mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00

Another update - adding Privilege info to chapter 6, updating it also in the HOWTO.

(This used to be commit b5c7f01601)
This commit is contained in:
John Terpstra 2005-03-05 05:43:19 +00:00 committed by Gerald W. Carter
parent c1575807a4
commit 90f2fb9ad6
2 changed files with 198 additions and 20 deletions

View File

@ -452,12 +452,12 @@
</para>
<para>
<indexterm><primary>interoperability</primary></indexterm>
For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability,
there are a few nice Web-based tools that may help you to manage your users and groups more effectively.
The Web-based tools you might like to consider include: The <ulink
url="http://lam.sourceforge.net/">LDAP
Account Manager</ulink> (LAM), as well as the <ulink
url="http://www.webmin.com">Webmin</ulink>-based Idealx
The Web-based tools you might like to consider include: The
<ulink url="http://lam.sourceforge.net/">LDAP Account Manager</ulink> (LAM), as well as the
<ulink url="http://www.webmin.com">Webmin</ulink>-based Idealx
<ulink url="http://webmin.idealx.org/index.en.html">CGI tools.</ulink>
</para>
@ -471,18 +471,17 @@
</para>
<note><para>
The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly lacks
security. No form of secure LDAP communications is attempted. The LDAP configuration information provided
The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly uses minimal
security controls. No form of secure LDAP communications is attempted. The LDAP configuration information provided
is considered to consist of the barest essentials only. You are strongly encouraged to learn more about
LDAP before attempting to deploy it in a business-critical environment.
</para></note>
<para>
Information to help you get started with OpenLDAP is available from the
<ulink url="http://www.openldap.org/pub/">
OpenLDAP Web Site.</ulink> Many people have found the book <ulink
url="http://www.booksense.com/product/info.jsp?isbn=1565924916">
LDAP System Administration,</ulink> written by Jerry Carter, quite useful.
<ulink url="http://www.openldap.org/pub/">OpenLDAP Web Site.</ulink> Many people have found the book
<ulink url="http://www.booksense.com/product/info.jsp?isbn=1565924916">LDAP System Administration,</ulink>
written by Jerry Carter, quite useful.
</para>
<para><indexterm>
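Review bot: the reworded note at `The LDAP implementation expressly uses minimal security controls.` softens a warning without changing the fact it qualifies: the very next sentence still says `No form of secure LDAP communications is attempted.`, so bind credentials and everything Samba reads from and writes to the directory cross the network unprotected. For a deployment guide that readers copy verbatim, keep the blunt wording, or state the consequence outright (for example "credentials and directory contents are sent in clear text") rather than "minimal security controls", which suggests some protection exists. The reflow of the two `<ulink>` groups is fine.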
@ -636,6 +635,66 @@
connections.
</para>
<sect3>
<title>Addition of Machines to the Domain</title>
<para>
<indexterm><primary></primary></indexterm>
<indexterm><primary></primary></indexterm>
<indexterm><primary></primary></indexterm>
<indexterm><primary></primary></indexterm>
Samba versions prior to 3.0.11 necessitated the use of a domain administrator account
that maps to the UNIX UID=0. The UNIX operating system permits only the <constant>root</constant>
user to add user and group accounts. Samba 3.0.11 introduced a new facility known as
<constant>Privilieges</constant>. This new facility introduced four new privileges that
can be assigned to users and/or groups:
</para>
<table id="ch6-privs">
<title>Current Privilege Capabilities</title>
<tgroup cols="2">
<colspec align="left"/>
<colspec align="left"/>
<thead>
<row>
<entry align="left">Privilege</entry>
<entry align="left">Description</entry>
</row>
</thead>
<tbody>
<row>
<entry><para>SeMachineAccountPrivilege</para></entry>
<entry><para>Add machines to domain</para></entry>
</row>
<row>
<entry><para>SePrintOperatorPrivilege</para></entry>
<entry><para>Manage printers</para></entry>
</row>
<row>
<entry><para>SeAddUsersPrivilege</para></entry>
<entry><para>Add users and groups to the domain</para></entry>
</row>
<row>
<entry><para>SeRemoteShutdownPrivilege</para></entry>
<entry><para>Force shutdown from a remote system</para></entry>
</row>
<row>
<entry><para>SeDiskOperatorPrivilege</para></entry>
<entry><para>Manage disk share</para></entry>
</row>
</tbody>
</tgroup>
</table>
<para>
In this network example use will be made of one of the supported privileges purely to demonstrate
how any user can now be given the ability to add machines to the domain using a normal user account
that has been given the appropriate privileges.
</para>
</sect3>
<sect3>
<title>Roaming Profile Background</title>
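Review bot: the new paragraph says `This new facility introduced four new privileges that` but the table `ch6-privs` directly below lists five (SeMachineAccountPrivilege, SePrintOperatorPrivilege, SeAddUsersPrivilege, SeRemoteShutdownPrivilege, SeDiskOperatorPrivilege); fix the count or drop it. In the same sentence `<constant>Privilieges</constant>` should read `Privileges`. The four `<indexterm><primary></primary></indexterm>` entries have empty primaries and will produce blank index entries; fill them (e.g. privileges, SeMachineAccountPrivilege) or remove them. Minor: `The UNIX operating system permits only the root user to add user and group accounts` overstates the case (it is the stock account tools that need UID 0); the security-relevant point is the one the first sentence already makes, that Samba had to run the operation as a UID 0 account.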
@ -3181,6 +3240,97 @@ structuralObjectClass: organizationalUnit
</sect2>
<sect2>
<title>Assigning Domain Privileges</title>
<para>
The ability to perform tasks such as joining Windows clients to the domain can be assigned to
normal user accounts. By default, only the domain administrator account (<constant>root</constant> on UNIX
systems because it has UID=0) can add accounts. New to Samba 3.0.11 is the ability to grant
this privilege in a very limited fashion to particular accounts.
</para>
<para>
By default, even Samba 3.0.11 does not grant any rights even to the <constant>Domain Admins</constant>
group. Here we will grant this group all privileges.
</para>
<para>
Samba limits privileges on a per-server basis. This is a deliberate limitation so that users who
are granted rights can be restricted to particular machines. It is left to the network administrator
to determine which rights should be provided and to whom.
</para>
<procedure>
<step><para>
Log onto the primary domain controller (PDC) as the <constant>root</constant> account.
</para></step>
<step><para>
Execute the following command to grant the <constant>Domain Admins</constant> group all
rights and privileges:
<screen>
&rootprompt; net -S MASSIVE -U root%not24get rpc rights grant \
"MEGANET2\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege \
SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
Successfully granted rights.
</screen>
Repeat this step on each domain controller in each case substituting the name of the server
(e.g.: BLDG1, BLDG2) in place of the PDC called MASSIVE.
</para></step>
<step><para>
In this step the privilege will be granted to Bob Jordan (bobj) to add Windows workstations
to the domain. Execute the following only on the PDC. It is not necessary to do this on
BDCs or on DMS machines because machine accounts are only ever added by the PDC:
<screen>
&rootprompt; net -S MASSIVE -U root%not24get rpc rights grant \
"MEGANET2\bobj" SeMachineAccountPrivilege
Successfully granted rights.
</screen>
</para></step>
<step><para>
Verify that the assignment of privileges have been correctly applied by executing:
<screen>
net rpc rights list accounts -Uroot%not24get
MEGANET2\bobj
SeMachineAccountPrivilege
S-0-0
No privileges assigned
BUILTIN\Print Operators
No privileges assigned
BUILTIN\Account Operators
No privileges assigned
BUILTIN\Backup Operators
No privileges assigned
BUILTIN\Server Operators
No privileges assigned
BUILTIN\Administrators
No privileges assigned
Everyone
No privileges assigned
MEGANET2\Domain Admins
SeMachineAccountPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeRemoteShutdownPrivilege
SeDiskOperatorPrivilege
</screen>
</para></step>
</procedure>
</sect2>
</sect1>
<sect1>
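Review bot: every command in this procedure passes the password inline (`-U root%not24get`), which records it in the shell history and exposes it in the process list for as long as `net` runs; since readers copy these lines verbatim, either drop the `%not24get` part so `net` prompts, or add one sentence saying the inline form is for illustration only. Two inconsistencies in the same section: the verification step `net rpc rights list accounts -Uroot%not24get` omits `-S MASSIVE`, unlike the two grant commands, so run from any other host it queries the wrong server; and `Verify that the assignment of privileges have been correctly applied` should read `has been`. Finally, the text says `Samba limits privileges on a per-server basis ... so that users who are granted rights can be restricted to particular machines` and then grants `Domain Admins` all five rights on every DC while giving `bobj` only `SeMachineAccountPrivilege` and only on the PDC; a sentence explaining why the two cases are treated differently would make the least-privilege point the section is trying to make.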

View File

@ -74,18 +74,46 @@ must be defined in the <smbconfsection>global</smbconfsection> section of the &s
</para>
<para>
Currently, the following rights are supported in Samba 3:
<screen>
SeAddUsersPrivilege Add users and groups to the domain
SeDiskOperatorPrivilege Manage disk shares
SeMachineAccountPrivilege Add machines to domain
SePrintOperatorPrivilege Manage printers
SeRemoteShutdownPrivilege Force shutdown from a remote system
</screen>
The remainder of this chapter explains how to manage and use
these privileges on Samba servers.
Currently, the rights supported in Samba 3 are listed in <link linkend="rp-privs"/>.
The remainder of this chapter explains how to manage and use these privileges on Samba servers.
</para>
<table id="rp-privs">
<title>Current Privilege Capabilities</title>
<tgroup cols="2">
<colspec align="right"/>
<colspec align="left"/>
<thead>
<row>
<entry align="center">Privilege</entry>
<entry align="center">Description</entry>
</row>
</thead>
<tbody>
<row>
<entry><para>SeMachineAccountPrivilege</para></entry>
<entry><para>Add machines to domain</para></entry>
</row>
<row>
<entry><para>SePrintOperatorPrivilege</para></entry>
<entry><para>Manage printers</para></entry>
</row>
<row>
<entry><para>SeAddUsersPrivilege</para></entry>
<entry><para>Add users and groups to the domain</para></entry>
</row>
<row>
<entry><para>SeRemoteShutdownPrivilege</para></entry>
<entry><para>Force shutdown from a remote system</para></entry>
</row>
<row>
<entry><para>SeDiskOperatorPrivilege</para></entry>
<entry><para>Manage disk share</para></entry>
</row>
</tbody>
</tgroup>
</table>
<sect2>
<title>Using the <quote>net rpc rights</quote> Utility</title>
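Review bot: the row for SeDiskOperatorPrivilege reads `Manage disk share`, whereas the `<screen>` block this table replaces said `Manage disk shares`; restore the plural (the copy of this table added to chapter 6 has the same wording and should be fixed the same way). The first `<colspec>` is `align="right"` while the chapter 6 copy uses `align="left"` and the header cells here use `align="center"`; right-aligned privilege names next to a left-aligned description column read oddly, so use left in both files. The old list was also alphabetical and the new table is not; and since the same five rows are now maintained in two files they will drift, so consider defining the table once (the build already uses entities such as `&rootprompt;`) and referencing it from both places.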