From d4b35b895cdf157e49609b59ec89ab648dafb524 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Wed, 13 Apr 2005 04:04:36 +0000 Subject: More updates. (This used to be commit 20f8bde1d0a2b2e42efedcdac21778fe34c0ab79) --- .../TOSHARG-RightsAndPriviliges.xml | 278 +++++++++++++++++++++ 1 file changed, 278 insertions(+) create mode 100644 docs/Samba-HOWTO-Collection/TOSHARG-RightsAndPriviliges.xml (limited to 'docs/Samba-HOWTO-Collection/TOSHARG-RightsAndPriviliges.xml') diff --git a/docs/Samba-HOWTO-Collection/TOSHARG-RightsAndPriviliges.xml b/docs/Samba-HOWTO-Collection/TOSHARG-RightsAndPriviliges.xml new file mode 100644 index 0000000000..a8c2811511 --- /dev/null +++ b/docs/Samba-HOWTO-Collection/TOSHARG-RightsAndPriviliges.xml 
@@ -0,0 +1,278 @@ + + + + + &author.jerry; + &author.jht; + + +User Rights and Privileges + + +The administration of Windows user, group and machine accounts in the Samba +domain controlled network necessitates interfacing between the MS Windows +networking environment and the UNIX operating system environment. The right +(permission) to add machines to the Windows security domain can be assigned +(set) to non-administrative users both in Windows NT4 domains as well as in +Active Directory domains. + + + +The addition of Windows NT4/2kX/XPPro machines to the domain necessitates the +creation of a machine account for each machine added. The machine account is +a necessity that is used to validate that the machine can be trusted to permit +user logons. + + + +Machine accounts are analogous to user accounts, and thus in implementing them +on a UNIX machine that is hosting Samba (i.e.: On which Samba is running) it is +necessary to create a special type of user account. Machine accounts differ from +a normal user account in that the account name (login ID) is terminated with a $ +sign. An additional difference is that this type of account should not ever be able +to log into the UNIX environment as a system user and therefore is set to have a +shell of /bin/false and a home directory of +/dev/null. + + + +The creation of UNIX system accounts has traditionally been the sole right of +the system administrator, better known as the root account. +It is possible in the UNIX environment to create multiple users who have the +same UID. Any UNIX user who has a UID=0 is inherently the same as the +root account. + + + +All versions of Samba call system interface scripts that permit CIFS function +calls that are used to manage users, groups and machine accounts to be affected +in the UNIX environment. 
All versions of Samba up to and including version 3.0.10 +required the use of a Windows Administrator account that unambiguously maps to +the UNIX root account to permit the execution of these +interface scripts. The reuqirement to do this has understandably met with some +disdain and consternation among Samba administrators, particularly where it became +necessary to permit people who should not posses root level +access to the UNIX host system. + + + +Rights Management Capabilities + + +Samba 3.0.11 introduces support for the Windows privilege model. This model +allows certain rights to be assigned to a user or group SID. In order to enable +this feature, yes +must be defined in the section of the &smb.conf; file. + + + +Currently, the rights supported in Samba 3 are listed in . +The remainder of this chapter explains how to manage and use these privileges on Samba servers. + + + + Current Privilege Capabilities + + + + + + Privilege + Description + + + + + SeMachineAccountPrivilege + Add machines to domain + + + SePrintOperatorPrivilege + Manage printers + + + SeAddUsersPrivilege + Add users and groups to the domain + + + SeRemoteShutdownPrivilege + Force shutdown from a remote system + + + SeDiskOperatorPrivilege + Manage disk share + + + +
+ + +Using the <quote>net rpc rights</quote> Utility + + +There are two primary means of managing the rights assigned to users and groups +on a Samba server. The NT4 User Manager for Domains may be +used from any Windows NT4, 2000 or XP Professional domain member client to +connect to a Samba domain controller and view/modify the rights assignments. +This application, however, appears to have bugs when run on a client running +Windows 2000 or later, therefore Samba provides a command line utility for +performing the necessary administrative actions. + + + +The net rpc rights utility in Samba 3.0.11 has 3 new subcommands: + + + + list [name|accounts] + + When called with no arguments, net rpc list + will simply list the available rights on the server. When passed + a specific user or group name, the tool lists the privileges + currently assigned to the specified account. When invoked using + the special string accounts, + net rpc rights list will return a list of all + privileged accounts on the server and the assigned rights. + + + + grant <user> <right [right ...]> + + When called with no arguments, This function is used to assign + a list of rights to a specified user or group. For example, + to grant the members of the Domain Admins group on a Samba DC + the capability to add client machines to the domain, one would run: + +&rootprompt; net -S server -U domadmin rpc rights grant \ + 'DOMAIN\Domain Admins' SeMachineAccountPrivilege + + More than one privilege can be assigned by specifying a + list of rights separated by spaces. The parameter 'Domain\Domain Admins' + must be quoted with single ticks or using double-quotes to prevent + the back-slash and the space from being interpreted by the system shell. + + + + revoke <user> <right [right ...]> + + This command is similar in format to net rpc rights grant. It's + effect is to remove an assigned right (or list of rights) from a user or group. 
+ + + + + + +You must be connected as a member of the Domain Admins group to be able to +grant or revoke privileges assigned to an account. This capability is +inherent to the Domain Admins group and is not configurable. + + + +By default, no privileges are initially assigned to any +account. The reason for this is that certain actions will +be performed as root once smbd determines that a user has +the necessary rights. For example, when joining a client to +a Windows domain, the 'add machine script' must be executed +with superuser rights in most cases. For this reason, you +should be very careful about handing out privileges to +accounts. + + + +Access as the root user (UID=0) bypasses all privilege checks. + + + + + +Description of Privileges + + +The privileges that have been implemented in Samba-3.0.11 are shown below. +It is possible, and likely, that additional privileges may be implemented in +later releases of Samba. It is also likely that any privileges currently implemented +but not used may be removed from future releases, thus it is important that +the successful as well as unsuccessful use of these facilities should be reported +on the Samba mailing lists. + + + + SeAddUsersPrivilege + + This right determines whether or not smbd will allow the + user to create new user or group accounts via such tools + as net rpc user add or + NT4 User Manager for Domains. + + + + SeDiskOperatorPrivilege + + Accounts which posses this right will be able to execute + scripts defined by the add/delete/change + share command in &smb.conf; file as root. Such users will + also be able to modify the ACL associated with file shares + on the Samba server. + + + + SeMachineAccountPrivilege + + Controls whether or not the user is able join client + machines to a Samba controlled domain. 
+ + + + SePrintOperatorPrivilege + + This privilege operates identically to the + + option in the &smb.conf; file (see section 5 man page for &smb.conf;) + except that it is a global right (not on a per printer basis). + Eventually the smb.conf option will be deprecated and administrative + rights to printers will be controlled exclusively by this right and + the security descriptor associated with the printer object in the + ntprinters.tdb file. + + + + SeRemoteShutdownPrivilege + + Samba provides two hooks for shutting down or rebooting + the server and for aborting a previously issued shutdown + command. Since this is an operation normally limited by + the operating system to the root user, an account must possess this + right to be able to execute either of these hooks to have any effect. + + + + + + + +
+ + +The Administrator Domain SID + + +Please note that when configured as a DC, it is now required +that an account in the server's passdb backend be set to the +domain SID of the default Administrator account. To obtain the +domain SID on a Samba DC, run the following command: + + +&rootprompt; net getlocalsid +SID for domain FOO is: S-1-5-21-4294955119-3368514841-2087710299 + +You may assign the Domain Administrator rid to an account using the pdbedit +command as shown here: + +&rootprompt; pdbedit -U S-1-5-21-4294955119-3368514841-2087710299-500 -u root -r + + + + + +
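Review bot: the `grant <user> <right [right ...]>` entry opens with "When called with no arguments, This function is used to assign a list of rights to a specified user or group", which is a copy-paste remnant of the `list` entry; `grant` requires a user and at least one right, so the clause should go: "This subcommand assigns a list of rights to a specified user or group." In the same variable list the `list` entry names the command "net rpc list" in its first sentence and "net rpc rights list" in its last; both should read `net rpc rights list`. The SeAddUsersPrivilege description should also state, as the SeDiskOperatorPrivilege description already does, that the account-creation scripts are executed as root once smbd has validated the right; the "By default, no privileges are initially assigned" paragraph gives exactly that as the reason for caution, and an administrator who reads only the privilege descriptions will miss it. Spelling in the hunk: "reuqirement" should be "requirement", "posses" should be "possess" (twice), "It's effect" should be "Its effect", "to be affected in the UNIX environment" should be "effected", and the new file name TOSHARG-RightsAndPriviliges.xml misspells "Privileges" while the chapter title spells it correctly, so every cross-reference to the chapter will carry the typo.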