diff options
author | Gerald W. Carter <jerry@samba.org> | 2008-04-22 10:09:40 -0500 |
---|---|---|
committer | Gerald W. Carter <jerry@samba.org> | 2008-04-23 08:47:48 -0500 |
commit | 8f8a9f01909ba29e2b781310baeeaaddc3f15f0d (patch) | |
tree | 90c6b720ad3a7bc815245c0ef28820424f89d658 /docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml | |
parent | 197238246389c40edc60c6630d18d6913086e630 (diff) | |
download | samba-8f8a9f01909ba29e2b781310baeeaaddc3f15f0d.tar.gz samba-8f8a9f01909ba29e2b781310baeeaaddc3f15f0d.tar.bz2 samba-8f8a9f01909ba29e2b781310baeeaaddc3f15f0d.zip |
Moving docs tree to docs-xml to make room for generated docs in the release tarball.
(This used to be commit 9f672c26d63955f613088489c6efbdc08b5b2d14)
Diffstat (limited to 'docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml')
-rw-r--r-- | docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml | 600 |
1 files changed, 600 insertions, 0 deletions
diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml b/docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml new file mode 100644 index 0000000000..5ce64ddffd --- /dev/null +++ b/docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml @@ -0,0 +1,600 @@ +<?xml version="1.0" encoding="iso-8859-1"?> +<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc"> +<chapter id="rights"> +<chapterinfo> + &author.jerry; + &author.jht; +</chapterinfo> + +<title>User Rights and Privileges</title> + +<para> +<indexterm><primary>Windows user</primary></indexterm> +<indexterm><primary>Windows group</primary></indexterm> +<indexterm><primary>machine accounts</primary></indexterm> +<indexterm><primary>ADS</primary></indexterm> +The administration of Windows user, group, and machine accounts in the Samba +domain-controlled network necessitates interfacing between the MS Windows +networking environment and the UNIX operating system environment. The right +(permission) to add machines to the Windows security domain can be assigned +(set) to non-administrative users both in Windows NT4 domains and +Active Directory domains. +</para> + +<para> +<indexterm><primary>Windows NT4/2kX/XPPro</primary></indexterm> +<indexterm><primary>machine account</primary></indexterm> +<indexterm><primary>trusted</primary></indexterm> +<indexterm><primary>user logons</primary></indexterm> +The addition of Windows NT4/2kX/XPPro machines to the domain necessitates the +creation of a machine account for each machine added. The machine account is +a necessity that is used to validate that the machine can be trusted to permit +user logons. +</para> + +<para> +<indexterm><primary>user accounts</primary></indexterm> +<indexterm><primary>special account</primary></indexterm> +<indexterm><primary>account name</primary></indexterm> +<indexterm><primary>/bin/false</primary></indexterm> +<indexterm><primary>/dev/null</primary></indexterm> +<indexterm><primary>man-in-the-middle</primary></indexterm> +Machine accounts are analogous to user accounts, and thus in implementing them on a UNIX machine that is +hosting Samba (i.e., on which Samba is running), it is necessary to create a special type of user account. +Machine accounts differ from normal user accounts in that the account name (login ID) is terminated with a +<literal>$</literal> sign. An additional difference is that this type of account should not ever be able to +log into the UNIX environment as a system user and therefore is set to have a shell of +<command>/bin/false</command> and a home directory of <command>/dev/null.</command> The machine +account is used only to authenticate domain member machines during start-up. This security measure +is designed to block man-in-the-middle attempts to violate network integrity. +</para> + +<note><para> +<indexterm><primary>computer accounts</primary></indexterm> +<indexterm><primary>domain member servers</primary></indexterm> +<indexterm><primary>domain controller</primary></indexterm> +<indexterm><primary>credentials</primary></indexterm> +<indexterm><primary>secure authentication</primary></indexterm> +Machine (computer) accounts are used in the Windows NT OS family to store security +credentials for domain member servers and workstations. When the domain member +starts up, it goes through a validation process that includes an exchange of +credentials with a domain controller. If the domain member fails to authenticate +using the credentials known for it by domain controllers, the machine will be refused +all access by domain users. The computer account is essential to the way that MS +Windows secures authentication. +</para></note> + +<para> +<indexterm><primary>UNIX system accounts</primary></indexterm> +<indexterm><primary>system administrator</primary></indexterm> +<indexterm><primary>root</primary></indexterm> +<indexterm><primary>UID</primary></indexterm> +The creation of UNIX system accounts has traditionally been the sole right of +the system administrator, better known as the <constant>root</constant> account. +It is possible in the UNIX environment to create multiple users who have the +same UID. Any UNIX user who has a UID=0 is inherently the same as the +<constant>root</constant> account user. +</para> + +<para> +<indexterm><primary>system interface scripts</primary></indexterm> +<indexterm><primary>CIFS function calls</primary></indexterm> +<indexterm><primary>root account</primary></indexterm> +<indexterm><primary>UNIX host system</primary></indexterm> +All versions of Samba call system interface scripts that permit CIFS function +calls that are used to manage users, groups, and machine accounts +in the UNIX environment. All versions of Samba up to and including version 3.0.10 +required the use of a Windows administrator account that unambiguously maps to +the UNIX <constant>root</constant> account to permit the execution of these +interface scripts. The requirement to do this has understandably met with some +disdain and consternation among Samba administrators, particularly where it became +necessary to permit people who should not possess <constant>root</constant>-level +access to the UNIX host system. +</para> + +<sect1> +<title>Rights Management Capabilities</title> + +<para> +<indexterm><primary>Windows privilege model</primary></indexterm> +<indexterm><primary>privilege model</primary></indexterm> +<indexterm><primary>rights assigned</primary></indexterm> +<indexterm><primary>SID</primary></indexterm> +Samba 3.0.11 introduced support for the Windows privilege model. This model +allows certain rights to be assigned to a user or group SID. In order to enable +this feature, <smbconfoption name="enable privileges">yes</smbconfoption> +must be defined in the <smbconfsection name="global"/> section of the &smb.conf; file. +</para> + +<para> +<indexterm><primary>rights</primary></indexterm> +<indexterm><primary>privileges</primary></indexterm> +<indexterm><primary>manage privileges</primary></indexterm> +Currently, the rights supported in Samba-3 are listed in <link linkend="rp-privs"/>. +The remainder of this chapter explains how to manage and use these privileges on Samba servers. +</para> + +<indexterm><primary>SeMachineAccountPrivilege</primary></indexterm> +<indexterm><primary>SePrintOperatorPrivilege</primary></indexterm> +<indexterm><primary>SeAddUsersPrivilege</primary></indexterm> +<indexterm><primary>SeRemoteShutdownPrivilege</primary></indexterm> +<indexterm><primary>SeDiskOperatorPrivilege</primary></indexterm> +<indexterm><primary>SeTakeOwnershipPrivilege</primary></indexterm> +<table id="rp-privs"> + <title>Current Privilege Capabilities</title> + <tgroup cols="2"> + <colspec align="right"/> + <colspec align="left"/> + <thead> + <row> + <entry align="left">Privilege</entry> + <entry align="left">Description</entry> + </row> + </thead> + <tbody> + <row> + <entry><para>SeMachineAccountPrivilege</para></entry> + <entry><para>Add machines to domain</para></entry> + </row> + <row> + <entry><para>SePrintOperatorPrivilege</para></entry> + <entry><para>Manage printers</para></entry> + </row> + <row> + <entry><para>SeAddUsersPrivilege</para></entry> + <entry><para>Add users and groups to the domain</para></entry> + </row> + <row> + <entry><para>SeRemoteShutdownPrivilege</para></entry> + <entry><para>Force shutdown from a remote system</para></entry> + </row> + <row> + <entry><para>SeDiskOperatorPrivilege</para></entry> + <entry><para>Manage disk share</para></entry> + </row> +<!-- These are not used at this time - so void them from the docs. + <row> + <entry><para>SeBackupPrivilege</para></entry> + <entry><para>Back up files and directories</para></entry> + </row> + <row> + <entry><para>SeRestorePrivilege</para></entry> + <entry><para>Restore files and directories</para></entry> + </row> +**** End of commented out section **** --> + <row> + <entry><para>SeTakeOwnershipPrivilege</para></entry> + <entry><para>Take ownership of files or other objects</para></entry> + </row> + </tbody> + </tgroup> +</table> + +<sect2> +<title>Using the <quote>net rpc rights</quote> Utility</title> + +<para> +<indexterm><primary>managing rights</primary></indexterm> +<indexterm><primary>rights assigned</primary></indexterm> +<indexterm><primary>NT4 User Manager for Domains</primary></indexterm> +<indexterm><primary>command-line utility</primary></indexterm> +<indexterm><primary>administrative actions</primary></indexterm> +There are two primary means of managing the rights assigned to users and groups +on a Samba server. The <command>NT4 User Manager for Domains</command> may be +used from any Windows NT4, 2000, or XP Professional domain member client to +connect to a Samba domain controller and view/modify the rights assignments. +This application, however, appears to have bugs when run on a client running +Windows 2000 or later; therefore, Samba provides a command-line utility for +performing the necessary administrative actions. +</para> + +<para> +The <command>net rpc rights</command> utility in Samba 3.0.11 has three new subcommands: +</para> + +<variablelist> + <varlistentry><term>list [name|accounts]</term> + <listitem><para> +<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>list</tertiary></indexterm> +<indexterm><primary>available rights</primary></indexterm> +<indexterm><primary>privileges assigned</primary></indexterm> +<indexterm><primary>privileged accounts</primary></indexterm> + When called with no arguments, <command>net rpc list</command> + simply lists the available rights on the server. When passed + a specific user or group name, the tool lists the privileges + currently assigned to the specified account. When invoked using + the special string <constant>accounts</constant>, + <command>net rpc rights list</command> returns a list of all + privileged accounts on the server and the assigned rights. + </para></listitem> + </varlistentry> + + <varlistentry><term>grant <user> <right [right ...]></term> + <listitem><para> +<indexterm><primary>assign rights</primary></indexterm> +<indexterm><primary>grant rights</primary></indexterm> +<indexterm><primary>add client machines</primary></indexterm> +<indexterm><primary>user or group</primary></indexterm> + When called with no arguments, this function is used to assign + a list of rights to a specified user or group. For example, + to grant the members of the Domain Admins group on a Samba domain controller, + the capability to add client machines to the domain, one would run: +<screen> +&rootprompt; net -S server -U domadmin rpc rights grant \ + 'DOMAIN\Domain Admins' SeMachineAccountPrivilege +</screen> + The following syntax has the same result: +<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>rights grant</tertiary></indexterm> +<screen> +&rootprompt; net rpc rights grant 'DOMAIN\Domain Admins' \ + SeMachineAccountPrivilege -S server -U domadmin +</screen> + More than one privilege can be assigned by specifying a + list of rights separated by spaces. The parameter 'Domain\Domain Admins' + must be quoted with single ticks or using double-quotes to prevent + the backslash and the space from being interpreted by the system shell. + </para></listitem> + </varlistentry> + + <varlistentry><term>revoke <user> <right [right ...]></term> + <listitem><para> + This command is similar in format to <command>net rpc rights grant</command>. Its + effect is to remove an assigned right (or list of rights) from a user or group. + </para></listitem> + </varlistentry> + +</variablelist> + +<note><para> +<indexterm><primary>member</primary></indexterm> +<indexterm><primary>Domain Admins</primary></indexterm> +<indexterm><primary>revoke privileges</primary></indexterm> +You must be connected as a member of the Domain Admins group to be able to grant or revoke privileges assigned +to an account. This capability is inherent to the Domain Admins group and is not configurable. There are no +default rights and privileges, except the ability for a member of the Domain Admins group to assign them. +This means that all administrative rights and privileges (other than the ability to assign them) must be +explicitly assigned, even for the Domain Admins group. +</para></note> + +<para> +<indexterm><primary>performed as root</primary></indexterm> +<indexterm><primary>necessary rights</primary></indexterm> +<indexterm><primary>add machine script</primary></indexterm> +<indexterm><primary></primary></indexterm> +By default, no privileges are initially assigned to any account because certain actions will be performed as +root once smbd determines that a user has the necessary rights. For example, when joining a client to a +Windows domain, <parameter>add machine script</parameter> must be executed with superuser rights in most +cases. For this reason, you should be very careful about handing out privileges to accounts. +</para> + +<para> +<indexterm><primary>Access</primary></indexterm> +<indexterm><primary>root user</primary></indexterm> +<indexterm><primary>bypasses privilege</primary></indexterm> +Access as the root user (UID=0) bypasses all privilege checks. +</para> + +</sect2> + +<sect2> +<title>Description of Privileges</title> + +<para> +<indexterm><primary>privileges</primary></indexterm> +<indexterm><primary>additional privileges</primary></indexterm> +<indexterm><primary>house-keeping</primary></indexterm> +The privileges that have been implemented in Samba-3.0.11 are shown below. It is possible, and likely, that +additional privileges may be implemented in later releases of Samba. It is also likely that any privileges +currently implemented but not used may be removed from future releases as a housekeeping matter, so it is +important that the successful as well as unsuccessful use of these facilities should be reported on the Samba +mailing lists. +</para> + +<variablelist> + <varlistentry><term>SeAddUsersPrivilege</term> + <listitem><para> +<indexterm><primary>SeAddUsersPrivilege</primary></indexterm> +<indexterm><primary>smbd</primary></indexterm> +<indexterm><primary>net rpc user add</primary></indexterm> + This right determines whether or not smbd will allow the + user to create new user or group accounts via such tools + as <command>net rpc user add</command> or + <command>NT4 User Manager for Domains.</command> + </para></listitem> + </varlistentry> + + <varlistentry><term>SeDiskOperatorPrivilege</term> + <listitem><para> +<indexterm><primary>SeDiskOperatorPrivilege</primary></indexterm> +<indexterm><primary>add/delete/change share</primary></indexterm> +<indexterm><primary>ACL</primary></indexterm> + Accounts that possess this right will be able to execute + scripts defined by the <command>add/delete/change</command> + share command in &smb.conf; file as root. Such users will + also be able to modify the ACL associated with file shares + on the Samba server. + </para></listitem> + </varlistentry> + + <varlistentry><term>SeMachineAccountPrivilege</term> + <listitem><para> +<indexterm><primary>SeMachineAccountPrivilege</primary></indexterm> +<indexterm><primary>right to join domain</primary></indexterm> +<indexterm><primary>join client</primary></indexterm> + This right controls whether or not the user can join client + machines to a Samba-controlled domain. + </para></listitem> + </varlistentry> + + <varlistentry><term>SePrintOperatorPrivilege</term> + <listitem><para> +<indexterm><primary>SePrintOperatorPrivilege</primary></indexterm> +<indexterm><primary>privilege</primary></indexterm> +<indexterm><primary>global right</primary></indexterm> +<indexterm><primary>administrative rights</primary></indexterm> +<indexterm><primary>printers admin</primary></indexterm> + This privilege operates identically to the <smbconfoption name="printer admin"/> + option in the &smb.conf; file (see section 5 man page for &smb.conf;) + except that it is a global right (not on a per-printer basis). + Eventually the smb.conf option will be deprecated and administrative + rights to printers will be controlled exclusively by this right and + the security descriptor associated with the printer object in the + <filename>ntprinters.tdb</filename> file. + </para></listitem> + </varlistentry> + + <varlistentry><term>SeRemoteShutdownPrivilege</term> + <listitem><para> +<indexterm><primary>SeRemoteShutdownPrivilege</primary></indexterm> +<indexterm><primary>rebooting server</primary></indexterm> +<indexterm><primary>aborting shutdown</primary></indexterm> + Samba provides two hooks for shutting down or rebooting + the server and for aborting a previously issued shutdown + command. Since this is an operation normally limited by + the operating system to the root user, an account must possess this + right to be able to execute either of these hooks. + </para></listitem> + </varlistentry> + + <varlistentry><term>SeTakeOwnershipPrivilege</term> + <listitem><para> +<indexterm><primary>SeTakeOwnershipPrivilege</primary></indexterm> +<indexterm><primary>take ownership</primary></indexterm> + This right permits users to take ownership of files and directories. + </para></listitem> + </varlistentry> + +</variablelist> + +</sect2> + +<sect2> +<title>Privileges Suppored by Windows 2000 Domain Controllers</title> + +<para> + For reference purposes, a Windows NT4 Primary Domain Controller reports support for the following + privileges: +<indexterm><primary>SeCreateTokenPrivilege</primary></indexterm> +<indexterm><primary>SeAssignPrimaryTokenPrivilege</primary></indexterm> +<indexterm><primary>SeLockMemoryPrivilege</primary></indexterm> +<indexterm><primary>SeIncreaseQuotaPrivilege</primary></indexterm> +<indexterm><primary>SeMachineAccountPrivilege</primary></indexterm> +<indexterm><primary>SeTcbPrivilege</primary></indexterm> +<indexterm><primary>SeSecurityPrivilege</primary></indexterm> +<indexterm><primary>SeTakeOwnershipPrivilege</primary></indexterm> +<indexterm><primary>SeLoadDriverPrivilege</primary></indexterm> +<indexterm><primary>SeSystemProfilePrivilege</primary></indexterm> +<indexterm><primary>SeSystemtimePrivilege</primary></indexterm> +<indexterm><primary>SeProfileSingleProcessPrivilege</primary></indexterm> +<indexterm><primary>SeIncreaseBasePriorityPrivilege</primary></indexterm> +<indexterm><primary>SeCreatePagefilePrivilege</primary></indexterm> +<indexterm><primary>SeCreatePermanentPrivilege</primary></indexterm> +<indexterm><primary>SeBackupPrivilege</primary></indexterm> +<indexterm><primary>SeRestorePrivilege</primary></indexterm> +<indexterm><primary>SeShutdownPrivilege</primary></indexterm> +<indexterm><primary>SeDebugPrivilege</primary></indexterm> +<indexterm><primary>SeAuditPrivilege</primary></indexterm> +<indexterm><primary>SeSystemEnvironmentPrivilege</primary></indexterm> +<indexterm><primary>SeChangeNotifyPrivilege</primary></indexterm> +<indexterm><primary>SeRemoteShutdownPrivilege</primary></indexterm> +<screen> + SeCreateTokenPrivilege Create a token object + SeAssignPrimaryTokenPrivilege Replace a process level token + SeLockMemoryPrivilege Lock pages in memory + SeIncreaseQuotaPrivilege Increase quotas + SeMachineAccountPrivilege Add workstations to domain + SeTcbPrivilege Act as part of the operating system + SeSecurityPrivilege Manage auditing and security log + SeTakeOwnershipPrivilege Take ownership of files or other objects + SeLoadDriverPrivilege Load and unload device drivers + SeSystemProfilePrivilege Profile system performance + SeSystemtimePrivilege Change the system time +SeProfileSingleProcessPrivilege Profile single process +SeIncreaseBasePriorityPrivilege Increase scheduling priority + SeCreatePagefilePrivilege Create a pagefile + SeCreatePermanentPrivilege Create permanent shared objects + SeBackupPrivilege Back up files and directories + SeRestorePrivilege Restore files and directories + SeShutdownPrivilege Shut down the system + SeDebugPrivilege Debug programs + SeAuditPrivilege Generate security audits + SeSystemEnvironmentPrivilege Modify firmware environment values + SeChangeNotifyPrivilege Bypass traverse checking + SeRemoteShutdownPrivilege Force shutdown from a remote system +</screen> + And Windows 200x/XP Domain Controllers and workstations reports to support the following privileges: +<indexterm><primary>SeCreateTokenPrivilege</primary></indexterm> +<indexterm><primary>SeAssignPrimaryTokenPrivilege</primary></indexterm> +<indexterm><primary>SeLockMemoryPrivilege</primary></indexterm> +<indexterm><primary>SeIncreaseQuotaPrivilege</primary></indexterm> +<indexterm><primary>SeMachineAccountPrivilege</primary></indexterm> +<indexterm><primary>SeTcbPrivilege</primary></indexterm> +<indexterm><primary>SeSecurityPrivilege</primary></indexterm> +<indexterm><primary>SeTakeOwnershipPrivilege</primary></indexterm> +<indexterm><primary>SeLoadDriverPrivilege</primary></indexterm> +<indexterm><primary>SeSystemProfilePrivilege</primary></indexterm> +<indexterm><primary>SeSystemtimePrivilege</primary></indexterm> +<indexterm><primary>SeProfileSingleProcessPrivilege</primary></indexterm> +<indexterm><primary>SeIncreaseBasePriorityPrivilege</primary></indexterm> +<indexterm><primary>SeCreatePagefilePrivilege</primary></indexterm> +<indexterm><primary>SeCreatePermanentPrivilege</primary></indexterm> +<indexterm><primary>SeBackupPrivilege</primary></indexterm> +<indexterm><primary>SeRestorePrivilege</primary></indexterm> +<indexterm><primary>SeShutdownPrivilege</primary></indexterm> +<indexterm><primary>SeDebugPrivilege</primary></indexterm> +<indexterm><primary>SeAuditPrivilege</primary></indexterm> +<indexterm><primary>SeSystemEnvironmentPrivilege</primary></indexterm> +<indexterm><primary>SeChangeNotifyPrivilege</primary></indexterm> +<indexterm><primary>SeRemoteShutdownPrivilege</primary></indexterm> +<indexterm><primary>SeUndockPrivilege</primary></indexterm> +<indexterm><primary>SeSyncAgentPrivilege</primary></indexterm> +<indexterm><primary>SeEnableDelegationPrivilege</primary></indexterm> +<indexterm><primary>SeManageVolumePrivilege</primary></indexterm> +<indexterm><primary>SeImpersonatePrivilege</primary></indexterm> +<indexterm><primary>SeCreateGlobalPrivilege</primary></indexterm> +<screen> + SeCreateTokenPrivilege Create a token object + SeAssignPrimaryTokenPrivilege Replace a process level token + SeLockMemoryPrivilege Lock pages in memory + SeIncreaseQuotaPrivilege Increase quotas + SeMachineAccountPrivilege Add workstations to domain + SeTcbPrivilege Act as part of the operating system + SeSecurityPrivilege Manage auditing and security log + SeTakeOwnershipPrivilege Take ownership of files or other objects + SeLoadDriverPrivilege Load and unload device drivers + SeSystemProfilePrivilege Profile system performance + SeSystemtimePrivilege Change the system time +SeProfileSingleProcessPrivilege Profile single process +SeIncreaseBasePriorityPrivilege Increase scheduling priority + SeCreatePagefilePrivilege Create a pagefile + SeCreatePermanentPrivilege Create permanent shared objects + SeBackupPrivilege Back up files and directories + SeRestorePrivilege Restore files and directories + SeShutdownPrivilege Shut down the system + SeDebugPrivilege Debug programs + SeAuditPrivilege Generate security audits + SeSystemEnvironmentPrivilege Modify firmware environment values + SeChangeNotifyPrivilege Bypass traverse checking + SeRemoteShutdownPrivilege Force shutdown from a remote system + SeUndockPrivilege Remove computer from docking station + SeSyncAgentPrivilege Synchronize directory service data + SeEnableDelegationPrivilege Enable computer and user accounts to + be trusted for delegation + SeManageVolumePrivilege Perform volume maintenance tasks + SeImpersonatePrivilege Impersonate a client after authentication + SeCreateGlobalPrivilege Create global objects +</screen> +<indexterm><primary>equivalence</primary></indexterm> + The Samba Team is implementing only those privileges that are logical and useful in the UNIX/Linux + environment. Many of the Windows 200X/XP privileges have no direct equivalence in UNIX. + </para> + +</sect2> + +</sect1> + +<sect1> +<title>The Administrator Domain SID</title> + +<para> +<indexterm><primary>domain Administrator</primary></indexterm> +<indexterm><primary>User Rights and Privileges</primary></indexterm> +<indexterm><primary>passdb backend</primary></indexterm> +<indexterm><primary>SID</primary></indexterm> +<indexterm><primary>net getlocalsid</primary></indexterm> +Please note that every Windows NT4 and later server requires a domain Administrator account. Samba versions +commencing with 3.0.11 permit Administrative duties to be performed via assigned rights and privileges +(see <link linkend="rights">User Rights and Privileges</link>). An account in the server's passdb backend can +be set to the well-known RID of the default administrator account. To obtain the domain SID on a Samba domain +controller, run the following command: +<screen> +&rootprompt; net getlocalsid +SID for domain FOO is: S-1-5-21-4294955119-3368514841-2087710299 +</screen> +<indexterm><primary>RID</primary></indexterm> +You may assign the domain administrator RID to an account using the <command>pdbedit</command> +command as shown here: +<indexterm><primary>pdbedit</primary></indexterm> +<screen> +&rootprompt; pdbedit -U S-1-5-21-4294955119-3368514841-2087710299-500 -u root -r +</screen> +</para> + +<note><para> +<indexterm><primary>RID 500</primary></indexterm> +<indexterm><primary>well known RID</primary></indexterm> +<indexterm><primary>rights and privileges</primary></indexterm> +<indexterm><primary>root account</primary></indexterm> +The RID 500 is the well known standard value of the default Administrator account. It is the RID +that confers the rights and privileges that the Administrator account has on a Windows machine +or domain. Under UNIX/Linux the equivalent is UID=0 (the root account). +</para></note> + +<para> +<indexterm><primary>without Administrator account</primary></indexterm> +<indexterm><primary>equivalent rights and privileges</primary></indexterm> +<indexterm><primary>Windows group account</primary></indexterm> +<indexterm><primary>3.0.11</primary></indexterm> +Releases of Samba version 3.0.11 and later make it possible to operate without an Administrator account +provided equivalent rights and privileges have been established for a Windows user or a Windows +group account. +</para> + +</sect1> + +<sect1> +<title>Common Errors</title> + + <sect2> + <title>What Rights and Privileges Will Permit Windows Client Administration?</title> + + <para> +<indexterm><primary>domain global</primary></indexterm> +<indexterm><primary>local group</primary></indexterm> +<indexterm><primary>administrative rights</primary></indexterm> +<indexterm><primary>Windows client</primary></indexterm> + When a Windows NT4 (or later) client joins a domain, the domain global <literal>Domain Admins</literal> group + is added to the membership of the local <literal>Administrators</literal> group on the client. Any user who is + a member of the domain global <literal>Domain Admins</literal> group will have administrative rights on the + Windows client. + </para> + + <para> +<indexterm><primary>desirable solution</primary></indexterm> +<indexterm><primary>administrative rights and privileges</primary></indexterm> +<indexterm><primary>Power Users</primary></indexterm> +<indexterm><primary>domain global user</primary></indexterm> +<indexterm><primary>domain global group</primary></indexterm> + This is often not the most desirable solution because it means that the user will have administrative + rights and privileges on domain servers also. The <literal>Power Users</literal> group on Windows client + workstations permits local administration of the workstation alone. Any domain global user or domain global + group can be added to the membership of the local workstation group <literal>Power Users</literal>. + </para> + + <para> +<indexterm><primary>Nested Group Support</primary></indexterm> +<indexterm><primary>add domain users and groups to a local group</primary></indexterm> +<indexterm><primary>net</primary></indexterm> +<indexterm><primary>Windows workstation.</primary></indexterm> + See <link linkend="nestedgrpmgmgt">Nested Group Support</link> for an example of how to add domain users + and groups to a local group that is on a Windows workstation. The use of the <command>net</command> + command permits this to be done from the Samba server. + </para> + + <para> +<indexterm><primary>cmd</primary></indexterm> +<indexterm><primary>cmd shell</primary></indexterm> +<indexterm><primary>net</primary><secondary>localgroup</secondary></indexterm> + Another way this can be done is to log onto the Windows workstation as the user + <literal>Administrator</literal>, then open a <command>cmd</command> shell, then execute: +<screen> +&dosprompt; net localgroup administrators /add <userinput>domain_name\entity</userinput> +</screen> + where <literal>entity</literal> is either a domain user or a domain group account name. + </para> + + </sect2> + +</sect1> + +</chapter> |