mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
Another update - adding Privilege info to chapter 6, updating it also in the HOWTO.
(This used to be commit b5c7f01601)
This commit is contained in:
parent c1575807a4
commit 90f2fb9ad6
@ -452,12 +452,12 @@
</para>
<para>
<indexterm><primary>interoperability</primary></indexterm>
For those who are willing to brave the process of installing and configuring LDAP and Samba-3 interoperability,
there are a few nice Web-based tools that may help you to manage your users and groups more effectively.
The Web-based tools you might like to consider include: The <ulink
url="http://lam.sourceforge.net/">LDAP
Account Manager</ulink> (LAM), as well as the <ulink
url="http://www.webmin.com">Webmin</ulink>-based Idealx
The Web-based tools you might like to consider include: The
<ulink url="http://lam.sourceforge.net/">LDAP Account Manager</ulink> (LAM), as well as the
<ulink url="http://www.webmin.com">Webmin</ulink>-based Idealx
<ulink url="http://webmin.idealx.org/index.en.html">CGI tools.</ulink>
</para>
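Review bot: the trailing period in `<ulink url="http://webmin.idealx.org/index.en.html">CGI tools.</ulink>` ends up inside the rendered link text; while these lines are being touched, move it outside the element, as `CGI tools</ulink>.` Otherwise the hunk only reflows the LAM, Webmin and Idealx `<ulink>` elements onto single lines; the URLs and wording are unchanged, so nothing else to raise here.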
@ -471,18 +471,17 @@
</para>
<note><para>
The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly lacks
security. No form of secure LDAP communications is attempted. The LDAP configuration information provided
The following prescriptive guidance is not an LDAP tutorial. The LDAP implementation expressly uses minimal
security controls. No form of secure LDAP communications is attempted. The LDAP configuration information provided
is considered to consist of the barest essentials only. You are strongly encouraged to learn more about
LDAP before attempting to deploy it in a business-critical environment.
</para></note>
<para>
Information to help you get started with OpenLDAP is available from the
<ulink url="http://www.openldap.org/pub/">
OpenLDAP Web Site.</ulink> Many people have found the book <ulink
url="http://www.booksense.com/product/info.jsp?isbn=1565924916">
LDAP System Administration,</ulink> written by Jerry Carter, quite useful.
<ulink url="http://www.openldap.org/pub/">OpenLDAP Web Site.</ulink> Many people have found the book
<ulink url="http://www.booksense.com/product/info.jsp?isbn=1565924916">LDAP System Administration,</ulink>
written by Jerry Carter, quite useful.
</para>
<para><indexterm>
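Review bot: rewording the note from "expressly lacks security" to "expressly uses minimal security controls" softens the warning, yet the very next sentence still says "No form of secure LDAP communications is attempted", so the new wording understates what the example actually configures. Suggest keeping the statement explicit, e.g. "The LDAP configuration shown here uses no transport security; no form of secure LDAP communications is attempted." Minor: the comma in `LDAP System Administration,</ulink>` sits inside the link text and should follow the closing tag. The rest of the hunk is whitespace reflow of the OpenLDAP paragraph and needs no change.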
@ -636,6 +635,66 @@
connections.
</para>
<sect3>
<title>Addition of Machines to the Domain</title>
<para>
<indexterm><primary></primary></indexterm>
<indexterm><primary></primary></indexterm>
<indexterm><primary></primary></indexterm>
<indexterm><primary></primary></indexterm>
Samba versions prior to 3.0.11 necessitated the use of a domain administrator account
that maps to the UNIX UID=0. The UNIX operating system permits only the <constant>root</constant>
user to add user and group accounts. Samba 3.0.11 introduced a new facility known as
<constant>Privilieges</constant>. This new facility introduced four new privileges that
can be assigned to users and/or groups:
</para>
<table id="ch6-privs">
<title>Current Privilege Capabilities</title>
<tgroup cols="2">
<colspec align="left"/>
<colspec align="left"/>
<thead>
<row>
<entry align="left">Privilege</entry>
<entry align="left">Description</entry>
</row>
</thead>
<tbody>
<row>
<entry><para>SeMachineAccountPrivilege</para></entry>
<entry><para>Add machines to domain</para></entry>
</row>
<row>
<entry><para>SePrintOperatorPrivilege</para></entry>
<entry><para>Manage printers</para></entry>
</row>
<row>
<entry><para>SeAddUsersPrivilege</para></entry>
<entry><para>Add users and groups to the domain</para></entry>
</row>
<row>
<entry><para>SeRemoteShutdownPrivilege</para></entry>
<entry><para>Force shutdown from a remote system</para></entry>
</row>
<row>
<entry><para>SeDiskOperatorPrivilege</para></entry>
<entry><para>Manage disk share</para></entry>
</row>
</tbody>
</tgroup>
</table>
<para>
In this network example use will be made of one of the supported privileges purely to demonstrate
how any user can now be given the ability to add machines to the domain using a normal user account
that has been given the appropriate privileges.
</para>
</sect3>
<sect3>
<title>Roaming Profile Background</title>
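Review bot: the new paragraph says the facility "introduced four new privileges", but the `ch6-privs` table that follows lists five (SeMachineAccountPrivilege, SePrintOperatorPrivilege, SeAddUsersPrivilege, SeRemoteShutdownPrivilege, SeDiskOperatorPrivilege); either correct the count or say "the following privileges". The four `<indexterm><primary></primary></indexterm>` elements have empty `<primary>` content and will produce blank index entries; fill them in (the privilege names this section introduces are the obvious candidates) or drop them. `<constant>Privilieges</constant>` is misspelled; it should read `Privileges`. Finally, the description "Manage disk share" should be the plural "Manage disk shares", matching the wording of the `<screen>` listing this same commit removes from the HOWTO.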
@ -3181,6 +3240,97 @@ structuralObjectClass: organizationalUnit
</sect2>
<sect2>
<title>Assigning Domain Privileges</title>
<para>
The ability to perform tasks such as joining Windows clients to the domain can be assigned to
normal user accounts. By default, only the domain administrator account (<constant>root</constant> on UNIX
systems because it has UID=0) can add accounts. New to Samba 3.0.11 is the ability to grant
this privilege in a very limited fashion to particular accounts.
</para>
<para>
By default, even Samba 3.0.11 does not grant any rights even to the <constant>Domain Admins</constant>
group. Here we will grant this group all privileges.
</para>
<para>
Samba limits privileges on a per-server basis. This is a deliberate limitation so that users who
are granted rights can be restricted to particular machines. It is left to the network administrator
to determine which rights should be provided and to whom.
</para>
<procedure>
<step><para>
Log onto the primary domain controller (PDC) as the <constant>root</constant> account.
</para></step>
<step><para>
Execute the following command to grant the <constant>Domain Admins</constant> group all
rights and privileges:
<screen>
&rootprompt; net -S MASSIVE -U root%not24get rpc rights grant \
"MEGANET2\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege \
SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
Successfully granted rights.
</screen>
Repeat this step on each domain controller in each case substituting the name of the server
(e.g.: BLDG1, BLDG2) in place of the PDC called MASSIVE.
</para></step>
<step><para>
In this step the privilege will be granted to Bob Jordan (bobj) to add Windows workstations
to the domain. Execute the following only on the PDC. It is not necessary to do this on
BDCs or on DMS machines because machine accounts are only ever added by the PDC:
<screen>
&rootprompt; net -S MASSIVE -U root%not24get rpc rights grant \
"MEGANET2\bobj" SeMachineAccountPrivilege
Successfully granted rights.
</screen>
</para></step>
<step><para>
Verify that the assignment of privileges have been correctly applied by executing:
<screen>
net rpc rights list accounts -Uroot%not24get
MEGANET2\bobj
SeMachineAccountPrivilege
S-0-0
No privileges assigned
BUILTIN\Print Operators
No privileges assigned
BUILTIN\Account Operators
No privileges assigned
BUILTIN\Backup Operators
No privileges assigned
BUILTIN\Server Operators
No privileges assigned
BUILTIN\Administrators
No privileges assigned
Everyone
No privileges assigned
MEGANET2\Domain Admins
SeMachineAccountPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeRemoteShutdownPrivilege
SeDiskOperatorPrivilege
</screen>
</para></step>
</procedure>
</sect2>
</sect1>
<sect1>
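Review bot: the `net -S MASSIVE -U root%not24get rpc rights grant ...` invocations in steps 2 and 3 pass the root password on the command line, where it lands in the shell history and is visible to other local users in the process list for as long as the command runs; since step 1 already has the reader logged on to the PDC as root, `-U root` with `net` prompting for the password is the safer form to document, or at least say the inline password is shown only for the worked example. Two consistency points in step 4: "the assignment of privileges have been correctly applied" should read "has been correctly applied", and the verification command `net rpc rights list accounts -Uroot%not24get` drops both the `&rootprompt;` prefix and the `-S MASSIVE` target that the two grant commands use, so the three `<screen>` blocks should be brought into line.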
@ -74,18 +74,46 @@ must be defined in the <smbconfsection>global</smbconfsection> section of the &s
</para>
<para>
Currently, the following rights are supported in Samba 3:
<screen>
SeAddUsersPrivilege Add users and groups to the domain
SeDiskOperatorPrivilege Manage disk shares
SeMachineAccountPrivilege Add machines to domain
SePrintOperatorPrivilege Manage printers
SeRemoteShutdownPrivilege Force shutdown from a remote system
</screen>
The remainder of this chapter explains how to manage and use
these privileges on Samba servers.
Currently, the rights supported in Samba 3 are listed in <link linkend="rp-privs"/>.
The remainder of this chapter explains how to manage and use these privileges on Samba servers.
</para>
<table id="rp-privs">
<title>Current Privilege Capabilities</title>
<tgroup cols="2">
<colspec align="right"/>
<colspec align="left"/>
<thead>
<row>
<entry align="center">Privilege</entry>
<entry align="center">Description</entry>
</row>
</thead>
<tbody>
<row>
<entry><para>SeMachineAccountPrivilege</para></entry>
<entry><para>Add machines to domain</para></entry>
</row>
<row>
<entry><para>SePrintOperatorPrivilege</para></entry>
<entry><para>Manage printers</para></entry>
</row>
<row>
<entry><para>SeAddUsersPrivilege</para></entry>
<entry><para>Add users and groups to the domain</para></entry>
</row>
<row>
<entry><para>SeRemoteShutdownPrivilege</para></entry>
<entry><para>Force shutdown from a remote system</para></entry>
</row>
<row>
<entry><para>SeDiskOperatorPrivilege</para></entry>
<entry><para>Manage disk share</para></entry>
</row>
</tbody>
</tgroup>
</table>
<sect2>
<title>Using the <quote>net rpc rights</quote> Utility</title>
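Review bot: the new `rp-privs` table changes the SeDiskOperatorPrivilege description from "Manage disk shares" (the wording of the `<screen>` listing this hunk removes) to "Manage disk share"; keep the plural. The first `<colspec align="right"/>` right-aligns the privilege names under an `align="center"` header, which renders ragged and differs from the otherwise identical `ch6-privs` table added to chapter 6 in this same commit, where both columns are `align="left"`; make the two tables match. Since the table now exists verbatim in both the HOWTO and chapter 6 (and the two already disagree on "disk share"), consider defining it once as an entity and referencing it from both places so they cannot drift further.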