Moving docs tree to docs-xml to make room for generated docs in the release tarball.

(This used to be commit 9f672c26d63955f613088489c6efbdc08b5b2d14)

1 files changed, 600 insertions, 0 deletions

diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml b/docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml
new file mode 100644
index 0000000000..5ce64ddffd
--- /dev/null
+++ b/docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml
@@ -0,0 +1,600 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<chapter id="rights">
+<chapterinfo>
+        &author.jerry;
+        &author.jht;
+</chapterinfo>
+
+<title>User Rights and Privileges</title>
+
+<para>
+<indexterm><primary>Windows user</primary></indexterm>
+<indexterm><primary>Windows group</primary></indexterm>
+<indexterm><primary>machine accounts</primary></indexterm>
+<indexterm><primary>ADS</primary></indexterm>
+The administration of Windows user, group, and machine accounts in the Samba
+domain-controlled network necessitates interfacing between the MS Windows
+networking environment and the UNIX operating system environment. The right
+(permission) to add machines to the Windows security domain can be assigned
+(set) to non-administrative users both in Windows NT4 domains and
+Active Directory domains.
+</para>
+
+<para>
+<indexterm><primary>Windows NT4/2kX/XPPro</primary></indexterm>
+<indexterm><primary>machine account</primary></indexterm>
+<indexterm><primary>trusted</primary></indexterm>
+<indexterm><primary>user logons</primary></indexterm>
+The addition of Windows NT4/2kX/XPPro machines to the domain necessitates the
+creation of a machine account for each machine added. The machine account is
+a necessity that is used to validate that the machine can be trusted to permit
+user logons.
+</para>
+
+<para>
+<indexterm><primary>user accounts</primary></indexterm>
+<indexterm><primary>special account</primary></indexterm>
+<indexterm><primary>account name</primary></indexterm>
+<indexterm><primary>/bin/false</primary></indexterm>
+<indexterm><primary>/dev/null</primary></indexterm>
+<indexterm><primary>man-in-the-middle</primary></indexterm>
+Machine accounts are analogous to user accounts, and thus in implementing them on a UNIX machine that is
+hosting Samba (i.e., on which Samba is running), it is necessary to create a special type of user account.
+Machine accounts differ from  normal user accounts in that the account name (login ID) is terminated with a
+<literal>$</literal> sign. An additional difference is that this type of account should not ever be able to
+log into the UNIX environment as a system user and therefore is set to have a shell of
+<command>/bin/false</command> and a home directory of <command>/dev/null.</command> The machine
+account is used only to authenticate domain member machines during start-up. This security measure
+is designed to block man-in-the-middle attempts to violate network integrity.
+</para>
+
+<note><para>
+<indexterm><primary>computer accounts</primary></indexterm>
+<indexterm><primary>domain member servers</primary></indexterm>
+<indexterm><primary>domain controller</primary></indexterm>
+<indexterm><primary>credentials</primary></indexterm>
+<indexterm><primary>secure authentication</primary></indexterm>
+Machine (computer) accounts are used in the Windows NT OS family to store security
+credentials for domain member servers and workstations. When the domain member
+starts up, it goes through a validation process that includes an exchange of
+credentials with a domain controller. If the domain member fails to authenticate
+using the credentials known for it by domain controllers, the machine will be refused
+all access by domain users. The computer account is essential to the way that MS 
+Windows secures authentication.
+</para></note>
+
+<para>
+<indexterm><primary>UNIX system accounts</primary></indexterm>
+<indexterm><primary>system administrator</primary></indexterm>
+<indexterm><primary>root</primary></indexterm>
+<indexterm><primary>UID</primary></indexterm>
+The creation of UNIX system accounts has traditionally been the sole right of
+the system administrator, better known as the <constant>root</constant> account.
+It is possible in the UNIX environment to create multiple users who have the
+same UID. Any UNIX user who has a UID=0 is inherently the same as the
+<constant>root</constant> account user.
+</para>
+
+<para>
+<indexterm><primary>system interface scripts</primary></indexterm>
+<indexterm><primary>CIFS function calls</primary></indexterm>
+<indexterm><primary>root account</primary></indexterm>
+<indexterm><primary>UNIX host system</primary></indexterm>
+All versions of Samba call system interface scripts that permit CIFS function
+calls that are used to manage users, groups, and machine accounts
+in the UNIX environment. All versions of Samba up to and including version 3.0.10
+required the use of a Windows administrator account that unambiguously maps to
+the UNIX <constant>root</constant> account to permit the execution of these
+interface scripts. The requirement to do this has understandably met with some
+disdain and consternation among Samba administrators, particularly where it became
+necessary to permit people who should not possess <constant>root</constant>-level
+access to the UNIX host system.
+</para>
+
+<sect1>
+<title>Rights Management Capabilities</title>
+
+<para>
+<indexterm><primary>Windows privilege model</primary></indexterm>
+<indexterm><primary>privilege model</primary></indexterm>
+<indexterm><primary>rights assigned</primary></indexterm>
+<indexterm><primary>SID</primary></indexterm>
+Samba 3.0.11 introduced support for the Windows privilege model.  This model
+allows certain rights to be assigned to a user or group SID.  In order to enable
+this feature, <smbconfoption name="enable privileges">yes</smbconfoption>
+must be defined in the <smbconfsection name="global"/> section of the &smb.conf; file.
+</para>
+
+<para>
+<indexterm><primary>rights</primary></indexterm>
+<indexterm><primary>privileges</primary></indexterm>
+<indexterm><primary>manage privileges</primary></indexterm>
+Currently, the rights supported in Samba-3 are listed in <link linkend="rp-privs"/>.
+The remainder of this chapter explains how to manage and use these privileges on Samba servers.
+</para>
+
+<indexterm><primary>SeMachineAccountPrivilege</primary></indexterm>
+<indexterm><primary>SePrintOperatorPrivilege</primary></indexterm>
+<indexterm><primary>SeAddUsersPrivilege</primary></indexterm>
+<indexterm><primary>SeRemoteShutdownPrivilege</primary></indexterm>
+<indexterm><primary>SeDiskOperatorPrivilege</primary></indexterm>
+<indexterm><primary>SeTakeOwnershipPrivilege</primary></indexterm>
+<table id="rp-privs">
+        <title>Current Privilege Capabilities</title>
+        <tgroup cols="2">
+                <colspec align="right"/>
+                <colspec align="left"/>
+                <thead>
+                        <row>
+                                <entry align="left">Privilege</entry>
+                                <entry align="left">Description</entry>
+                        </row>
+                </thead>
+                <tbody>
+                        <row>
+                                <entry><para>SeMachineAccountPrivilege</para></entry>
+                                <entry><para>Add machines to domain</para></entry>
+                        </row>
+                        <row>
+                                <entry><para>SePrintOperatorPrivilege</para></entry>
+                                <entry><para>Manage printers</para></entry>
+                        </row>
+                        <row>
+                                <entry><para>SeAddUsersPrivilege</para></entry>
+                                <entry><para>Add users and groups to the domain</para></entry>
+                        </row>
+                        <row>
+                                <entry><para>SeRemoteShutdownPrivilege</para></entry>
+                                <entry><para>Force shutdown from a remote system</para></entry>
+                        </row>
+                        <row>
+                                <entry><para>SeDiskOperatorPrivilege</para></entry>
+                                <entry><para>Manage disk share</para></entry>
+                        </row>
+<!-- These are not used at this time - so void them from the docs.
+                        <row>
+                                <entry><para>SeBackupPrivilege</para></entry>
+                                <entry><para>Back up files and directories</para></entry>
+                        </row>
+                        <row>
+                                <entry><para>SeRestorePrivilege</para></entry>
+                                <entry><para>Restore files and directories</para></entry>
+                        </row>
+**** End of commented out section **** -->    
+                        <row>
+                                <entry><para>SeTakeOwnershipPrivilege</para></entry>
+                                <entry><para>Take ownership of files or other objects</para></entry>
+                        </row>
+            </tbody>
+        </tgroup>
+</table>
+
+<sect2>
+<title>Using the <quote>net rpc rights</quote> Utility</title>
+
+<para>
+<indexterm><primary>managing rights</primary></indexterm>
+<indexterm><primary>rights assigned</primary></indexterm>
+<indexterm><primary>NT4 User Manager for Domains</primary></indexterm>
+<indexterm><primary>command-line utility</primary></indexterm>
+<indexterm><primary>administrative actions</primary></indexterm>
+There are two primary means of managing the rights assigned to users and groups
+on a Samba server.  The <command>NT4 User Manager for Domains</command> may be
+used from any Windows NT4, 2000, or XP Professional domain member client to
+connect to a Samba domain controller and view/modify the rights assignments.
+This application, however, appears to have bugs when run on a client running
+Windows 2000 or later; therefore, Samba provides a command-line utility for
+performing the necessary administrative actions.
+</para>
+
+<para>
+The <command>net rpc rights</command> utility in Samba 3.0.11 has three new subcommands:
+</para>
+
+<variablelist>
+	<varlistentry><term>list [name|accounts]</term>
+		<listitem><para>
+<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>list</tertiary></indexterm>
+<indexterm><primary>available rights</primary></indexterm>
+<indexterm><primary>privileges assigned</primary></indexterm>
+<indexterm><primary>privileged accounts</primary></indexterm>
+		When called with no arguments, <command>net rpc list</command>
+		simply lists the available rights on the server.  When passed
+		a specific user or group name, the tool lists the privileges
+		currently assigned to the specified account.  When invoked using
+		the special string <constant>accounts</constant>,
+		<command>net rpc rights list</command> returns a list of all
+		privileged accounts on the server and the assigned rights.
+		</para></listitem>
+	</varlistentry>
+
+	<varlistentry><term>grant &lt;user&gt; &lt;right [right ...]&gt;</term>
+		<listitem><para>
+<indexterm><primary>assign rights</primary></indexterm>
+<indexterm><primary>grant rights</primary></indexterm>
+<indexterm><primary>add client machines</primary></indexterm>
+<indexterm><primary>user or group</primary></indexterm>
+		When called with no arguments, this function is used to assign
+		a list of rights to a specified user or group.  For example,
+		to grant the members of the Domain Admins group on a Samba domain controller,
+		the capability to add client machines to the domain, one would run:
+<screen>
+&rootprompt; net -S server -U domadmin rpc rights grant \
+	 'DOMAIN\Domain Admins' SeMachineAccountPrivilege
+</screen>
+		The following syntax has the same result:
+<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>rights grant</tertiary></indexterm>
+<screen>
+&rootprompt; net rpc rights grant 'DOMAIN\Domain Admins' \
+     SeMachineAccountPrivilege -S server -U domadmin
+</screen>
+		More than one privilege can be assigned by specifying a
+		list of rights separated by spaces. The parameter 'Domain\Domain Admins'
+		must be quoted with single ticks or using double-quotes to prevent
+		the backslash and the space from being interpreted by the system shell.
+		</para></listitem>
+	</varlistentry>
+
+	<varlistentry><term>revoke &lt;user&gt; &lt;right [right ...]&gt;</term>
+		<listitem><para>
+		This command is similar in format to <command>net rpc rights grant</command>.  Its
+		effect is to remove an assigned right (or list of rights) from a user or group.
+		</para></listitem>
+	</varlistentry>
+
+</variablelist>
+
+<note><para>
+<indexterm><primary>member</primary></indexterm>
+<indexterm><primary>Domain Admins</primary></indexterm>
+<indexterm><primary>revoke privileges</primary></indexterm>
+You must be connected as a member of the Domain Admins group to be able to grant or revoke privileges assigned
+to an account.  This capability is inherent to the Domain Admins group and is not configurable. There are no
+default rights and privileges, except the ability for a member of the Domain Admins group to assign them.
+This means that all administrative rights and privileges (other than the ability to assign them) must be 
+explicitly assigned, even for the Domain Admins group.
+</para></note>
+
+<para>
+<indexterm><primary>performed as root</primary></indexterm>
+<indexterm><primary>necessary rights</primary></indexterm>
+<indexterm><primary>add machine script</primary></indexterm>
+<indexterm><primary></primary></indexterm>
+By default, no privileges are initially assigned to any account because certain actions will be performed as
+root once smbd determines that a user has the necessary rights.  For example, when joining a client to a
+Windows domain, <parameter>add machine script</parameter> must be executed with superuser rights in most 
+cases.  For this reason, you should be very careful about handing out privileges to accounts.
+</para>
+
+<para>
+<indexterm><primary>Access</primary></indexterm>
+<indexterm><primary>root user</primary></indexterm>
+<indexterm><primary>bypasses privilege</primary></indexterm>
+Access as the root user (UID=0) bypasses all privilege checks.
+</para>
+
+</sect2>
+
+<sect2>
+<title>Description of Privileges</title>
+
+<para>
+<indexterm><primary>privileges</primary></indexterm>
+<indexterm><primary>additional privileges</primary></indexterm>
+<indexterm><primary>house-keeping</primary></indexterm>
+The privileges that have been implemented in Samba-3.0.11 are shown below.  It is possible, and likely, that
+additional privileges may be implemented in later releases of Samba. It is also likely that any privileges
+currently implemented but not used may be removed from future releases as a housekeeping matter, so it is
+important that the successful as well as unsuccessful use of these facilities should be reported on the Samba
+mailing lists.
+</para>
+
+<variablelist>
+	<varlistentry><term>SeAddUsersPrivilege</term>
+		<listitem><para>
+<indexterm><primary>SeAddUsersPrivilege</primary></indexterm>
+<indexterm><primary>smbd</primary></indexterm>
+<indexterm><primary>net rpc user add</primary></indexterm>
+		This right determines whether or not smbd will allow the
+		user to create new user or group accounts via such tools
+		as <command>net rpc user add</command> or 
+		<command>NT4 User Manager for Domains.</command>
+		</para></listitem>
+	</varlistentry>
+
+	<varlistentry><term>SeDiskOperatorPrivilege</term>
+		<listitem><para>
+<indexterm><primary>SeDiskOperatorPrivilege</primary></indexterm>
+<indexterm><primary>add/delete/change share</primary></indexterm>
+<indexterm><primary>ACL</primary></indexterm>
+		Accounts that possess this right will be able to execute
+		scripts defined by the <command>add/delete/change</command>
+		share command in &smb.conf; file as root.  Such users will
+		also be able to modify the ACL associated with file shares
+		on the Samba server.
+		</para></listitem>
+	</varlistentry>
+
+	<varlistentry><term>SeMachineAccountPrivilege</term>
+		<listitem><para>
+<indexterm><primary>SeMachineAccountPrivilege</primary></indexterm>
+<indexterm><primary>right to join domain</primary></indexterm>
+<indexterm><primary>join client</primary></indexterm>
+		This right controls whether or not the user can join client
+		machines to a Samba-controlled domain.
+		</para></listitem>
+	</varlistentry>
+
+	<varlistentry><term>SePrintOperatorPrivilege</term>
+		<listitem><para>
+<indexterm><primary>SePrintOperatorPrivilege</primary></indexterm>
+<indexterm><primary>privilege</primary></indexterm>
+<indexterm><primary>global right</primary></indexterm>
+<indexterm><primary>administrative rights</primary></indexterm>
+<indexterm><primary>printers admin</primary></indexterm>
+		This privilege operates identically to the <smbconfoption name="printer admin"/>
+		option in the &smb.conf; file (see section 5 man page for &smb.conf;)
+		except that it is a global right (not on a per-printer basis). 
+		Eventually the smb.conf option will be deprecated and administrative
+		rights to printers will be controlled exclusively by this right and
+		the security descriptor associated with the printer object in the
+		<filename>ntprinters.tdb</filename> file.
+		</para></listitem>
+	</varlistentry>
+
+	<varlistentry><term>SeRemoteShutdownPrivilege</term>
+		<listitem><para>
+<indexterm><primary>SeRemoteShutdownPrivilege</primary></indexterm>
+<indexterm><primary>rebooting server</primary></indexterm>
+<indexterm><primary>aborting shutdown</primary></indexterm>
+		Samba provides two hooks for shutting down or rebooting
+		the server and for aborting a previously issued shutdown
+		command.  Since this is an operation normally limited by
+		the operating system to the root user, an account must possess this
+		right to be able to execute either of these hooks.
+		</para></listitem>
+	</varlistentry>
+
+	<varlistentry><term>SeTakeOwnershipPrivilege</term>
+		<listitem><para>
+<indexterm><primary>SeTakeOwnershipPrivilege</primary></indexterm>
+<indexterm><primary>take ownership</primary></indexterm>
+		This right permits users to take ownership of files and directories.
+		</para></listitem>
+	</varlistentry>
+
+</variablelist>
+
+</sect2>
+
+<sect2>
+<title>Privileges Suppored by Windows 2000 Domain Controllers</title>
+
+<para>
+    For reference purposes, a Windows NT4 Primary Domain Controller reports support for the following
+	privileges:
+<indexterm><primary>SeCreateTokenPrivilege</primary></indexterm>
+<indexterm><primary>SeAssignPrimaryTokenPrivilege</primary></indexterm>
+<indexterm><primary>SeLockMemoryPrivilege</primary></indexterm>
+<indexterm><primary>SeIncreaseQuotaPrivilege</primary></indexterm>
+<indexterm><primary>SeMachineAccountPrivilege</primary></indexterm>
+<indexterm><primary>SeTcbPrivilege</primary></indexterm>
+<indexterm><primary>SeSecurityPrivilege</primary></indexterm>
+<indexterm><primary>SeTakeOwnershipPrivilege</primary></indexterm>
+<indexterm><primary>SeLoadDriverPrivilege</primary></indexterm>
+<indexterm><primary>SeSystemProfilePrivilege</primary></indexterm>
+<indexterm><primary>SeSystemtimePrivilege</primary></indexterm>
+<indexterm><primary>SeProfileSingleProcessPrivilege</primary></indexterm>
+<indexterm><primary>SeIncreaseBasePriorityPrivilege</primary></indexterm>
+<indexterm><primary>SeCreatePagefilePrivilege</primary></indexterm>
+<indexterm><primary>SeCreatePermanentPrivilege</primary></indexterm>
+<indexterm><primary>SeBackupPrivilege</primary></indexterm>
+<indexterm><primary>SeRestorePrivilege</primary></indexterm>
+<indexterm><primary>SeShutdownPrivilege</primary></indexterm>
+<indexterm><primary>SeDebugPrivilege</primary></indexterm>
+<indexterm><primary>SeAuditPrivilege</primary></indexterm>
+<indexterm><primary>SeSystemEnvironmentPrivilege</primary></indexterm>
+<indexterm><primary>SeChangeNotifyPrivilege</primary></indexterm>
+<indexterm><primary>SeRemoteShutdownPrivilege</primary></indexterm>
+<screen>
+         SeCreateTokenPrivilege  Create a token object
+  SeAssignPrimaryTokenPrivilege  Replace a process level token
+          SeLockMemoryPrivilege  Lock pages in memory
+       SeIncreaseQuotaPrivilege  Increase quotas
+      SeMachineAccountPrivilege  Add workstations to domain
+                 SeTcbPrivilege  Act as part of the operating system
+            SeSecurityPrivilege  Manage auditing and security log
+       SeTakeOwnershipPrivilege  Take ownership of files or other objects
+          SeLoadDriverPrivilege  Load and unload device drivers
+       SeSystemProfilePrivilege  Profile system performance
+          SeSystemtimePrivilege  Change the system time
+SeProfileSingleProcessPrivilege  Profile single process
+SeIncreaseBasePriorityPrivilege  Increase scheduling priority
+      SeCreatePagefilePrivilege  Create a pagefile
+     SeCreatePermanentPrivilege  Create permanent shared objects
+              SeBackupPrivilege  Back up files and directories
+             SeRestorePrivilege  Restore files and directories
+            SeShutdownPrivilege  Shut down the system
+               SeDebugPrivilege  Debug programs
+               SeAuditPrivilege  Generate security audits
+   SeSystemEnvironmentPrivilege  Modify firmware environment values
+        SeChangeNotifyPrivilege  Bypass traverse checking
+      SeRemoteShutdownPrivilege  Force shutdown from a remote system
+</screen>
+	And Windows 200x/XP Domain Controllers and workstations reports to support the following privileges:
+<indexterm><primary>SeCreateTokenPrivilege</primary></indexterm>
+<indexterm><primary>SeAssignPrimaryTokenPrivilege</primary></indexterm>
+<indexterm><primary>SeLockMemoryPrivilege</primary></indexterm>
+<indexterm><primary>SeIncreaseQuotaPrivilege</primary></indexterm>
+<indexterm><primary>SeMachineAccountPrivilege</primary></indexterm>
+<indexterm><primary>SeTcbPrivilege</primary></indexterm>
+<indexterm><primary>SeSecurityPrivilege</primary></indexterm>
+<indexterm><primary>SeTakeOwnershipPrivilege</primary></indexterm>
+<indexterm><primary>SeLoadDriverPrivilege</primary></indexterm>
+<indexterm><primary>SeSystemProfilePrivilege</primary></indexterm>
+<indexterm><primary>SeSystemtimePrivilege</primary></indexterm>
+<indexterm><primary>SeProfileSingleProcessPrivilege</primary></indexterm>
+<indexterm><primary>SeIncreaseBasePriorityPrivilege</primary></indexterm>
+<indexterm><primary>SeCreatePagefilePrivilege</primary></indexterm>
+<indexterm><primary>SeCreatePermanentPrivilege</primary></indexterm>
+<indexterm><primary>SeBackupPrivilege</primary></indexterm>
+<indexterm><primary>SeRestorePrivilege</primary></indexterm>
+<indexterm><primary>SeShutdownPrivilege</primary></indexterm>
+<indexterm><primary>SeDebugPrivilege</primary></indexterm>
+<indexterm><primary>SeAuditPrivilege</primary></indexterm>
+<indexterm><primary>SeSystemEnvironmentPrivilege</primary></indexterm>
+<indexterm><primary>SeChangeNotifyPrivilege</primary></indexterm>
+<indexterm><primary>SeRemoteShutdownPrivilege</primary></indexterm>
+<indexterm><primary>SeUndockPrivilege</primary></indexterm>
+<indexterm><primary>SeSyncAgentPrivilege</primary></indexterm>
+<indexterm><primary>SeEnableDelegationPrivilege</primary></indexterm>
+<indexterm><primary>SeManageVolumePrivilege</primary></indexterm>
+<indexterm><primary>SeImpersonatePrivilege</primary></indexterm>
+<indexterm><primary>SeCreateGlobalPrivilege</primary></indexterm>
+<screen>
+         SeCreateTokenPrivilege  Create a token object
+  SeAssignPrimaryTokenPrivilege  Replace a process level token
+          SeLockMemoryPrivilege  Lock pages in memory
+       SeIncreaseQuotaPrivilege  Increase quotas
+      SeMachineAccountPrivilege  Add workstations to domain
+                 SeTcbPrivilege  Act as part of the operating system
+            SeSecurityPrivilege  Manage auditing and security log
+       SeTakeOwnershipPrivilege  Take ownership of files or other objects
+          SeLoadDriverPrivilege  Load and unload device drivers
+       SeSystemProfilePrivilege  Profile system performance
+          SeSystemtimePrivilege  Change the system time
+SeProfileSingleProcessPrivilege  Profile single process
+SeIncreaseBasePriorityPrivilege  Increase scheduling priority
+      SeCreatePagefilePrivilege  Create a pagefile
+     SeCreatePermanentPrivilege  Create permanent shared objects
+              SeBackupPrivilege  Back up files and directories
+             SeRestorePrivilege  Restore files and directories
+            SeShutdownPrivilege  Shut down the system
+               SeDebugPrivilege  Debug programs
+               SeAuditPrivilege  Generate security audits
+   SeSystemEnvironmentPrivilege  Modify firmware environment values
+        SeChangeNotifyPrivilege  Bypass traverse checking
+      SeRemoteShutdownPrivilege  Force shutdown from a remote system
+              SeUndockPrivilege  Remove computer from docking station
+           SeSyncAgentPrivilege  Synchronize directory service data
+    SeEnableDelegationPrivilege  Enable computer and user accounts to
+                                 be trusted for delegation
+        SeManageVolumePrivilege  Perform volume maintenance tasks
+         SeImpersonatePrivilege  Impersonate a client after authentication
+        SeCreateGlobalPrivilege  Create global objects
+</screen>
+<indexterm><primary>equivalence</primary></indexterm>
+    The Samba Team is implementing only those privileges that are logical and useful in the UNIX/Linux
+    environment. Many of the Windows 200X/XP privileges have no direct equivalence in UNIX.
+    </para>
+
+</sect2>
+
+</sect1>
+
+<sect1>
+<title>The Administrator Domain SID</title>
+
+<para>
+<indexterm><primary>domain Administrator</primary></indexterm>
+<indexterm><primary>User Rights and Privileges</primary></indexterm>
+<indexterm><primary>passdb backend</primary></indexterm>
+<indexterm><primary>SID</primary></indexterm>
+<indexterm><primary>net getlocalsid</primary></indexterm>
+Please note that every Windows NT4 and later server requires a domain Administrator account. Samba versions
+commencing with 3.0.11 permit Administrative duties to be performed via assigned rights and privileges
+(see <link linkend="rights">User Rights and Privileges</link>).  An account in the server's passdb backend can
+be set to the well-known RID of the default administrator account.  To obtain the domain SID on a Samba domain
+controller, run the following command:
+<screen>
+&rootprompt; net getlocalsid
+SID for domain FOO is: S-1-5-21-4294955119-3368514841-2087710299
+</screen>
+<indexterm><primary>RID</primary></indexterm>
+You may assign the domain administrator RID to an account using the <command>pdbedit</command>
+command as shown here:
+<indexterm><primary>pdbedit</primary></indexterm>
+<screen>
+&rootprompt; pdbedit -U S-1-5-21-4294955119-3368514841-2087710299-500 -u root -r
+</screen>
+</para>
+
+<note><para>
+<indexterm><primary>RID 500</primary></indexterm>
+<indexterm><primary>well known RID</primary></indexterm>
+<indexterm><primary>rights and privileges</primary></indexterm>
+<indexterm><primary>root account</primary></indexterm>
+The RID 500 is the well known standard value of the default Administrator account. It is the RID
+that confers the rights and privileges that the Administrator account has on a Windows machine
+or domain. Under UNIX/Linux the equivalent is UID=0 (the root account).
+</para></note>
+
+<para>
+<indexterm><primary>without Administrator account</primary></indexterm>
+<indexterm><primary>equivalent rights and privileges</primary></indexterm>
+<indexterm><primary>Windows group account</primary></indexterm>
+<indexterm><primary>3.0.11</primary></indexterm>
+Releases of Samba version 3.0.11 and later make it possible to operate without an Administrator account
+provided equivalent rights and privileges have been established for a Windows user or a Windows
+group account. 
+</para>
+
+</sect1>
+
+<sect1>
+<title>Common Errors</title>
+
+	<sect2>
+	<title>What Rights and Privileges Will Permit Windows Client Administration?</title>
+
+	<para>
+<indexterm><primary>domain global</primary></indexterm>
+<indexterm><primary>local group</primary></indexterm>
+<indexterm><primary>administrative rights</primary></indexterm>
+<indexterm><primary>Windows client</primary></indexterm>
+	When a Windows NT4 (or later) client joins a domain, the domain global <literal>Domain Admins</literal> group
+	is added to the membership of the local <literal>Administrators</literal> group on the client. Any user who is
+	a member of the domain global <literal>Domain Admins</literal> group will have administrative rights on the
+	Windows client.
+	</para>
+
+	<para>
+<indexterm><primary>desirable solution</primary></indexterm>
+<indexterm><primary>administrative rights and privileges</primary></indexterm>
+<indexterm><primary>Power Users</primary></indexterm>
+<indexterm><primary>domain global user</primary></indexterm>
+<indexterm><primary>domain global group</primary></indexterm>
+	This is often not the most desirable solution because it means that the user will have administrative
+	rights and privileges on domain servers also. The <literal>Power Users</literal> group on Windows client
+	workstations permits local administration of the workstation alone. Any domain global user or domain global
+	group can be added to the membership of the local workstation group <literal>Power Users</literal>.
+	</para>
+
+	<para>
+<indexterm><primary>Nested Group Support</primary></indexterm>
+<indexterm><primary>add domain users and groups to a local group</primary></indexterm>
+<indexterm><primary>net</primary></indexterm>
+<indexterm><primary>Windows workstation.</primary></indexterm>
+	See <link linkend="nestedgrpmgmgt">Nested Group Support</link> for an example of how to add domain users
+	and groups to a local group that is on a Windows workstation. The use of the <command>net</command>
+	command permits this to be done from the Samba server.
+	</para>
+
+	<para>
+<indexterm><primary>cmd</primary></indexterm>
+<indexterm><primary>cmd shell</primary></indexterm>
+<indexterm><primary>net</primary><secondary>localgroup</secondary></indexterm>
+	Another way this can be done is to log onto the Windows workstation as the user
+	<literal>Administrator</literal>, then open a <command>cmd</command> shell, then execute:
+<screen>
+&dosprompt; net localgroup administrators /add <userinput>domain_name\entity</userinput>
+</screen>
+	where <literal>entity</literal> is either a domain user or a domain group account name.
+	</para>
+
+	</sect2>
+
+</sect1>
+
+</chapter>