From 8f8a9f01909ba29e2b781310baeeaaddc3f15f0d Mon Sep 17 00:00:00 2001 From: "Gerald W. Carter" Date: Tue, 22 Apr 2008 10:09:40 -0500 Subject: Moving docs tree to docs-xml to make room for generated docs in the release tarball. (This used to be commit 9f672c26d63955f613088489c6efbdc08b5b2d14) --- .../Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml | 600 +++++++++++++++++++++ 1 file changed, 600 insertions(+) create mode 100644 docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml (limited to 'docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml') diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml b/docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml new file mode 100644 index 0000000000..5ce64ddffd --- /dev/null +++ b/docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml 
@@ -0,0 +1,600 @@ + + + + + &author.jerry; + &author.jht; + + +User Rights and Privileges + + +Windows user +Windows group +machine accounts +ADS +The administration of Windows user, group, and machine accounts in the Samba +domain-controlled network necessitates interfacing between the MS Windows +networking environment and the UNIX operating system environment. The right +(permission) to add machines to the Windows security domain can be assigned +(set) to non-administrative users both in Windows NT4 domains and +Active Directory domains. + + + +Windows NT4/2kX/XPPro +machine account +trusted +user logons +The addition of Windows NT4/2kX/XPPro machines to the domain necessitates the +creation of a machine account for each machine added. The machine account is +a necessity that is used to validate that the machine can be trusted to permit +user logons. + + + +user accounts +special account +account name +/bin/false +/dev/null +man-in-the-middle +Machine accounts are analogous to user accounts, and thus in implementing them on a UNIX machine that is +hosting Samba (i.e., on which Samba is running), it is necessary to create a special type of user account. +Machine accounts differ from normal user accounts in that the account name (login ID) is terminated with a +$ sign. An additional difference is that this type of account should not ever be able to +log into the UNIX environment as a system user and therefore is set to have a shell of +/bin/false and a home directory of /dev/null. The machine +account is used only to authenticate domain member machines during start-up. This security measure +is designed to block man-in-the-middle attempts to violate network integrity. + + + +computer accounts +domain member servers +domain controller +credentials +secure authentication +Machine (computer) accounts are used in the Windows NT OS family to store security +credentials for domain member servers and workstations. 
When the domain member +starts up, it goes through a validation process that includes an exchange of +credentials with a domain controller. If the domain member fails to authenticate +using the credentials known for it by domain controllers, the machine will be refused +all access by domain users. The computer account is essential to the way that MS +Windows secures authentication. + + + +UNIX system accounts +system administrator +root +UID +The creation of UNIX system accounts has traditionally been the sole right of +the system administrator, better known as the root account. +It is possible in the UNIX environment to create multiple users who have the +same UID. Any UNIX user who has a UID=0 is inherently the same as the +root account user. + + + +system interface scripts +CIFS function calls +root account +UNIX host system +All versions of Samba call system interface scripts that permit CIFS function +calls that are used to manage users, groups, and machine accounts +in the UNIX environment. All versions of Samba up to and including version 3.0.10 +required the use of a Windows administrator account that unambiguously maps to +the UNIX root account to permit the execution of these +interface scripts. The requirement to do this has understandably met with some +disdain and consternation among Samba administrators, particularly where it became +necessary to permit people who should not possess root-level +access to the UNIX host system. + + + +Rights Management Capabilities + + +Windows privilege model +privilege model +rights assigned +SID +Samba 3.0.11 introduced support for the Windows privilege model. This model +allows certain rights to be assigned to a user or group SID. In order to enable +this feature, yes +must be defined in the section of the &smb.conf; file. + + + +rights +privileges +manage privileges +Currently, the rights supported in Samba-3 are listed in . 
+The remainder of this chapter explains how to manage and use these privileges on Samba servers. + + +SeMachineAccountPrivilege +SePrintOperatorPrivilege +SeAddUsersPrivilege +SeRemoteShutdownPrivilege +SeDiskOperatorPrivilege +SeTakeOwnershipPrivilege + + Current Privilege Capabilities + + + + + + Privilege + Description + + + + + SeMachineAccountPrivilege + Add machines to domain + + + SePrintOperatorPrivilege + Manage printers + + + SeAddUsersPrivilege + Add users and groups to the domain + + + SeRemoteShutdownPrivilege + Force shutdown from a remote system + + + SeDiskOperatorPrivilege + Manage disk share + + + + SeTakeOwnershipPrivilege + Take ownership of files or other objects + + + +
+ + +Using the <quote>net rpc rights</quote> Utility + + +managing rights +rights assigned +NT4 User Manager for Domains +command-line utility +administrative actions +There are two primary means of managing the rights assigned to users and groups +on a Samba server. The NT4 User Manager for Domains may be +used from any Windows NT4, 2000, or XP Professional domain member client to +connect to a Samba domain controller and view/modify the rights assignments. +This application, however, appears to have bugs when run on a client running +Windows 2000 or later; therefore, Samba provides a command-line utility for +performing the necessary administrative actions. + + + +The net rpc rights utility in Samba 3.0.11 has three new subcommands: + + + + list [name|accounts] + +netrpclist +available rights +privileges assigned +privileged accounts + When called with no arguments, net rpc list + simply lists the available rights on the server. When passed + a specific user or group name, the tool lists the privileges + currently assigned to the specified account. When invoked using + the special string accounts, + net rpc rights list returns a list of all + privileged accounts on the server and the assigned rights. + + + + grant <user> <right [right ...]> + +assign rights +grant rights +add client machines +user or group + When called with no arguments, this function is used to assign + a list of rights to a specified user or group. For example, + to grant the members of the Domain Admins group on a Samba domain controller, + the capability to add client machines to the domain, one would run: + +&rootprompt; net -S server -U domadmin rpc rights grant \ + 'DOMAIN\Domain Admins' SeMachineAccountPrivilege + + The following syntax has the same result: +netrpcrights grant + +&rootprompt; net rpc rights grant 'DOMAIN\Domain Admins' \ + SeMachineAccountPrivilege -S server -U domadmin + + More than one privilege can be assigned by specifying a + list of rights separated by spaces. 
The parameter 'Domain\Domain Admins' + must be quoted with single ticks or using double-quotes to prevent + the backslash and the space from being interpreted by the system shell. + + + + revoke <user> <right [right ...]> + + This command is similar in format to net rpc rights grant. Its + effect is to remove an assigned right (or list of rights) from a user or group. + + + + + + +member +Domain Admins +revoke privileges +You must be connected as a member of the Domain Admins group to be able to grant or revoke privileges assigned +to an account. This capability is inherent to the Domain Admins group and is not configurable. There are no +default rights and privileges, except the ability for a member of the Domain Admins group to assign them. +This means that all administrative rights and privileges (other than the ability to assign them) must be +explicitly assigned, even for the Domain Admins group. + + + +performed as root +necessary rights +add machine script + +By default, no privileges are initially assigned to any account because certain actions will be performed as +root once smbd determines that a user has the necessary rights. For example, when joining a client to a +Windows domain, add machine script must be executed with superuser rights in most +cases. For this reason, you should be very careful about handing out privileges to accounts. + + + +Access +root user +bypasses privilege +Access as the root user (UID=0) bypasses all privilege checks. + + + + + +Description of Privileges + + +privileges +additional privileges +house-keeping +The privileges that have been implemented in Samba-3.0.11 are shown below. It is possible, and likely, that +additional privileges may be implemented in later releases of Samba. 
It is also likely that any privileges +currently implemented but not used may be removed from future releases as a housekeeping matter, so it is +important that the successful as well as unsuccessful use of these facilities should be reported on the Samba +mailing lists. + + + + SeAddUsersPrivilege + +SeAddUsersPrivilege +smbd +net rpc user add + This right determines whether or not smbd will allow the + user to create new user or group accounts via such tools + as net rpc user add or + NT4 User Manager for Domains. + + + + SeDiskOperatorPrivilege + +SeDiskOperatorPrivilege +add/delete/change share +ACL + Accounts that possess this right will be able to execute + scripts defined by the add/delete/change + share command in &smb.conf; file as root. Such users will + also be able to modify the ACL associated with file shares + on the Samba server. + + + + SeMachineAccountPrivilege + +SeMachineAccountPrivilege +right to join domain +join client + This right controls whether or not the user can join client + machines to a Samba-controlled domain. + + + + SePrintOperatorPrivilege + +SePrintOperatorPrivilege +privilege +global right +administrative rights +printers admin + This privilege operates identically to the + option in the &smb.conf; file (see section 5 man page for &smb.conf;) + except that it is a global right (not on a per-printer basis). + Eventually the smb.conf option will be deprecated and administrative + rights to printers will be controlled exclusively by this right and + the security descriptor associated with the printer object in the + ntprinters.tdb file. + + + + SeRemoteShutdownPrivilege + +SeRemoteShutdownPrivilege +rebooting server +aborting shutdown + Samba provides two hooks for shutting down or rebooting + the server and for aborting a previously issued shutdown + command. Since this is an operation normally limited by + the operating system to the root user, an account must possess this + right to be able to execute either of these hooks. 
+ + + + SeTakeOwnershipPrivilege + +SeTakeOwnershipPrivilege +take ownership + This right permits users to take ownership of files and directories. + + + + + + + + +Privileges Suppored by Windows 2000 Domain Controllers + + + For reference purposes, a Windows NT4 Primary Domain Controller reports support for the following + privileges: +SeCreateTokenPrivilege +SeAssignPrimaryTokenPrivilege +SeLockMemoryPrivilege +SeIncreaseQuotaPrivilege +SeMachineAccountPrivilege +SeTcbPrivilege +SeSecurityPrivilege +SeTakeOwnershipPrivilege +SeLoadDriverPrivilege +SeSystemProfilePrivilege +SeSystemtimePrivilege +SeProfileSingleProcessPrivilege +SeIncreaseBasePriorityPrivilege +SeCreatePagefilePrivilege +SeCreatePermanentPrivilege +SeBackupPrivilege +SeRestorePrivilege +SeShutdownPrivilege +SeDebugPrivilege +SeAuditPrivilege +SeSystemEnvironmentPrivilege +SeChangeNotifyPrivilege +SeRemoteShutdownPrivilege + + SeCreateTokenPrivilege Create a token object + SeAssignPrimaryTokenPrivilege Replace a process level token + SeLockMemoryPrivilege Lock pages in memory + SeIncreaseQuotaPrivilege Increase quotas + SeMachineAccountPrivilege Add workstations to domain + SeTcbPrivilege Act as part of the operating system + SeSecurityPrivilege Manage auditing and security log + SeTakeOwnershipPrivilege Take ownership of files or other objects + SeLoadDriverPrivilege Load and unload device drivers + SeSystemProfilePrivilege Profile system performance + SeSystemtimePrivilege Change the system time +SeProfileSingleProcessPrivilege Profile single process +SeIncreaseBasePriorityPrivilege Increase scheduling priority + SeCreatePagefilePrivilege Create a pagefile + SeCreatePermanentPrivilege Create permanent shared objects + SeBackupPrivilege Back up files and directories + SeRestorePrivilege Restore files and directories + SeShutdownPrivilege Shut down the system + SeDebugPrivilege Debug programs + SeAuditPrivilege Generate security audits + SeSystemEnvironmentPrivilege Modify firmware environment 
values + SeChangeNotifyPrivilege Bypass traverse checking + SeRemoteShutdownPrivilege Force shutdown from a remote system + + And Windows 200x/XP Domain Controllers and workstations reports to support the following privileges: +SeCreateTokenPrivilege +SeAssignPrimaryTokenPrivilege +SeLockMemoryPrivilege +SeIncreaseQuotaPrivilege +SeMachineAccountPrivilege +SeTcbPrivilege +SeSecurityPrivilege +SeTakeOwnershipPrivilege +SeLoadDriverPrivilege +SeSystemProfilePrivilege +SeSystemtimePrivilege +SeProfileSingleProcessPrivilege +SeIncreaseBasePriorityPrivilege +SeCreatePagefilePrivilege +SeCreatePermanentPrivilege +SeBackupPrivilege +SeRestorePrivilege +SeShutdownPrivilege +SeDebugPrivilege +SeAuditPrivilege +SeSystemEnvironmentPrivilege +SeChangeNotifyPrivilege +SeRemoteShutdownPrivilege +SeUndockPrivilege +SeSyncAgentPrivilege +SeEnableDelegationPrivilege +SeManageVolumePrivilege +SeImpersonatePrivilege +SeCreateGlobalPrivilege + + SeCreateTokenPrivilege Create a token object + SeAssignPrimaryTokenPrivilege Replace a process level token + SeLockMemoryPrivilege Lock pages in memory + SeIncreaseQuotaPrivilege Increase quotas + SeMachineAccountPrivilege Add workstations to domain + SeTcbPrivilege Act as part of the operating system + SeSecurityPrivilege Manage auditing and security log + SeTakeOwnershipPrivilege Take ownership of files or other objects + SeLoadDriverPrivilege Load and unload device drivers + SeSystemProfilePrivilege Profile system performance + SeSystemtimePrivilege Change the system time +SeProfileSingleProcessPrivilege Profile single process +SeIncreaseBasePriorityPrivilege Increase scheduling priority + SeCreatePagefilePrivilege Create a pagefile + SeCreatePermanentPrivilege Create permanent shared objects + SeBackupPrivilege Back up files and directories + SeRestorePrivilege Restore files and directories + SeShutdownPrivilege Shut down the system + SeDebugPrivilege Debug programs + SeAuditPrivilege Generate security audits + SeSystemEnvironmentPrivilege 
Modify firmware environment values + SeChangeNotifyPrivilege Bypass traverse checking + SeRemoteShutdownPrivilege Force shutdown from a remote system + SeUndockPrivilege Remove computer from docking station + SeSyncAgentPrivilege Synchronize directory service data + SeEnableDelegationPrivilege Enable computer and user accounts to + be trusted for delegation + SeManageVolumePrivilege Perform volume maintenance tasks + SeImpersonatePrivilege Impersonate a client after authentication + SeCreateGlobalPrivilege Create global objects + +equivalence + The Samba Team is implementing only those privileges that are logical and useful in the UNIX/Linux + environment. Many of the Windows 200X/XP privileges have no direct equivalence in UNIX. + + + + +
+ + +The Administrator Domain SID + + +domain Administrator +User Rights and Privileges +passdb backend +SID +net getlocalsid +Please note that every Windows NT4 and later server requires a domain Administrator account. Samba versions +commencing with 3.0.11 permit Administrative duties to be performed via assigned rights and privileges +(see User Rights and Privileges). An account in the server's passdb backend can +be set to the well-known RID of the default administrator account. To obtain the domain SID on a Samba domain +controller, run the following command: + +&rootprompt; net getlocalsid +SID for domain FOO is: S-1-5-21-4294955119-3368514841-2087710299 + +RID +You may assign the domain administrator RID to an account using the pdbedit +command as shown here: +pdbedit + +&rootprompt; pdbedit -U S-1-5-21-4294955119-3368514841-2087710299-500 -u root -r + + + + +RID 500 +well known RID +rights and privileges +root account +The RID 500 is the well known standard value of the default Administrator account. It is the RID +that confers the rights and privileges that the Administrator account has on a Windows machine +or domain. Under UNIX/Linux the equivalent is UID=0 (the root account). + + + +without Administrator account +equivalent rights and privileges +Windows group account +3.0.11 +Releases of Samba version 3.0.11 and later make it possible to operate without an Administrator account +provided equivalent rights and privileges have been established for a Windows user or a Windows +group account. + + + + + +Common Errors + + + What Rights and Privileges Will Permit Windows Client Administration? + + +domain global +local group +administrative rights +Windows client + When a Windows NT4 (or later) client joins a domain, the domain global Domain Admins group + is added to the membership of the local Administrators group on the client. Any user who is + a member of the domain global Domain Admins group will have administrative rights on the + Windows client. 
+ + + +desirable solution +administrative rights and privileges +Power Users +domain global user +domain global group + This is often not the most desirable solution because it means that the user will have administrative + rights and privileges on domain servers also. The Power Users group on Windows client + workstations permits local administration of the workstation alone. Any domain global user or domain global + group can be added to the membership of the local workstation group Power Users. + + + +Nested Group Support +add domain users and groups to a local group +net +Windows workstation. + See Nested Group Support for an example of how to add domain users + and groups to a local group that is on a Windows workstation. The use of the net + command permits this to be done from the Samba server. + + + +cmd +cmd shell +netlocalgroup + Another way this can be done is to log onto the Windows workstation as the user + Administrator, then open a cmd shell, then execute: + +&dosprompt; net localgroup administrators /add domain_name\entity + + where entity is either a domain user or a domain group account name. + + + + + + +
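Review bot: The description of the grant subcommand contradicts its own synopsis: the entry is titled "grant <user> <right [right ...]>" but the text begins "When called with no arguments, this function is used to assign a list of rights to a specified user or group", which is the wording copied from the list entry; it should read "This subcommand assigns a list of rights to the specified user or group", since grant without arguments cannot assign anything. In the same list, the first sentence of the list entry refers to "net rpc list" while the rest of the section uses "net rpc rights list"; the shortened form should be corrected so readers do not look for a non-existent subcommand. Two smaller wording points in the later sections: the heading "Privileges Suppored by Windows 2000 Domain Controllers" misspells "Supported" (and the section actually lists NT4 PDC and Windows 200x/XP privileges, so a title such as "Privileges Supported by Windows NT4 and 200x/XP Domain Controllers" would match its content), and "Windows 200x/XP Domain Controllers and workstations reports to support the following privileges" should be "report support for the following privileges". Finally, the Description of Privileges section states that SeDiskOperatorPrivilege runs the add/delete/change share scripts as root and the note above says smbd performs such actions as root once a right is held; it would help administrators if that section said plainly that these rights are therefore root-equivalent on the UNIX host and should be granted as sparingly as the earlier "be very careful" warning implies.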