From 161ac1e36f0adf8f081422f98b25f2cf5b690720 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Thu, 16 Jun 2005 18:31:27 +0000 Subject: More Updates. (This used to be commit 6fba7bc2c89b584278b0f888b7620b5206624e4b) --- docs/Samba3-HOWTO/TOSHARG-BDC.xml | 12 ++-- docs/Samba3-HOWTO/TOSHARG-Portability.xml | 3 +- docs/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml | 43 ++++++++++++- docs/Samba3-HOWTO/TOSHARG-TheNetCommand.xml | 78 +++++++++++++++++++++-- 4 files changed, 123 insertions(+), 13 deletions(-) (limited to 'docs') diff --git a/docs/Samba3-HOWTO/TOSHARG-BDC.xml b/docs/Samba3-HOWTO/TOSHARG-BDC.xml index 2d601af1b4..353683478c 100644 --- a/docs/Samba3-HOWTO/TOSHARG-BDC.xml +++ b/docs/Samba3-HOWTO/TOSHARG-BDC.xml @@ -19,12 +19,12 @@ with configuring a Samba domain controller as described in John H. Terpstra -clearly setting out your requirements and/or question, and we will do our best to provide a solution. +This is one of the most difficult chapters to summarize. It does not matter what we say here, for someone will +still draw conclusions and/or approach the Samba Team with expectations that are either not yet capable of +being delivered or that can be achieved far more effectively using a totally different approach. In the event +that you should have a persistent concern that is not addressed in this book, please email John H. Terpstra clearly setting out your requirements and/or question, and +we will do our best to provide a solution. diff --git a/docs/Samba3-HOWTO/TOSHARG-Portability.xml b/docs/Samba3-HOWTO/TOSHARG-Portability.xml index 28f32702e0..d70dba1a9e 100644 --- a/docs/Samba3-HOWTO/TOSHARG-Portability.xml +++ b/docs/Samba3-HOWTO/TOSHARG-Portability.xml @@ -233,7 +233,8 @@ and rebuild Samba. Winbind on Solaris 9 Nsswitch on Solaris 9 refuses to use the Winbind NSS module. This behavior -is fixed by Sun in patch 112960-14. +is fixed by Sun in patch 112960-14. 
diff --git a/docs/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml b/docs/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml index 3a87fcd64c..15a963943b 100644 --- a/docs/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml +++ b/docs/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml @@ -278,11 +278,50 @@ or domain. Under UNIX/Linux the equivalent is UID=0 (the root account). -Commencing with Samba version 3.0.11 it is possible to operate without an Administrator account +Releases of Samba version 3.0.11 and later make it possible to operate without an Administrator account providing equivalent rights and privileges have been established for a Windows user or a Windows -group account. +group account. + +Common Errors + + + What Rights and Privileges Will Permit Windows Client Administration? + + + When a Windows NT4 (or later) client joins a domain, the domain global Domain Admins group + is added to the membership of the local Administrators group on the client. Any user who is + a member of the domain global Domain Admins group will have administrative rights on the + Windows client. + + + + This is often not the most desirable solution because it means that the user will have administrative + rights and privileges on domain servers also. The Power Users group on Windows client + workstations permits local administration of the workstation alone. Any domain global user or domain global + group can be added to the membership of the local workstation group Power Users. + + + + See Nested Group Support for an example of how to add domain users + and groups to a local group that is on a Windows workstation. The use of the net + command permits this to be done from the Samba server. + + + + Another way this can be done is to log onto the Windows workstation as the user + Administrator, then open a cmd shell, then execute: + +c:\ net localgroup administrators /add domain_name\entity + + where entity is either a domain user or a domain group account name. + + + + + + 
diff --git a/docs/Samba3-HOWTO/TOSHARG-TheNetCommand.xml b/docs/Samba3-HOWTO/TOSHARG-TheNetCommand.xml index 2b73a06392..7231bdaf21 100644 --- a/docs/Samba3-HOWTO/TOSHARG-TheNetCommand.xml +++ b/docs/Samba3-HOWTO/TOSHARG-TheNetCommand.xml @@ -224,8 +224,8 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs - The operations that are permitted include: add, modify, and delete. An example - of each operation is shown here. + The operations that are permitted include: add, modify, + and delete. An example of each operation is shown here. @@ -296,7 +296,7 @@ SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs - + Manipulating Group Memberships @@ -409,7 +409,7 @@ MIDEARTH\vlendecke - + Nested Group Support @@ -452,6 +452,9 @@ DOM\jht + + Managing Nest Groups on Workstations from the Samba Server + Windows network administrators often ask on the Samba mailing list how it is possible to grant everyone administrative rights on their own workstation. This is of course a very bad practice, but commonly done 
@@ -462,6 +465,73 @@ DOM\jht + + This can be scripted, and can therefore be performed as a user logs onto the domain from a Windows + workstation. Here is a simple example that shows how this can be done. + + + + Automating User Addition to the Workstation Power Users Group + + + Create the script shown in and locate it in + the directory /etc/samba/scripts, named as autopoweruser.sh. + + + +Script to Auto-add Domain Users to Workstation Power Users Group + +#!/bin/bash + +/usr/bin/net rpc group addmem "Power Users" "DOMAIN_NAME\$1" -UAdministrator%secret -S $2 + +exit 0 + + + + + Set the permissions on this script to permit it to be executed as part of the logon process: + +&rootprompt; chown root:root /etc/samba/autopoweruser.sh +&rootprompt; chmod 755 /etc/samba/autopoweruser.sh + + + + + Modify the &smb.conf; file so the NETLOGON stanza contains the parameters + shown in the Netlogon Example smb.conf file. + + + +A Magic Netlogon Share + + +Netlogon Share +/var/lib/samba/netlogon +/etc/samba/scripts/autopoweruser.sh %U %m +Yes +Yes + + + + + Ensure that every Windows workstation Adminsitrator account has the same password that you + have used in the script shown in the Netlogon Example smb.conf + file + + + + + + This script will be executed every time a user logs onto the network. Therefore every user will + have local Windows workstation management rights. This could of course be assigned using a group, + in which case there is little justification for the use of this procedure. The key justification + for the use of this method is that it will guarantee that all users have appropriate rights on + the workstation. + + + + -- cgit
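Review bot: in the TOSHARG-Portability.xml hunk the replacement line `+is fixed by Sun in patch 112960-14.` reads identically to the `-` line it replaces, so whatever this hunk is meant to change is not visible in this view; confirm that the edit actually alters the rendered text (or its markup), otherwise the hunk is a no-op and can be dropped.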
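Review bot: in the new Common Errors section of TOSHARG-RightsAndPriviliges.xml the example `c:\ net localgroup administrators /add domain_name\entity` contradicts the two paragraphs before it. Those paragraphs recommend the local Power Users group precisely because it grants rights on the workstation alone, whereas the example adds the domain user or group to the local Administrators group, which grants full local administration. Either change the example to `net localgroup "Power Users" /add domain_name\entity` (the quotes are required because the group name contains a space) or say explicitly that this variant grants full administrator rights rather than Power Users rights. The `c:\ ` prefix would also read better as a proper cmd prompt, `C:\>`.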
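Review bot: the section title added in the `@@ -452,6 +452,9 @@` hunk of TOSHARG-TheNetCommand.xml, `Managing Nest Groups on Workstations from the Samba Server`, has a typo: `Nest` should be `Nested`, matching the `Nested Group Support` heading it sits under.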
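Review bot: the autopoweruser.sh script in the last TOSHARG-TheNetCommand.xml hunk does not pass the user name it intends to. Inside double quotes bash treats `\$` as an escaped dollar sign, so `"DOMAIN_NAME\$1"` expands to the literal string `DOMAIN_NAME$1`, not `DOMAIN_NAME\<user>`; write `"DOMAIN_NAME\\$1"` instead, and quote `"$2"` as well since it comes straight from the `%m` argument. Several other points in the same hunk: the prose places the script at `/etc/samba/scripts/autopoweruser.sh` and the smb.conf example invokes that path, but the `chown`/`chmod` lines operate on `/etc/samba/autopoweruser.sh`, so one of the two is wrong; the script embeds the workstation Administrator password (`-UAdministrator%secret`) yet is made mode 755, i.e. readable by every local account on the Samba server, and since the last step requires every workstation's Administrator account to share that password, one read of the file discloses local administrator access to all workstations, so the file should be 700 (it is executed as part of the logon process, not by ordinary users) and the text should call out that the shared password is the weak point of this procedure; `exit 0` discards the `net rpc` return status, so a failed group addition is never surfaced, and simply ending the script with the `net` command (or `exit $?`) would preserve it; and `Adminsitrator` in the final step is a typo for `Administrator`.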