author | John Terpstra <jht@samba.org> | 2005-05-16 21:38:34 +0000 |
---|---|---|
committer | Gerald W. Carter <jerry@samba.org> | 2008-04-23 08:46:35 -0500 |
commit | d2dc286b2115d3629730276aa4246ee8ce6c5f4a (patch) | |
tree | ed8591a32831cf4f61f108ca78647db9a1bc9e8b | |
parent | 11fc47a68354353e08393f78462608a7b0ea570c (diff) | |
Progress update only.
(This used to be commit 471c811da4804c340a0982bdd7a20e80fd7c8008)
-rw-r--r-- | docs/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml | 147 |
1 files changed, 135 insertions, 12 deletions
diff --git a/docs/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml b/docs/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml index 2675820164..b4fab1c978 100644 --- a/docs/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml +++ b/docs/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml @@ -83,8 +83,10 @@ the infliction of self induced pain, agony and desperation. Be warned, this is a exhaustive, and thus it is incomplete. Since the primary focus is on migration from Windows servers to a Samba server the emphasis is on the use of the DCE RPC mode of operation. When used against a server that is a member of an Active Directory domain it is preferable (and often necessary) to use ADS mode - operations. The <command>net</command> command supports both, but not for every operation. Please refer - to the man page for a more comprehensive overview of the capabilities of this utility. + operations. The <command>net</command> command supports both, but not for every operation. For most + operations, if the mode is not specified <command>net</command> will automatically fall back via + the <constant>ads, rpc, rap</constant> modes. Please refer to the man page for a more comprehensive + overview of the capabilities of this utility. </para> </sect1> @@ -181,7 +183,7 @@ SupportEngrs:x:1003: results in immediate mapping of the POSIX group that has been created to the Windows group account as whown here: <screen> -merlin:~ # net groupmap list +&rootprompt; net groupmap list Domain Admins (S-1-5-21-72630-4128915-11681869-512) -> Domain Admins Domain Users (S-1-5-21-72630-4128915-11681869-513) -> Domain Users Domain Guests (S-1-5-21-72630-4128915-11681869-514) -> Domain Guests 
@@ -340,7 +342,7 @@ Engineers (S-1-5-21-72630-412605-116429-3001) -> Engineers group mapping, a member of the Windows group, an attempt to add this account again should fail. This is demonstrated here: <screen> -merlin:~ # net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot%not24get +&rootprompt; net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot%not24get Could not add ajt to MIDEARTH\Engineers: NT_STATUS_MEMBER_IN_GROUP </screen> This showns that the group mapping between UNIX/Linux groups and Windows groups is effective and @@ -450,6 +452,16 @@ DOM\jht </screen> </para> + <para> + Windows network administrators often ask on the Samba mailing list how it is possible to grant everyone + administrative rights on their own workstation. This is of course a very bad practice, but commonly done + to avoid user complaints. Here is how it can be done remotely from a Samba PDC or BDC: +<screen> +&rootprompt; net rpc group addmem "Administrators" "Domain Users" \ + -S WINPC032 -Uadministrator%secret +</screen> + </para> + </sect2> </sect1> 
@@ -469,13 +481,37 @@ DOM\jht Although this is not the appropriate place to discuss the <smbconfoption name="username map"/> facility, this interface is an important method of mapping a Windows user account to a UNIX account that has a different name. Refer to the man page for the &smb.conf; file for more information regarding this - facility. User name mappings can not be managed usinf the <command>net</command> utility. + facility. User name mappings can not be managed using the <command>net</command> utility. </para> - <sect2> + <sect2 id="sbeuseraddn"> <title>Adding User Accounts</title> <para> + The syntax for adding a user account via the <command>net</command> (according to the man page) is shown + here: +<screen> +net [<method>] user ADD <name> [-c container] [-F user flags] \ + [misc. options] [targets] +</screen> + The user account password may be set using this syntax: +<screen> +net rpc password <username> [<password>] -Uadmin_username%admin_pass +</screen> + </para> + + <para> + The following demonstrates the addition of an account to the server <constant>FRODO</constant>: +<screen> +&rootprompt; net rpc user add jacko -S FRODO -Uroot%not24get +Added user jacko +</screen> + The account password can be set with the following methods (all show the same operation): +<screen> +&rootprompt; net rpc password jacko f4sth0rse -S FRODO -Uroot%not24get +&rootprompt; net rpc user password jacko f4sth0rse \ + -S FRODO -Uroot%not24get +</screen> </para> </sect2> 
@@ -484,14 +520,40 @@ DOM\jht <title>Deletion of User Accounts</title> <para> + Deletion of a user account can be done using the following syntax: +<screen> +net [<method>] user DELETE <name> [misc. options] [targets] +</screen> + The following command will delete the user account <constant>jacko</constant>: +<screen> +&rootprompt; net rpc user delete jacko -Uroot%not24get +Deleted user account +</screen> </para> </sect2> <sect2> - <title>Modification of User Accounts</title> + <title>Managing User Accounts</title> + + <para> + Two basic user accont operations are routinely used, change of password and querying which groups a user + is a member of. The change of password operation is shown in <link linkend="sbeuseraddn"/>. + </para> <para> + The ability to query Windows group membership can be essential. Here is how a remote server may be + interrogated to find which groups a user is a member of: +<screen> +&rootprompt; net rpc user info jacko -S SAURON -Uroot%not24get +net rpc user info jacko -S SAURON -Uroot%not24get +Domain Users +Domain Admins +Engineers +TorridGroup +BOP Shop +Emergency Services +</screen> </para> </sect2> 
@@ -500,6 +562,21 @@ DOM\jht <title>User Mapping</title> <para> + In some situations it is unavoidable that a users' Windows logon name will differ from the login ID + that user has on the Samba server. It is possible to create a special file on the Samba server that + will permit the Windows user name to be mapped to a different UNIX/Linux user name. The &smb.conf; + file must also be ammended so that the <constant>[global]</constant> stanza contains the parameter: +<screen> +username map = /etc/samba/smbusers +</screen> + The content of the <filename>/etc/samba/smbusers</filename> file is shown here: +<screen> +parsonsw: "William Parsons" +marygee: geeringm +</screen> + In this example the Windows user account <quote>William Parsons</quote> will be mapped to the UNIX user + <constant>parsonsw</constant>, and the Windows user account <quote>geeringm</quote> will be mapped to the + UNIX user <constant>marygee</constant>. </para> </sect2> 
@@ -510,6 +587,29 @@ DOM\jht <title>Administering User Rights and Privileges</title> <para> + With all versions of Samba earlier than 3.0.11 the only account on a Samba server that had the ability + to manage users, groups, shares, printers, etc. is the <constant>root</constant> account. This caused + immense problems for some users and was a frequent source of scorn over the necessity to hand out the + credentials for the most security sensitive account on a UNIX/Linux system. + </para> + + <para> + New to Samba version 3.0.11 is the ability to delegate administrative privileges as necessary to either + a normal user, or to groups of users. The significance of the administrative privileges is documented + in <link linkend="rights"/>. Examples of use of the <command>net</command> for user rights and privilege + management is appropriate to this chapter. + </para> + + <note><para> + When user rights and privileges are correctly set there is no longer a need for there to be a Windows + network account for the <constant>root</constant> user (nor for any synonym of it) with a UNIX UID=0. + Initial user rights and privileges can be assigned by any account that is a member of the <constant> + Domain Admins</constant> group. Rights can be assigned to user as well as group accounts. + </para></note> + + <para> + By default, no privileges and rights are assigned. This is demonstrated by executing the command + shown here: <screen> &rootprompt; net rpc rights list accounts -U root%not24get BUILTIN\Print Operators 
@@ -529,26 +629,49 @@ No privileges assigned Everyone No privileges assigned +</screen> + </para> + <para> + The <command>net</command> command can be used to obtain the currently supported capabilities for rights + and privileges using this method: +<screen> &rootprompt; net rpc rights list -U root%not24get SeMachineAccountPrivilege Add machines to domain SePrintOperatorPrivilege Manage printers SeAddUsersPrivilege Add users and groups to the domain SeRemoteShutdownPrivilege Force shutdown from a remote system SeDiskOperatorPrivilege Manage disk shares +</screen> + Machine account privilege is necessary to permit a Windows NT4 or later network client to be added to the + domain. The disk operator privilege is necessary to permit the user to manage share ACLs and file and + directory ACLs for objects not owned by the user. + </para> + <para> + In this example, all rights are assigned to the <constant>Domain Admins</constant> group. This is a good + idea since members of this group are generally expected to be all-powerful. This assignment makes that + the reality: +<screen> &rootprompt; net rpc rights grant "MIDEARTH\Domain Admins" \ SeMachineAccountPrivilege SePrintOperatorPrivilege \ SeAddUsersPrivilege SeRemoteShutdownPrivilege \ SeDiskOperatorPrivilege -U root%not24get Successfully granted rights. - +</screen> + Next, the domain user <constant>jht</constant> is given the privileges needed for day to day + administration: &rootprompt; net rpc rights grant "MIDEARTH\jht" \ SeMachineAccountPrivilege SePrintOperatorPrivilege \ SeAddUsersPrivilege SeDiskOperatorPrivilege \ -U root%not24get Successfully granted rights. +</screen> + </para> + <para> + The following step permits validation of the changes just made: +<screen> &rootprompt; net rpc rights list accounts -U root%not24get MIDEARTH\jht SeMachineAccountPrivilege 
@@ -650,12 +773,12 @@ Join to 'MIDEARTH' is OK file system is the directory <filename>/data</filename>. The command that can be executed to perform the addition of this share is shown here: <screen> -&rootprompt; net rpc share add Bulge=/data -S merlin -Uroot%not24get +&rootprompt; net rpc share add Bulge=/data -S MERLIN -Uroot%not24get </screen> Validation is an important process, and by executing the command <command>net rpc share</command> with no other operators a listing of available shares is shown here: <screen> -&rootprompt; net rpc share -S merlin -Uroot%not24get +&rootprompt; net rpc share -S MERLIN -Uroot%not24get profdata archive Bulge <--- This one was added @@ -672,11 +795,11 @@ ADMIN$ Often times it is desirable also to permit a share to be removed using a command-line tool. The following step permits the share that was previously added to be removed: <screen> -&rootprompt; net rpc share delete Bulge -S merlin -Uroot%not24get +&rootprompt; net rpc share delete Bulge -S MERLIN -Uroot%not24get </screen> A simple validation shown here demonstrates that the share has been removed: <screen> -&rootprompt; net rpc share -S merlin -Uroot%not24get +&rootprompt; net rpc share -S MERLIN -Uroot%not24get profdata archive print$ |
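Review bot: in the @@ -83 hunk, `<constant>ads, rpc, rap</constant>` wraps three separate mode names in one constant element, so the rendered text presents the comma-separated list as a single literal; mark each mode on its own, e.g. `<constant>ads</constant>, <constant>rpc</constant>, <constant>rap</constant>`. Since the preceding sentence says that not every operation supports both modes, the new "For most operations ... will automatically fall back" sentence should also say that the fallback order applies only where the operation is implemented in more than one mode.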
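Review bot: the context line "as whown here" in the @@ -181 hunk has a typo ("shown"); this hunk already touches the prompt line directly below it, so fix the typo in the same change.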
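Review bot: the context line "This showns that the group mapping" in the @@ -340 hunk should read "This shows"; same situation as the previous hunk, the prompt line above it is already being edited.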
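Review bot: the new paragraph in the @@ -450 hunk labels the procedure "a very bad practice" but does not say what the command does, which is the reason it is bad: it adds every member of "Domain Users" to the local Administrators group of WINPC032, so every domain account becomes a full administrator of that workstation. State that consequence next to the example. Also consider writing the credential as `-Uadministrator` without the `%secret` suffix so net prompts for the password instead of the password landing in shell history and process listings; this pattern recurs throughout the chapter and the reader will copy it.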
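Review bot: the two `<screen>` blocks added in the @@ -469 hunk contain raw `<method>`, `<name>`, `<username>` and `<password>`, which the XML parser reads as element start tags rather than literal text, so the document will fail to build; escape them as `&lt;method&gt;` and so on, or wrap them in `<replaceable>`. The sentence "The syntax for adding a user account via the <command>net</command> (according to the man page)" is missing the word "command" after the element.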
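Review bot: the DELETE syntax `<screen>` in the @@ -484 hunk has the same unescaped `<name>` problem as the previous hunk. "Two basic user accont operations" should read "account". In the `net rpc user info` output the command line appears twice, once after `&rootprompt;` and once as the first line of output; the second looks like a paste artifact and should be dropped so the listing shows only the group names.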
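Review bot: the smbusers example in the @@ -500 hunk uses a colon as separator (`parsonsw: "William Parsons"`), but smb.conf(5) documents the username map file as `unixname = windowsname`, and a line without "=" is not recognised as a mapping; the example should read `parsonsw = "William Parsons"` and `marygee = geeringm`, otherwise a reader who copies it gets no mapping at all. Also "a users' Windows logon name" should be "a user's", and "ammended" should be "amended".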
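Review bot: in the note added by the @@ -510 hunk, `<constant>` followed by a line break and then `Domain Admins</constant>` puts leading whitespace inside the element, which shows up in the rendered monospace text; keep the constant on one line. The first paragraph mixes tenses ("had the ability ... is the <constant>root</constant> account"), and "Examples of use ... is appropriate" should be "are appropriate". The note's point that a correctly privileged setup removes the need for any UID 0 network account is the most important security statement in the section and is worth stating in the body text rather than only in the note.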
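Review bot: the second command block in the @@ -529 hunk is missing its opening `<screen>`: after the line "administration:" the `&rootprompt; net rpc rights grant "MIDEARTH\jht"` lines run inline in the paragraph, and the `</screen>` that follows "Successfully granted rights." has no matching start tag, so the file is no longer well-formed XML. Add `+<screen>` after "administration:". Since the jht grant deliberately omits SeRemoteShutdownPrivilege while the Domain Admins grant above it includes it, say so in the prose; a reader comparing the two commands will otherwise assume it was forgotten.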