<span class="quote"><span class="emphasis"><em>net rpc rights</em></span></span>” Utility</a></span></dt><dt><span class="sect2"><a href="rights.html#id2561101">Description of Privileges</a></span></dt></dl></dd><dt><span class="sect1"><a href="rights.html#id2561242">The Administrator Domain SID</a></span></dt></dl></div><p>
2
The administration of Windows user, group and machine accounts in the Samba
3
domain controlled network necessitates interfacing between the MS Windows
4
networking environment and the UNIX operating system environment. The right
5
(permission) to add machines to the Windows security domain can be assigned
6
(set) to non-administrative users both in Windows NT4 domains as well as in
7
Active Directory domains.
9
The addition of Windows NT4/2kX/XPPro machines to the domain necessitates the
10
creation of a machine account for each machine added. The machine account is
11
a necessity that is used to validate that the machine can be trusted to permit
14
Machine accounts are analogous to user accounts, and thus in implementing them
15
on a UNIX machine that is hosting Samba (i.e.: On which Samba is running) it is
16
necessary to create a special type of user account. Machine accounts differ from
17
a normal user account in that the account name (login ID) is terminated with a $
18
sign. An additional difference is that this type of account should not ever be able
19
to log into the UNIX environment as a system user and therefore is set to have a
20
shell of <span><b class="command">/bin/false</b></span> and a home directory of
21
<span><b class="command">/dev/null.</b></span>
23
The creation of UNIX system accounts has traditionally been the sole right of
24
the system administrator, better known as the <tt class="constant">root</tt> account.
25
It is possible in the UNIX environment to create multiple users who have the
26
same UID. Any UNIX user who has a UID=0 is inherently the same as the
27
<tt class="constant">root</tt> account.
29
All versions of Samba call system interface scripts that permit CIFS function
30
calls that are used to manage users, groups and machine accounts to be affected
31
in the UNIX environment. All versions of Samba up to and including version 3.0.10
32
required the use of a Windows Administrator account that unambiguously maps to
33
the UNIX <tt class="constant">root</tt> account to permit the execution of these
34
interface scripts. The reuqirement to do this has understandably met with some
35
disdain and consternation among Samba administrators, particularly where it became
36
necessary to permit people who should not posses <tt class="constant">root</tt> level
37
access to the UNIX host system.
38
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2560797"></a>Rights Management Capabilities</h2></div></div></div><p>
39
Samba 3.0.11 introduces support for the Windows privilege model. This model
40
allows certain rights to be assigned to a user or group SID. In order to enable
41
this feature, <a class="indexterm" name="id2560808"></a>enable privileges = yes
42
must be defined in the <i class="parameter"><tt>global</tt></i> section of the <tt class="filename">smb.conf</tt> file.
44
Currently, the rights supported in Samba 3 are listed in <a href="rights.html#rp-privs" title="Table�13.1.�Current Privilege Capabilities">???</a>.
45
The remainder of this chapter explains how to manage and use these privileges on Samba servers.
46
</p><div class="table"><a name="rp-privs"></a><p class="title"><b>Table�13.1.�Current Privilege Capabilities</b></p><table summary="Current Privilege Capabilities" border="1"><colgroup><col align="right"><col align="left"></colgroup><thead><tr><th align="center">Privilege</th><th align="center">Description</th></tr></thead><tbody><tr><td align="right"><p>SeMachineAccountPrivilege</p></td><td align="left"><p>Add machines to domain</p></td></tr><tr><td align="right"><p>SePrintOperatorPrivilege</p></td><td align="left"><p>Manage printers</p></td></tr><tr><td align="right"><p>SeAddUsersPrivilege</p></td><td align="left"><p>Add users and groups to the domain</p></td></tr><tr><td align="right"><p>SeRemoteShutdownPrivilege</p></td><td align="left"><p>Force shutdown from a remote system</p></td></tr><tr><td align="right"><p>SeDiskOperatorPrivilege</p></td><td align="left"><p>Manage disk share</p></td></tr></tbody></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2560952"></a>Using the “<span class="quote"><span class="emphasis"><em>net rpc rights</em></span></span>” Utility</h3></div></div></div><p>
47
There are two primary means of managing the rights assigned to users and groups
48
on a Samba server. The <span><b class="command">NT4 User Manager for Domains</b></span> may be
49
used from any Windows NT4, 2000 or XP Professional domain member client to
50
connect to a Samba domain controller and view/modify the rights assignments.
51
This application, however, appears to have bugs when run on a client running
52
Windows 2000 or later, therefore Samba provides a command line utility for
53
performing the necessary administrative actions.
55
The <span><b class="command">net rpc rights</b></span> utility in Samba 3.0.11 has 3 new subcommands:
56
</p><div class="variablelist"><dl><dt><span class="term">list [name|accounts]</span></dt><dd><p>
57
When called with no arguments, <span><b class="command">net rpc list</b></span>
58
will simply list the available rights on the server. When passed
59
a specific user or group name, the tool lists the privileges
60
currently assigned to the specified account. When invoked using
61
the special string <tt class="constant">accounts</tt>,
62
<span><b class="command">net rpc rights list</b></span> will return a list of all
63
privileged accounts on the server and the assigned rights.
64
</p></dd><dt><span class="term">grant <user> <right [right ...]></span></dt><dd><p>
65
When called with no arguments, This function is used to assign
66
a list of rights to a specified user or group. For example,
67
to grant the members of the Domain Admins group on a Samba DC
68
the capability to add client machines to the domain, one would run:
69
</p><pre class="screen">
70
<tt class="prompt">root# </tt> net -S server -U domadmin rpc rights grant \
71
'DOMAIN\Domain Admins' SeMachineAccountPrivilege
73
More than one privilege can be assigned by specifying a
74
list of rights separated by spaces. The parameter 'Domain\Domain Admins'
75
must be quoted with single ticks or using double-quotes to prevent
76
the back-slash and the space from being interpreted by the system shell.
77
</p></dd><dt><span class="term">revoke <user> <right [right ...]></span></dt><dd><p>
78
This command is similar in format to <span><b class="command">net rpc rights grant</b></span>. It's
79
effect is to remove an assigned right (or list of rights) from a user or group.
80
</p></dd></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
81
You must be connected as a member of the Domain Admins group to be able to
82
grant or revoke privileges assigned to an account. This capability is
83
inherent to the Domain Admins group and is not configurable.
85
By default, no privileges are initially assigned to any
86
account. The reason for this is that certain actions will
87
be performed as root once smbd determines that a user has
88
the necessary rights. For example, when joining a client to
89
a Windows domain, the 'add machine script' must be executed
90
with superuser rights in most cases. For this reason, you
91
should be very careful about handing out privileges to
94
Access as the root user (UID=0) bypasses all privilege checks.
95
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2561101"></a>Description of Privileges</h3></div></div></div><p>
96
The privileges that have been implemented in Samba-3.0.11 are shown below.
97
It is possible, and likely, that additional privileges may be implemented in
98
later releases of Samba. It is also likely that any privileges currently implemented
99
but not used may be removed from future releases, thus it is important that
100
the successful as well as unsuccessful use of these facilities should be reported
101
on the Samba mailing lists.
102
</p><div class="variablelist"><dl><dt><span class="term">SeAddUsersPrivilege</span></dt><dd><p>
103
This right determines whether or not smbd will allow the
104
user to create new user or group accounts via such tools
105
as <span><b class="command">net rpc user add</b></span> or
106
<span><b class="command">NT4 User Manager for Domains.</b></span>
107
</p></dd><dt><span class="term">SeDiskOperatorPrivilege</span></dt><dd><p>
108
Accounts which posses this right will be able to execute
109
scripts defined by the <span><b class="command">add/delete/change</b></span>
110
share command in <tt class="filename">smb.conf</tt> file as root. Such users will
111
also be able to modify the ACL associated with file shares
113
</p></dd><dt><span class="term">SeMachineAccountPrivilege</span></dt><dd><p>
114
Controls whether or not the user is able join client
115
machines to a Samba controlled domain.
116
</p></dd><dt><span class="term">SePrintOperatorPrivilege</span></dt><dd><p>
117
This privilege operates identically to the
118
<a class="indexterm" name="id2561191"></a>printer admin
119
option in the <tt class="filename">smb.conf</tt> file (see section 5 man page for <tt class="filename">smb.conf</tt>)
120
except that it is a global right (not on a per printer basis).
121
Eventually the smb.conf option will be deprecated and administrative
122
rights to printers will be controlled exclusively by this right and
123
the security descriptor associated with the printer object in the
124
<tt class="filename">ntprinters.tdb</tt> file.
125
</p></dd><dt><span class="term">SeRemoteShutdownPrivilege</span></dt><dd><p>
126
Samba provides two hooks for shutting down or rebooting
127
the server and for aborting a previously issued shutdown
128
command. Since this is an operation normally limited by
129
the operating system to the root user, an account must possess this
130
right to be able to execute either of these hooks to have any effect.
131
</p></dd></dl></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2561242"></a>The Administrator Domain SID</h2></div></div></div><p>
132
Please note that when configured as a DC, it is now required
133
that an account in the server's passdb backend be set to the
134
domain SID of the default Administrator account. To obtain the
135
domain SID on a Samba DC, run the following command:
137
</p><pre class="screen">
138
<tt class="prompt">root# </tt> net getlocalsid
139
SID for domain FOO is: S-1-5-21-4294955119-3368514841-2087710299
141
You may assign the Domain Administrator rid to an account using the <span><b class="command">pdbedit</b></span>
142
command as shown here:
143
</p><pre class="screen">
144
<tt class="prompt">root# </tt> pdbedit -U S-1-5-21-4294955119-3368514841-2087710299-500 -u root -r
146
</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="idmapper.html">Prev</a>�</td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right">�<a accesskey="n" href="AccessControls.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter�12.�Identity Mapping (IDMAP)�</td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top">�Chapter�14.�File, Directory and Share Access Controls</td></tr></table></div></body></html>