author | John Terpstra <jht@samba.org> | 2005-06-16 18:31:27 +0000 |
---|---|---|
committer | Gerald W. Carter <jerry@samba.org> | 2008-04-23 08:46:50 -0500 |
commit | 161ac1e36f0adf8f081422f98b25f2cf5b690720 (patch) | |
tree | b0a3df0b956901df91b5baaff6f36c0d6c549db2 /docs/Samba3-HOWTO/TOSHARG-TheNetCommand.xml | |
parent | 04418983c959beb0c687dae9ad19d5e2d77b99df (diff) | |
More Updates.
(This used to be commit 6fba7bc2c89b584278b0f888b7620b5206624e4b)
Diffstat (limited to 'docs/Samba3-HOWTO/TOSHARG-TheNetCommand.xml')
-rw-r--r-- | docs/Samba3-HOWTO/TOSHARG-TheNetCommand.xml | 78 |
1 files changed, 74 insertions, 4 deletions
diff --git a/docs/Samba3-HOWTO/TOSHARG-TheNetCommand.xml b/docs/Samba3-HOWTO/TOSHARG-TheNetCommand.xml index 2b73a06392..7231bdaf21 100644 --- a/docs/Samba3-HOWTO/TOSHARG-TheNetCommand.xml +++ b/docs/Samba3-HOWTO/TOSHARG-TheNetCommand.xml @@ -224,8 +224,8 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs </para> <para> - The operations that are permitted include: <constant>add</constant>, <constant>modify</constant>, and <constant>delete</constant>. An example - of each operation is shown here. + The operations that are permitted include: <constant>add</constant>, <constant>modify</constant>, + and <constant>delete</constant>. An example of each operation is shown here. </para> <para> @@ -296,7 +296,7 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs </sect2> - <sect2> + <sect2 id="grpmemshipchg"> <title>Manipulating Group Memberships</title> <para> @@ -409,7 +409,7 @@ MIDEARTH\vlendecke </sect2> - <sect2> + <sect2 id="nestedgrpmgmgt"> <title>Nested Group Support</title> <para> @@ -452,6 +452,9 @@ DOM\jht </screen> </para> + <sect3> + <title>Managing Nest Groups on Workstations from the Samba Server</title> + <para> Windows network administrators often ask on the Samba mailing list how it is possible to grant everyone administrative rights on their own workstation. This is of course a very bad practice, but commonly done 
@@ -462,6 +465,73 @@ DOM\jht </screen> </para> + <para> + This can be scripted, and can therefore be performed as a user logs onto the domain from a Windows + workstation. Here is a simple example that shows how this can be done. + </para> + + <procedure> + <title>Automating User Addition to the Workstation Power Users Group</title> + + <step><para> + Create the script shown in <link linkend="autopoweruserscript"></link> and locate it in + the directory <filename>/etc/samba/scripts</filename>, named as <filename>autopoweruser.sh</filename>. + </para></step> + +<example id="autopoweruserscript"> +<title>Script to Auto-add Domain Users to Workstation Power Users Group</title> +<procedure> +#!/bin/bash + +/usr/bin/net rpc group addmem "Power Users" "DOMAIN_NAME\$1" -UAdministrator%secret -S $2 + +exit 0 +</procedure> +</example> + + <step><para> + Set the permissions on this script to permit it to be executed as part of the logon process: +<screen> +&rootprompt; chown root:root /etc/samba/autopoweruser.sh +&rootprompt; chmod 755 /etc/samba/autopoweruser.sh +</screen> + </para></step> + + <step><para> + Modify the &smb.conf; file so the <literal>NETLOGON</literal> stanza contains the parameters + shown in <link linkend="magicnetlogon">the Netlogon Example smb.conf file</link>. 
+ </para></step> + +<example id="magicnetlogon"> +<title>A Magic Netlogon Share</title> +<smbconfblock> +<smbconfsection name="[netlogon]"/> +<smbconfoption name="comment">Netlogon Share</smbconfoption> +<smbconfoption name="path">/var/lib/samba/netlogon</smbconfoption> +<smbconfoption name="root preexec">/etc/samba/scripts/autopoweruser.sh %U %m</smbconfoption> +<smbconfoption name="read only">Yes</smbconfoption> +<smbconfoption name="guest ok">Yes</smbconfoption> +</smbconfblock> +</example> + + <step><para> + Ensure that every Windows workstation Adminsitrator account has the same password that you + have used in the script shown in <link linkend="magicnetlogon">the Netlogon Example smb.conf + file</link> + </para></step> + +</procedure> + + <para> + This script will be executed every time a user logs onto the network. Therefore every user will + have local Windows workstation management rights. This could of course be assigned using a group, + in which case there is little justification for the use of this procedure. The key justification + for the use of this method is that it will guarantee that all users have appropriate rights on + the workstation. + </para> + + </sect3> + </sect2> </sect1> |
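Review bot: In the hunk at @@ -409,7 +409,7, the new id `nestedgrpmgmgt` on the "Nested Group Support" section looks like a misspelling of "mgmt". An id exists to be a linkend target, so fix the spelling now (for example `nestedgrpmgmt`) rather than after links depend on it.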
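Review bot: In the hunk at @@ -452,6 +452,9, the new sect3 title reads "Managing Nest Groups on Workstations from the Samba Server", but the enclosing sect2 is "Nested Group Support", so it should say "Nested Groups". The two sect2 elements gain ids in this commit while this sect3 gets none; add one if the procedure is meant to be linkable.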
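Review bot: In the hunk at @@ -462,6 +465,73, the script argument `"DOMAIN_NAME\$1"` does not expand the user name: inside double quotes bash treats `\$` as a literal dollar sign, so net receives the string DOMAIN_NAME$1. Write `"DOMAIN_NAME\\$1"`, and quote `"$2"` too, because both values come from %U and %m on a share with guest ok = Yes and the script runs as root through root preexec. The paths disagree: step 1 and the root preexec line use /etc/samba/scripts/autopoweruser.sh, while the chown and chmod commands act on /etc/samba/autopoweruser.sh. The script embeds `-UAdministrator%secret`, so chmod 755 leaves that password readable by every local account on the server; root preexec only needs root to read and execute it, so mode 700 is enough and the text should say why. Markup points: the script body is wrapped in <procedure> inside <example> where <screen> or <programlisting> is meant, the first <link linkend="autopoweruserscript"> has no link text, "Adminsitrator" is misspelt, and the last step talks about the password in the script but links to magicnetlogon instead of autopoweruserscript and lacks its closing period.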