summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJohn Terpstra <jht@samba.org>2005-06-22 07:01:29 +0000
committerGerald W. Carter <jerry@samba.org>2008-04-23 08:46:52 -0500
commit99587b2b3cd4eb6699b1480f0559da9b393777ea (patch)
treee70e58d687895c29f0fb00e94c31023c9fa19842
parentbbb2d583fe7760270e23824c3be24f39d5b6d986 (diff)
downloadsamba-99587b2b3cd4eb6699b1480f0559da9b393777ea.tar.gz
samba-99587b2b3cd4eb6699b1480f0559da9b393777ea.tar.bz2
samba-99587b2b3cd4eb6699b1480f0559da9b393777ea.zip
Relocating Privilege info.
(This used to be commit 78ad3dd24b2b6bbd747b6c1d3ddf9cd803cc20de)
-rw-r--r--docs/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml58
-rw-r--r--docs/Samba3-HOWTO/TOSHARG-TheNetCommand.xml39
2 files changed, 57 insertions, 40 deletions
diff --git a/docs/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml b/docs/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml
index 15a963943b..be83542129 100644
--- a/docs/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml
+++ b/docs/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml
@@ -57,7 +57,7 @@ access to the UNIX host system.
<title>Rights Management Capabilities</title>
<para>
-Samba 3.0.11 introduces support for the Windows privilege model. This model
+Samba 3.0.11 introduced support for the Windows privilege model. This model
allows certain rights to be assigned to a user or group SID. In order to enable
this feature, <smbconfoption name="enable privileges">yes</smbconfoption>
must be defined in the <smbconfsection name="global"/> section of the &smb.conf; file.
@@ -100,6 +100,18 @@ The remainder of this chapter explains how to manage and use these privileges on
<entry><para>SeDiskOperatorPrivilege</para></entry>
<entry><para>Manage disk share</para></entry>
</row>
+ <row>
+ <entry><para>SeBackupPrivilege</para></entry>
+ <entry><para>Back up files and directories</para></entry>
+ </row>
+ <row>
+ <entry><para>SeRestorePrivilege</para></entry>
+ <entry><para>Restore files and directories</para></entry>
+ </row>
+ <row>
+ <entry><para>SeTakeOwnershipPrivilege</para></entry>
+ <entry><para>Take ownership of files or other objects</para></entry>
+ </row>
</tbody>
</tgroup>
</table>
@@ -249,6 +261,50 @@ on the Samba mailing lists.
</sect2>
+<sect2>
+<title>Privileges Suppored by Windows 2000 Domain Controllers</title>
+
+<para>
+ For reference purposes, a Windows 2000 Domain Controller reports that it supports the following
+ privileges:
+<screen>
+ SeCreateTokenPrivilege Create a token object
+ SeAssignPrimaryTokenPrivilege Replace a process level token
+ SeLockMemoryPrivilege Lock pages in memory
+ SeIncreaseQuotaPrivilege Increase quotas
+ SeMachineAccountPrivilege Add workstations to domain
+ SeTcbPrivilege Act as part of the operating system
+ SeSecurityPrivilege Manage auditing and security log
+ SeTakeOwnershipPrivilege Take ownership of files or other objects
+ SeLoadDriverPrivilege Load and unload device drivers
+ SeSystemProfilePrivilege Profile system performance
+ SeSystemtimePrivilege Change the system time
+SeProfileSingleProcessPrivilege Profile single process
+SeIncreaseBasePriorityPrivilege Increase scheduling priority
+ SeCreatePagefilePrivilege Create a pagefile
+ SeCreatePermanentPrivilege Create permanent shared objects
+ SeBackupPrivilege Back up files and directories
+ SeRestorePrivilege Restore files and directories
+ SeShutdownPrivilege Shut down the system
+ SeDebugPrivilege Debug programs
+ SeAuditPrivilege Generate security audits
+ SeSystemEnvironmentPrivilege Modify firmware environment values
+ SeChangeNotifyPrivilege Bypass traverse checking
+ SeRemoteShutdownPrivilege Force shutdown from a remote system
+ SeUndockPrivilege Remove computer from docking station
+ SeSyncAgentPrivilege Synchronize directory service data
+ SeEnableDelegationPrivilege Enable computer and user accounts to
+ be trusted for delegation
+ SeManageVolumePrivilege Perform volume maintenance tasks
+ SeImpersonatePrivilege Impersonate a client after authentication
+ SeCreateGlobalPrivilege Create global objects
+</screen>
+ The Samba Team are implementing only those privileges that are logical and useful in the UNIX/Linux
+ envronment. Many of the Windows 200X/XP privileges have no direct equivalence in UNIX.
+ </para>
+
+</sect2>
+
</sect1>
<sect1>
diff --git a/docs/Samba3-HOWTO/TOSHARG-TheNetCommand.xml b/docs/Samba3-HOWTO/TOSHARG-TheNetCommand.xml
index 01060955dc..fd3830ee9f 100644
--- a/docs/Samba3-HOWTO/TOSHARG-TheNetCommand.xml
+++ b/docs/Samba3-HOWTO/TOSHARG-TheNetCommand.xml
@@ -880,45 +880,6 @@ No privileges assigned
</para>
<para>
- For reference purposes, a Windows 2000 Domain Controller reports that it supports the following
- privileges:
-<screen>
- SeCreateTokenPrivilege Create a token object
- SeAssignPrimaryTokenPrivilege Replace a process level token
- SeLockMemoryPrivilege Lock pages in memory
- SeIncreaseQuotaPrivilege Increase quotas
- SeMachineAccountPrivilege Add workstations to domain
- SeTcbPrivilege Act as part of the operating system
- SeSecurityPrivilege Manage auditing and security log
- SeTakeOwnershipPrivilege Take ownership of files or other objects
- SeLoadDriverPrivilege Load and unload device drivers
- SeSystemProfilePrivilege Profile system performance
- SeSystemtimePrivilege Change the system time
-SeProfileSingleProcessPrivilege Profile single process
-SeIncreaseBasePriorityPrivilege Increase scheduling priority
- SeCreatePagefilePrivilege Create a pagefile
- SeCreatePermanentPrivilege Create permanent shared objects
- SeBackupPrivilege Back up files and directories
- SeRestorePrivilege Restore files and directories
- SeShutdownPrivilege Shut down the system
- SeDebugPrivilege Debug programs
- SeAuditPrivilege Generate security audits
- SeSystemEnvironmentPrivilege Modify firmware environment values
- SeChangeNotifyPrivilege Bypass traverse checking
- SeRemoteShutdownPrivilege Force shutdown from a remote system
- SeUndockPrivilege Remove computer from docking station
- SeSyncAgentPrivilege Synchronize directory service data
- SeEnableDelegationPrivilege Enable computer and user accounts to
- be trusted for delegation
- SeManageVolumePrivilege Perform volume maintenance tasks
- SeImpersonatePrivilege Impersonate a client after authentication
- SeCreateGlobalPrivilege Create global objects
-</screen>
- The Samba Team are implementing only those privileges that are logical and useful in the UNIX/Linux
- envronment. Many of the Windows 200X/XP privileges have no direct equivalence in UNIX.
- </para>
-
- <para>
In this example, all rights are assigned to the <constant>Domain Admins</constant> group. This is a good
idea since members of this group are generally expected to be all-powerful. This assignment makes that
the reality: