From d2dc286b2115d3629730276aa4246ee8ce6c5f4a Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Mon, 16 May 2005 21:38:34 +0000 Subject: Progress update only. (This used to be commit 471c811da4804c340a0982bdd7a20e80fd7c8008) --- .../TOSHARG-TheNetCommand.xml | 147 +++++++++++++++++++-- 1 file changed, 135 insertions(+), 12 deletions(-) (limited to 'docs') diff --git a/docs/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml b/docs/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml index 2675820164..b4fab1c978 100644 --- a/docs/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml +++ b/docs/Samba-HOWTO-Collection/TOSHARG-TheNetCommand.xml @@ -83,8 +83,10 @@ the infliction of self induced pain, agony and desperation. Be warned, this is a exhaustive, and thus it is incomplete. Since the primary focus is on migration from Windows servers to a Samba server the emphasis is on the use of the DCE RPC mode of operation. When used against a server that is a member of an Active Directory domain it is preferable (and often necessary) to use ADS mode - operations. The net command supports both, but not for every operation. Please refer - to the man page for a more comprehensive overview of the capabilities of this utility. + operations. The net command supports both, but not for every operation. For most + operations, if the mode is not specified net will automatically fall back via + the ads, rpc, rap modes. Please refer to the man page for a more comprehensive + overview of the capabilities of this utility. @@ -181,7 +183,7 @@ SupportEngrs:x:1003: results in immediate mapping of the POSIX group that has been created to the Windows group account as whown here: -merlin:~ # net groupmap list +&rootprompt; net groupmap list Domain Admins (S-1-5-21-72630-4128915-11681869-512) -> Domain Admins Domain Users (S-1-5-21-72630-4128915-11681869-513) -> Domain Users Domain Guests (S-1-5-21-72630-4128915-11681869-514) -> Domain Guests 
@@ -340,7 +342,7 @@ Engineers (S-1-5-21-72630-412605-116429-3001) -> Engineers group mapping, a member of the Windows group, an attempt to add this account again should fail. This is demonstrated here: -merlin:~ # net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot%not24get +&rootprompt; net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot%not24get Could not add ajt to MIDEARTH\Engineers: NT_STATUS_MEMBER_IN_GROUP This showns that the group mapping between UNIX/Linux groups and Windows groups is effective and @@ -450,6 +452,16 @@ DOM\jht + + Windows network administrators often ask on the Samba mailing list how it is possible to grant everyone + administrative rights on their own workstation. This is of course a very bad practice, but commonly done + to avoid user complaints. Here is how it can be done remotely from a Samba PDC or BDC: + +&rootprompt; net rpc group addmem "Administrators" "Domain Users" \ + -S WINPC032 -Uadministrator%secret + + + 
@@ -469,13 +481,37 @@ DOM\jht Although this is not the appropriate place to discuss the facility, this interface is an important method of mapping a Windows user account to a UNIX account that has a different name. Refer to the man page for the &smb.conf; file for more information regarding this - facility. User name mappings can not be managed usinf the net utility. + facility. User name mappings can not be managed using the net utility. - + Adding User Accounts + The syntax for adding a user account via the net (according to the man page) is shown + here: + +net [<method>] user ADD <name> [-c container] [-F user flags] \ + [misc. options] [targets] + + The user account password may be set using this syntax: + +net rpc password <username> [<password>] -Uadmin_username%admin_pass + + + + + The following demonstrates the addition of an account to the server FRODO: + +&rootprompt; net rpc user add jacko -S FRODO -Uroot%not24get +Added user jacko + + The account password can be set with the following methods (all show the same operation): + +&rootprompt; net rpc password jacko f4sth0rse -S FRODO -Uroot%not24get +&rootprompt; net rpc user password jacko f4sth0rse \ + -S FRODO -Uroot%not24get + 
@@ -484,14 +520,40 @@ DOM\jht Deletion of User Accounts + Deletion of a user account can be done using the following syntax: + +net [<method>] user DELETE <name> [misc. options] [targets] + + The following command will delete the user account jacko: + +&rootprompt; net rpc user delete jacko -Uroot%not24get +Deleted user account + - Modification of User Accounts + Managing User Accounts + + + Two basic user accont operations are routinely used, change of password and querying which groups a user + is a member of. The change of password operation is shown in . + + The ability to query Windows group membership can be essential. Here is how a remote server may be + interrogated to find which groups a user is a member of: + +&rootprompt; net rpc user info jacko -S SAURON -Uroot%not24get +net rpc user info jacko -S SAURON -Uroot%not24get +Domain Users +Domain Admins +Engineers +TorridGroup +BOP Shop +Emergency Services + @@ -500,6 +562,21 @@ DOM\jht User Mapping + In some situations it is unavoidable that a users' Windows logon name will differ from the login ID + that user has on the Samba server. It is possible to create a special file on the Samba server that + will permit the Windows user name to be mapped to a different UNIX/Linux user name. The &smb.conf; + file must also be ammended so that the [global] stanza contains the parameter: + +username map = /etc/samba/smbusers + + The content of the /etc/samba/smbusers file is shown here: + +parsonsw: "William Parsons" +marygee: geeringm + + In this example the Windows user account William Parsons will be mapped to the UNIX user + parsonsw, and the Windows user account geeringm will be mapped to the + UNIX user marygee. 
@@ -510,6 +587,29 @@ DOM\jht Administering User Rights and Privileges + With all versions of Samba earlier than 3.0.11 the only account on a Samba server that had the ability + to manage users, groups, shares, printers, etc. is the root account. This caused + immense problems for some users and was a frequent source of scorn over the necessity to hand out the + credentials for the most security sensitive account on a UNIX/Linux system. + + + + New to Samba version 3.0.11 is the ability to delegate administrative privileges as necessary to either + a normal user, or to groups of users. The significance of the administrative privileges is documented + in . Examples of use of the net for user rights and privilege + management is appropriate to this chapter. + + + + When user rights and privileges are correctly set there is no longer a need for there to be a Windows + network account for the root user (nor for any synonym of it) with a UNIX UID=0. + Initial user rights and privileges can be assigned by any account that is a member of the + Domain Admins group. Rights can be assigned to user as well as group accounts. + + + + By default, no privileges and rights are assigned. This is demonstrated by executing the command + shown here: &rootprompt; net rpc rights list accounts -U root%not24get BUILTIN\Print Operators 
@@ -529,26 +629,49 @@ No privileges assigned Everyone No privileges assigned + + + + The net command can be used to obtain the currently supported capabilities for rights + and privileges using this method: + &rootprompt; net rpc rights list -U root%not24get SeMachineAccountPrivilege Add machines to domain SePrintOperatorPrivilege Manage printers SeAddUsersPrivilege Add users and groups to the domain SeRemoteShutdownPrivilege Force shutdown from a remote system SeDiskOperatorPrivilege Manage disk shares + + Machine account privilege is necessary to permit a Windows NT4 or later network client to be added to the + domain. The disk operator privilege is necessary to permit the user to manage share ACLs and file and + directory ACLs for objects not owned by the user. + + + In this example, all rights are assigned to the Domain Admins group. This is a good + idea since members of this group are generally expected to be all-powerful. This assignment makes that + the reality: + &rootprompt; net rpc rights grant "MIDEARTH\Domain Admins" \ SeMachineAccountPrivilege SePrintOperatorPrivilege \ SeAddUsersPrivilege SeRemoteShutdownPrivilege \ SeDiskOperatorPrivilege -U root%not24get Successfully granted rights. - + + Next, the domain user jht is given the privileges needed for day to day + administration: &rootprompt; net rpc rights grant "MIDEARTH\jht" \ SeMachineAccountPrivilege SePrintOperatorPrivilege \ SeAddUsersPrivilege SeDiskOperatorPrivilege \ -U root%not24get Successfully granted rights. + + + + The following step permits validation of the changes just made: + &rootprompt; net rpc rights list accounts -U root%not24get MIDEARTH\jht SeMachineAccountPrivilege 
@@ -650,12 +773,12 @@ Join to 'MIDEARTH' is OK file system is the directory /data. The command that can be executed to perform the addition of this share is shown here: -&rootprompt; net rpc share add Bulge=/data -S merlin -Uroot%not24get +&rootprompt; net rpc share add Bulge=/data -S MERLIN -Uroot%not24get Validation is an important process, and by executing the command net rpc share with no other operators a listing of available shares is shown here: -&rootprompt; net rpc share -S merlin -Uroot%not24get +&rootprompt; net rpc share -S MERLIN -Uroot%not24get profdata archive Bulge <--- This one was added @@ -672,11 +795,11 @@ ADMIN$ Often times it is desirable also to permit a share to be removed using a command-line tool. The following step permits the share that was previously added to be removed: -&rootprompt; net rpc share delete Bulge -S merlin -Uroot%not24get +&rootprompt; net rpc share delete Bulge -S MERLIN -Uroot%not24get A simple validation shown here demonstrates that the share has been removed: -&rootprompt; net rpc share -S merlin -Uroot%not24get +&rootprompt; net rpc share -S MERLIN -Uroot%not24get profdata archive print$ -- cgit
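Review bot: In the @@ -83 hunk the new sentence "net will automatically fall back via the ads, rpc, rap modes" should spell out the order and use the same form for the mode names as the surrounding text (ADS mode, DCE RPC mode): "if no mode is specified, net tries ADS first, then RPC, then RAP". Since the fallback is automatic, it is worth adding that a reader who needs a particular mode, such as ADS against the Active Directory member server the paragraph mentions, should give the mode explicitly rather than rely on the fallback.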
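Review bot: The @@ -181 hunk swaps the literal `merlin:~ #` prompt for the `&rootprompt;` entity but leaves the typo in the sentence just above it ("as whown here"); change it to "shown" while this block is being touched.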
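Review bot: In the @@ -340 hunk the line after the command, "This showns that", has the same kind of typo ("shows"). On the command itself, `-Uroot%not24get` puts the administrator password on the command line, where it ends up in shell history and is visible to other users of the machine in the process list. Since this form is used in every example in the chapter, a single sentence near the start saying that `-U root` without the `%password` part makes net prompt for the password, and that the `user%password` form appears here only for brevity, would be the most useful caveat to add.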
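Review bot: The @@ -450 hunk adds an example that the paragraph itself calls "a very bad practice" without saying why or what to do instead. Adding "Domain Users" to a workstation's Administrators group gives every domain user full control of that machine, including the data and sessions of other users on it. If the example stays, state that consequence, point to the rights and privileges section added later in this same patch (`net rpc rights grant`) as the way to hand out only the specific capability a user needs, and mention that the membership can be removed again with `net rpc group delmem`.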
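Review bot: In the @@ -469 hunk the password-setting examples (`net rpc password jacko f4sth0rse ...` and `net rpc user password jacko f4sth0rse ...`) place the new user's password on the command line as well as the admin one; the syntax line just above shows `[<password>]` as optional, so say that leaving it off makes net prompt for it and prefer that form in the worked example. Also confirm that the `<method>` and `<name>` placeholders in the syntax block are written as `&lt;method&gt;` and `&lt;name&gt;` in the XML source; as literal angle brackets they would be parsed as elements.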
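Review bot: In the @@ -484 hunk the cross-reference in "The change of password operation is shown in ." is empty, so the xref has no target, and "accont" should be "account". In the `net rpc user info` example the command appears twice, once after the prompt and again as the first line of output (`net rpc user info jacko -S SAURON -Uroot%not24get`); this looks like a paste error and the second copy should be dropped so the output reads as the group list only.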
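Review bot: In the @@ -500 hunk the example `/etc/samba/smbusers` content uses a colon as the separator (`parsonsw: "William Parsons"`); the username map file format described in the smb.conf man page the paragraph refers to is `unixname = windowsname ...`, so as written these lines would not map anything. The example should read `parsonsw = "William Parsons"` and `marygee = geeringm`. Minor: "a users' Windows logon name" should be "a user's", and "ammended" should be "amended".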
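Review bot: In the @@ -510 hunk the cross-reference in "is documented in ." is empty, and "Examples of use of the net for user rights and privilege management is appropriate" should be "are appropriate". The first paragraph also mixes tenses ("had the ability ... is the root account"); "was the root account" keeps it in the past, matching "earlier than 3.0.11".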
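Review bot: In the @@ -529 hunk the paragraph introducing the grant to Domain Admins ends awkwardly ("makes that the reality"); "This assignment makes that expectation explicit" reads better. The two grants differ in one privilege, SeRemoteShutdownPrivilege goes to Domain Admins but not to jht, which is the right shape for a day-to-day account, but the text only explains SeMachineAccountPrivilege and SeDiskOperatorPrivilege; a sentence each on SeAddUsersPrivilege and SePrintOperatorPrivilege, which jht also receives, would let the reader judge whether that set is really the minimum needed. The closing `net rpc rights list accounts` step is the right validation; say that it should be re-run after any later change to confirm the resulting assignments.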