mirror of
https://github.com/samba-team/samba.git
synced 2025-01-14 19:24:43 +03:00
8f8a9f0190
(This used to be commit 9f672c26d63955f613088489c6efbdc08b5b2d14)
601 lines
29 KiB
XML
601 lines
29 KiB
XML
<?xml version="1.0" encoding="iso-8859-1"?>
|
|
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
|
|
<chapter id="rights">
|
|
<chapterinfo>
|
|
&author.jerry;
|
|
&author.jht;
|
|
</chapterinfo>
|
|
|
|
<title>User Rights and Privileges</title>
|
|
|
|
<para>
|
|
<indexterm><primary>Windows user</primary></indexterm>
|
|
<indexterm><primary>Windows group</primary></indexterm>
|
|
<indexterm><primary>machine accounts</primary></indexterm>
|
|
<indexterm><primary>ADS</primary></indexterm>
|
|
The administration of Windows user, group, and machine accounts in the Samba
|
|
domain-controlled network necessitates interfacing between the MS Windows
|
|
networking environment and the UNIX operating system environment. The right
|
|
(permission) to add machines to the Windows security domain can be assigned
|
|
(set) to non-administrative users both in Windows NT4 domains and
|
|
Active Directory domains.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>Windows NT4/2kX/XPPro</primary></indexterm>
|
|
<indexterm><primary>machine account</primary></indexterm>
|
|
<indexterm><primary>trusted</primary></indexterm>
|
|
<indexterm><primary>user logons</primary></indexterm>
|
|
The addition of Windows NT4/2kX/XPPro machines to the domain necessitates the
|
|
creation of a machine account for each machine added. The machine account is
|
|
a necessity that is used to validate that the machine can be trusted to permit
|
|
user logons.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>user accounts</primary></indexterm>
|
|
<indexterm><primary>special account</primary></indexterm>
|
|
<indexterm><primary>account name</primary></indexterm>
|
|
<indexterm><primary>/bin/false</primary></indexterm>
|
|
<indexterm><primary>/dev/null</primary></indexterm>
|
|
<indexterm><primary>man-in-the-middle</primary></indexterm>
|
|
Machine accounts are analogous to user accounts, and thus in implementing them on a UNIX machine that is
|
|
hosting Samba (i.e., on which Samba is running), it is necessary to create a special type of user account.
|
|
Machine accounts differ from normal user accounts in that the account name (login ID) is terminated with a
|
|
<literal>$</literal> sign. An additional difference is that this type of account should not ever be able to
|
|
log into the UNIX environment as a system user and therefore is set to have a shell of
|
|
<command>/bin/false</command> and a home directory of <command>/dev/null.</command> The machine
|
|
account is used only to authenticate domain member machines during start-up. This security measure
|
|
is designed to block man-in-the-middle attempts to violate network integrity.
|
|
</para>
|
|
|
|
<note><para>
|
|
<indexterm><primary>computer accounts</primary></indexterm>
|
|
<indexterm><primary>domain member servers</primary></indexterm>
|
|
<indexterm><primary>domain controller</primary></indexterm>
|
|
<indexterm><primary>credentials</primary></indexterm>
|
|
<indexterm><primary>secure authentication</primary></indexterm>
|
|
Machine (computer) accounts are used in the Windows NT OS family to store security
|
|
credentials for domain member servers and workstations. When the domain member
|
|
starts up, it goes through a validation process that includes an exchange of
|
|
credentials with a domain controller. If the domain member fails to authenticate
|
|
using the credentials known for it by domain controllers, the machine will be refused
|
|
all access by domain users. The computer account is essential to the way that MS
|
|
Windows secures authentication.
|
|
</para></note>
|
|
|
|
<para>
|
|
<indexterm><primary>UNIX system accounts</primary></indexterm>
|
|
<indexterm><primary>system administrator</primary></indexterm>
|
|
<indexterm><primary>root</primary></indexterm>
|
|
<indexterm><primary>UID</primary></indexterm>
|
|
The creation of UNIX system accounts has traditionally been the sole right of
|
|
the system administrator, better known as the <constant>root</constant> account.
|
|
It is possible in the UNIX environment to create multiple users who have the
|
|
same UID. Any UNIX user who has a UID=0 is inherently the same as the
|
|
<constant>root</constant> account user.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>system interface scripts</primary></indexterm>
|
|
<indexterm><primary>CIFS function calls</primary></indexterm>
|
|
<indexterm><primary>root account</primary></indexterm>
|
|
<indexterm><primary>UNIX host system</primary></indexterm>
|
|
All versions of Samba call system interface scripts that permit CIFS function
|
|
calls that are used to manage users, groups, and machine accounts
|
|
in the UNIX environment. All versions of Samba up to and including version 3.0.10
|
|
required the use of a Windows administrator account that unambiguously maps to
|
|
the UNIX <constant>root</constant> account to permit the execution of these
|
|
interface scripts. The requirement to do this has understandably met with some
|
|
disdain and consternation among Samba administrators, particularly where it became
|
|
necessary to permit people who should not possess <constant>root</constant>-level
|
|
access to the UNIX host system.
|
|
</para>
|
|
|
|
<sect1>
|
|
<title>Rights Management Capabilities</title>
|
|
|
|
<para>
|
|
<indexterm><primary>Windows privilege model</primary></indexterm>
|
|
<indexterm><primary>privilege model</primary></indexterm>
|
|
<indexterm><primary>rights assigned</primary></indexterm>
|
|
<indexterm><primary>SID</primary></indexterm>
|
|
Samba 3.0.11 introduced support for the Windows privilege model. This model
|
|
allows certain rights to be assigned to a user or group SID. In order to enable
|
|
this feature, <smbconfoption name="enable privileges">yes</smbconfoption>
|
|
must be defined in the <smbconfsection name="global"/> section of the &smb.conf; file.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>rights</primary></indexterm>
|
|
<indexterm><primary>privileges</primary></indexterm>
|
|
<indexterm><primary>manage privileges</primary></indexterm>
|
|
Currently, the rights supported in Samba-3 are listed in <link linkend="rp-privs"/>.
|
|
The remainder of this chapter explains how to manage and use these privileges on Samba servers.
|
|
</para>
|
|
|
|
<indexterm><primary>SeMachineAccountPrivilege</primary></indexterm>
|
|
<indexterm><primary>SePrintOperatorPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeAddUsersPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeRemoteShutdownPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeDiskOperatorPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeTakeOwnershipPrivilege</primary></indexterm>
|
|
<table id="rp-privs">
|
|
<title>Current Privilege Capabilities</title>
|
|
<tgroup cols="2">
|
|
<colspec align="right"/>
|
|
<colspec align="left"/>
|
|
<thead>
|
|
<row>
|
|
<entry align="left">Privilege</entry>
|
|
<entry align="left">Description</entry>
|
|
</row>
|
|
</thead>
|
|
<tbody>
|
|
<row>
|
|
<entry><para>SeMachineAccountPrivilege</para></entry>
|
|
<entry><para>Add machines to domain</para></entry>
|
|
</row>
|
|
<row>
|
|
<entry><para>SePrintOperatorPrivilege</para></entry>
|
|
<entry><para>Manage printers</para></entry>
|
|
</row>
|
|
<row>
|
|
<entry><para>SeAddUsersPrivilege</para></entry>
|
|
<entry><para>Add users and groups to the domain</para></entry>
|
|
</row>
|
|
<row>
|
|
<entry><para>SeRemoteShutdownPrivilege</para></entry>
|
|
<entry><para>Force shutdown from a remote system</para></entry>
|
|
</row>
|
|
<row>
|
|
<entry><para>SeDiskOperatorPrivilege</para></entry>
|
|
<entry><para>Manage disk share</para></entry>
|
|
</row>
|
|
<!-- These are not used at this time - so void them from the docs.
|
|
<row>
|
|
<entry><para>SeBackupPrivilege</para></entry>
|
|
<entry><para>Back up files and directories</para></entry>
|
|
</row>
|
|
<row>
|
|
<entry><para>SeRestorePrivilege</para></entry>
|
|
<entry><para>Restore files and directories</para></entry>
|
|
</row>
|
|
**** End of commented out section **** -->
|
|
<row>
|
|
<entry><para>SeTakeOwnershipPrivilege</para></entry>
|
|
<entry><para>Take ownership of files or other objects</para></entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
|
|
<sect2>
|
|
<title>Using the <quote>net rpc rights</quote> Utility</title>
|
|
|
|
<para>
|
|
<indexterm><primary>managing rights</primary></indexterm>
|
|
<indexterm><primary>rights assigned</primary></indexterm>
|
|
<indexterm><primary>NT4 User Manager for Domains</primary></indexterm>
|
|
<indexterm><primary>command-line utility</primary></indexterm>
|
|
<indexterm><primary>administrative actions</primary></indexterm>
|
|
There are two primary means of managing the rights assigned to users and groups
|
|
on a Samba server. The <command>NT4 User Manager for Domains</command> may be
|
|
used from any Windows NT4, 2000, or XP Professional domain member client to
|
|
connect to a Samba domain controller and view/modify the rights assignments.
|
|
This application, however, appears to have bugs when run on a client running
|
|
Windows 2000 or later; therefore, Samba provides a command-line utility for
|
|
performing the necessary administrative actions.
|
|
</para>
|
|
|
|
<para>
|
|
The <command>net rpc rights</command> utility in Samba 3.0.11 has three new subcommands:
|
|
</para>
|
|
|
|
<variablelist>
|
|
<varlistentry><term>list [name|accounts]</term>
|
|
<listitem><para>
|
|
<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>list</tertiary></indexterm>
|
|
<indexterm><primary>available rights</primary></indexterm>
|
|
<indexterm><primary>privileges assigned</primary></indexterm>
|
|
<indexterm><primary>privileged accounts</primary></indexterm>
|
|
When called with no arguments, <command>net rpc list</command>
|
|
simply lists the available rights on the server. When passed
|
|
a specific user or group name, the tool lists the privileges
|
|
currently assigned to the specified account. When invoked using
|
|
the special string <constant>accounts</constant>,
|
|
<command>net rpc rights list</command> returns a list of all
|
|
privileged accounts on the server and the assigned rights.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry><term>grant <user> <right [right ...]></term>
|
|
<listitem><para>
|
|
<indexterm><primary>assign rights</primary></indexterm>
|
|
<indexterm><primary>grant rights</primary></indexterm>
|
|
<indexterm><primary>add client machines</primary></indexterm>
|
|
<indexterm><primary>user or group</primary></indexterm>
|
|
When called with no arguments, this function is used to assign
|
|
a list of rights to a specified user or group. For example,
|
|
to grant the members of the Domain Admins group on a Samba domain controller,
|
|
the capability to add client machines to the domain, one would run:
|
|
<screen>
|
|
&rootprompt; net -S server -U domadmin rpc rights grant \
|
|
'DOMAIN\Domain Admins' SeMachineAccountPrivilege
|
|
</screen>
|
|
The following syntax has the same result:
|
|
<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>rights grant</tertiary></indexterm>
|
|
<screen>
|
|
&rootprompt; net rpc rights grant 'DOMAIN\Domain Admins' \
|
|
SeMachineAccountPrivilege -S server -U domadmin
|
|
</screen>
|
|
More than one privilege can be assigned by specifying a
|
|
list of rights separated by spaces. The parameter 'Domain\Domain Admins'
|
|
must be quoted with single ticks or using double-quotes to prevent
|
|
the backslash and the space from being interpreted by the system shell.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry><term>revoke <user> <right [right ...]></term>
|
|
<listitem><para>
|
|
This command is similar in format to <command>net rpc rights grant</command>. Its
|
|
effect is to remove an assigned right (or list of rights) from a user or group.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
|
|
<note><para>
|
|
<indexterm><primary>member</primary></indexterm>
|
|
<indexterm><primary>Domain Admins</primary></indexterm>
|
|
<indexterm><primary>revoke privileges</primary></indexterm>
|
|
You must be connected as a member of the Domain Admins group to be able to grant or revoke privileges assigned
|
|
to an account. This capability is inherent to the Domain Admins group and is not configurable. There are no
|
|
default rights and privileges, except the ability for a member of the Domain Admins group to assign them.
|
|
This means that all administrative rights and privileges (other than the ability to assign them) must be
|
|
explicitly assigned, even for the Domain Admins group.
|
|
</para></note>
|
|
|
|
<para>
|
|
<indexterm><primary>performed as root</primary></indexterm>
|
|
<indexterm><primary>necessary rights</primary></indexterm>
|
|
<indexterm><primary>add machine script</primary></indexterm>
|
|
<indexterm><primary></primary></indexterm>
|
|
By default, no privileges are initially assigned to any account because certain actions will be performed as
|
|
root once smbd determines that a user has the necessary rights. For example, when joining a client to a
|
|
Windows domain, <parameter>add machine script</parameter> must be executed with superuser rights in most
|
|
cases. For this reason, you should be very careful about handing out privileges to accounts.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>Access</primary></indexterm>
|
|
<indexterm><primary>root user</primary></indexterm>
|
|
<indexterm><primary>bypasses privilege</primary></indexterm>
|
|
Access as the root user (UID=0) bypasses all privilege checks.
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
<sect2>
|
|
<title>Description of Privileges</title>
|
|
|
|
<para>
|
|
<indexterm><primary>privileges</primary></indexterm>
|
|
<indexterm><primary>additional privileges</primary></indexterm>
|
|
<indexterm><primary>house-keeping</primary></indexterm>
|
|
The privileges that have been implemented in Samba-3.0.11 are shown below. It is possible, and likely, that
|
|
additional privileges may be implemented in later releases of Samba. It is also likely that any privileges
|
|
currently implemented but not used may be removed from future releases as a housekeeping matter, so it is
|
|
important that the successful as well as unsuccessful use of these facilities should be reported on the Samba
|
|
mailing lists.
|
|
</para>
|
|
|
|
<variablelist>
|
|
<varlistentry><term>SeAddUsersPrivilege</term>
|
|
<listitem><para>
|
|
<indexterm><primary>SeAddUsersPrivilege</primary></indexterm>
|
|
<indexterm><primary>smbd</primary></indexterm>
|
|
<indexterm><primary>net rpc user add</primary></indexterm>
|
|
This right determines whether or not smbd will allow the
|
|
user to create new user or group accounts via such tools
|
|
as <command>net rpc user add</command> or
|
|
<command>NT4 User Manager for Domains.</command>
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry><term>SeDiskOperatorPrivilege</term>
|
|
<listitem><para>
|
|
<indexterm><primary>SeDiskOperatorPrivilege</primary></indexterm>
|
|
<indexterm><primary>add/delete/change share</primary></indexterm>
|
|
<indexterm><primary>ACL</primary></indexterm>
|
|
Accounts that possess this right will be able to execute
|
|
scripts defined by the <command>add/delete/change</command>
|
|
share command in &smb.conf; file as root. Such users will
|
|
also be able to modify the ACL associated with file shares
|
|
on the Samba server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry><term>SeMachineAccountPrivilege</term>
|
|
<listitem><para>
|
|
<indexterm><primary>SeMachineAccountPrivilege</primary></indexterm>
|
|
<indexterm><primary>right to join domain</primary></indexterm>
|
|
<indexterm><primary>join client</primary></indexterm>
|
|
This right controls whether or not the user can join client
|
|
machines to a Samba-controlled domain.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry><term>SePrintOperatorPrivilege</term>
|
|
<listitem><para>
|
|
<indexterm><primary>SePrintOperatorPrivilege</primary></indexterm>
|
|
<indexterm><primary>privilege</primary></indexterm>
|
|
<indexterm><primary>global right</primary></indexterm>
|
|
<indexterm><primary>administrative rights</primary></indexterm>
|
|
<indexterm><primary>printers admin</primary></indexterm>
|
|
This privilege operates identically to the <smbconfoption name="printer admin"/>
|
|
option in the &smb.conf; file (see section 5 man page for &smb.conf;)
|
|
except that it is a global right (not on a per-printer basis).
|
|
Eventually the smb.conf option will be deprecated and administrative
|
|
rights to printers will be controlled exclusively by this right and
|
|
the security descriptor associated with the printer object in the
|
|
<filename>ntprinters.tdb</filename> file.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry><term>SeRemoteShutdownPrivilege</term>
|
|
<listitem><para>
|
|
<indexterm><primary>SeRemoteShutdownPrivilege</primary></indexterm>
|
|
<indexterm><primary>rebooting server</primary></indexterm>
|
|
<indexterm><primary>aborting shutdown</primary></indexterm>
|
|
Samba provides two hooks for shutting down or rebooting
|
|
the server and for aborting a previously issued shutdown
|
|
command. Since this is an operation normally limited by
|
|
the operating system to the root user, an account must possess this
|
|
right to be able to execute either of these hooks.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry><term>SeTakeOwnershipPrivilege</term>
|
|
<listitem><para>
|
|
<indexterm><primary>SeTakeOwnershipPrivilege</primary></indexterm>
|
|
<indexterm><primary>take ownership</primary></indexterm>
|
|
This right permits users to take ownership of files and directories.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
|
|
</sect2>
|
|
|
|
<sect2>
|
|
<title>Privileges Suppored by Windows 2000 Domain Controllers</title>
|
|
|
|
<para>
|
|
For reference purposes, a Windows NT4 Primary Domain Controller reports support for the following
|
|
privileges:
|
|
<indexterm><primary>SeCreateTokenPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeAssignPrimaryTokenPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeLockMemoryPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeIncreaseQuotaPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeMachineAccountPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeTcbPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeSecurityPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeTakeOwnershipPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeLoadDriverPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeSystemProfilePrivilege</primary></indexterm>
|
|
<indexterm><primary>SeSystemtimePrivilege</primary></indexterm>
|
|
<indexterm><primary>SeProfileSingleProcessPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeIncreaseBasePriorityPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeCreatePagefilePrivilege</primary></indexterm>
|
|
<indexterm><primary>SeCreatePermanentPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeBackupPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeRestorePrivilege</primary></indexterm>
|
|
<indexterm><primary>SeShutdownPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeDebugPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeAuditPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeSystemEnvironmentPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeChangeNotifyPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeRemoteShutdownPrivilege</primary></indexterm>
|
|
<screen>
|
|
SeCreateTokenPrivilege Create a token object
|
|
SeAssignPrimaryTokenPrivilege Replace a process level token
|
|
SeLockMemoryPrivilege Lock pages in memory
|
|
SeIncreaseQuotaPrivilege Increase quotas
|
|
SeMachineAccountPrivilege Add workstations to domain
|
|
SeTcbPrivilege Act as part of the operating system
|
|
SeSecurityPrivilege Manage auditing and security log
|
|
SeTakeOwnershipPrivilege Take ownership of files or other objects
|
|
SeLoadDriverPrivilege Load and unload device drivers
|
|
SeSystemProfilePrivilege Profile system performance
|
|
SeSystemtimePrivilege Change the system time
|
|
SeProfileSingleProcessPrivilege Profile single process
|
|
SeIncreaseBasePriorityPrivilege Increase scheduling priority
|
|
SeCreatePagefilePrivilege Create a pagefile
|
|
SeCreatePermanentPrivilege Create permanent shared objects
|
|
SeBackupPrivilege Back up files and directories
|
|
SeRestorePrivilege Restore files and directories
|
|
SeShutdownPrivilege Shut down the system
|
|
SeDebugPrivilege Debug programs
|
|
SeAuditPrivilege Generate security audits
|
|
SeSystemEnvironmentPrivilege Modify firmware environment values
|
|
SeChangeNotifyPrivilege Bypass traverse checking
|
|
SeRemoteShutdownPrivilege Force shutdown from a remote system
|
|
</screen>
|
|
And Windows 200x/XP Domain Controllers and workstations reports to support the following privileges:
|
|
<indexterm><primary>SeCreateTokenPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeAssignPrimaryTokenPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeLockMemoryPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeIncreaseQuotaPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeMachineAccountPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeTcbPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeSecurityPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeTakeOwnershipPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeLoadDriverPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeSystemProfilePrivilege</primary></indexterm>
|
|
<indexterm><primary>SeSystemtimePrivilege</primary></indexterm>
|
|
<indexterm><primary>SeProfileSingleProcessPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeIncreaseBasePriorityPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeCreatePagefilePrivilege</primary></indexterm>
|
|
<indexterm><primary>SeCreatePermanentPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeBackupPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeRestorePrivilege</primary></indexterm>
|
|
<indexterm><primary>SeShutdownPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeDebugPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeAuditPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeSystemEnvironmentPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeChangeNotifyPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeRemoteShutdownPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeUndockPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeSyncAgentPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeEnableDelegationPrivilege</primary></indexterm>
|
|
<indexterm><primary>SeManageVolumePrivilege</primary></indexterm>
|
|
<indexterm><primary>SeImpersonatePrivilege</primary></indexterm>
|
|
<indexterm><primary>SeCreateGlobalPrivilege</primary></indexterm>
|
|
<screen>
|
|
SeCreateTokenPrivilege Create a token object
|
|
SeAssignPrimaryTokenPrivilege Replace a process level token
|
|
SeLockMemoryPrivilege Lock pages in memory
|
|
SeIncreaseQuotaPrivilege Increase quotas
|
|
SeMachineAccountPrivilege Add workstations to domain
|
|
SeTcbPrivilege Act as part of the operating system
|
|
SeSecurityPrivilege Manage auditing and security log
|
|
SeTakeOwnershipPrivilege Take ownership of files or other objects
|
|
SeLoadDriverPrivilege Load and unload device drivers
|
|
SeSystemProfilePrivilege Profile system performance
|
|
SeSystemtimePrivilege Change the system time
|
|
SeProfileSingleProcessPrivilege Profile single process
|
|
SeIncreaseBasePriorityPrivilege Increase scheduling priority
|
|
SeCreatePagefilePrivilege Create a pagefile
|
|
SeCreatePermanentPrivilege Create permanent shared objects
|
|
SeBackupPrivilege Back up files and directories
|
|
SeRestorePrivilege Restore files and directories
|
|
SeShutdownPrivilege Shut down the system
|
|
SeDebugPrivilege Debug programs
|
|
SeAuditPrivilege Generate security audits
|
|
SeSystemEnvironmentPrivilege Modify firmware environment values
|
|
SeChangeNotifyPrivilege Bypass traverse checking
|
|
SeRemoteShutdownPrivilege Force shutdown from a remote system
|
|
SeUndockPrivilege Remove computer from docking station
|
|
SeSyncAgentPrivilege Synchronize directory service data
|
|
SeEnableDelegationPrivilege Enable computer and user accounts to
|
|
be trusted for delegation
|
|
SeManageVolumePrivilege Perform volume maintenance tasks
|
|
SeImpersonatePrivilege Impersonate a client after authentication
|
|
SeCreateGlobalPrivilege Create global objects
|
|
</screen>
|
|
<indexterm><primary>equivalence</primary></indexterm>
|
|
The Samba Team is implementing only those privileges that are logical and useful in the UNIX/Linux
|
|
environment. Many of the Windows 200X/XP privileges have no direct equivalence in UNIX.
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
</sect1>
|
|
|
|
<sect1>
|
|
<title>The Administrator Domain SID</title>
|
|
|
|
<para>
|
|
<indexterm><primary>domain Administrator</primary></indexterm>
|
|
<indexterm><primary>User Rights and Privileges</primary></indexterm>
|
|
<indexterm><primary>passdb backend</primary></indexterm>
|
|
<indexterm><primary>SID</primary></indexterm>
|
|
<indexterm><primary>net getlocalsid</primary></indexterm>
|
|
Please note that every Windows NT4 and later server requires a domain Administrator account. Samba versions
|
|
commencing with 3.0.11 permit Administrative duties to be performed via assigned rights and privileges
|
|
(see <link linkend="rights">User Rights and Privileges</link>). An account in the server's passdb backend can
|
|
be set to the well-known RID of the default administrator account. To obtain the domain SID on a Samba domain
|
|
controller, run the following command:
|
|
<screen>
|
|
&rootprompt; net getlocalsid
|
|
SID for domain FOO is: S-1-5-21-4294955119-3368514841-2087710299
|
|
</screen>
|
|
<indexterm><primary>RID</primary></indexterm>
|
|
You may assign the domain administrator RID to an account using the <command>pdbedit</command>
|
|
command as shown here:
|
|
<indexterm><primary>pdbedit</primary></indexterm>
|
|
<screen>
|
|
&rootprompt; pdbedit -U S-1-5-21-4294955119-3368514841-2087710299-500 -u root -r
|
|
</screen>
|
|
</para>
|
|
|
|
<note><para>
|
|
<indexterm><primary>RID 500</primary></indexterm>
|
|
<indexterm><primary>well known RID</primary></indexterm>
|
|
<indexterm><primary>rights and privileges</primary></indexterm>
|
|
<indexterm><primary>root account</primary></indexterm>
|
|
The RID 500 is the well known standard value of the default Administrator account. It is the RID
|
|
that confers the rights and privileges that the Administrator account has on a Windows machine
|
|
or domain. Under UNIX/Linux the equivalent is UID=0 (the root account).
|
|
</para></note>
|
|
|
|
<para>
|
|
<indexterm><primary>without Administrator account</primary></indexterm>
|
|
<indexterm><primary>equivalent rights and privileges</primary></indexterm>
|
|
<indexterm><primary>Windows group account</primary></indexterm>
|
|
<indexterm><primary>3.0.11</primary></indexterm>
|
|
Releases of Samba version 3.0.11 and later make it possible to operate without an Administrator account
|
|
provided equivalent rights and privileges have been established for a Windows user or a Windows
|
|
group account.
|
|
</para>
|
|
|
|
</sect1>
|
|
|
|
<sect1>
|
|
<title>Common Errors</title>
|
|
|
|
<sect2>
|
|
<title>What Rights and Privileges Will Permit Windows Client Administration?</title>
|
|
|
|
<para>
|
|
<indexterm><primary>domain global</primary></indexterm>
|
|
<indexterm><primary>local group</primary></indexterm>
|
|
<indexterm><primary>administrative rights</primary></indexterm>
|
|
<indexterm><primary>Windows client</primary></indexterm>
|
|
When a Windows NT4 (or later) client joins a domain, the domain global <literal>Domain Admins</literal> group
|
|
is added to the membership of the local <literal>Administrators</literal> group on the client. Any user who is
|
|
a member of the domain global <literal>Domain Admins</literal> group will have administrative rights on the
|
|
Windows client.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>desirable solution</primary></indexterm>
|
|
<indexterm><primary>administrative rights and privileges</primary></indexterm>
|
|
<indexterm><primary>Power Users</primary></indexterm>
|
|
<indexterm><primary>domain global user</primary></indexterm>
|
|
<indexterm><primary>domain global group</primary></indexterm>
|
|
This is often not the most desirable solution because it means that the user will have administrative
|
|
rights and privileges on domain servers also. The <literal>Power Users</literal> group on Windows client
|
|
workstations permits local administration of the workstation alone. Any domain global user or domain global
|
|
group can be added to the membership of the local workstation group <literal>Power Users</literal>.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>Nested Group Support</primary></indexterm>
|
|
<indexterm><primary>add domain users and groups to a local group</primary></indexterm>
|
|
<indexterm><primary>net</primary></indexterm>
|
|
<indexterm><primary>Windows workstation.</primary></indexterm>
|
|
See <link linkend="nestedgrpmgmgt">Nested Group Support</link> for an example of how to add domain users
|
|
and groups to a local group that is on a Windows workstation. The use of the <command>net</command>
|
|
command permits this to be done from the Samba server.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>cmd</primary></indexterm>
|
|
<indexterm><primary>cmd shell</primary></indexterm>
|
|
<indexterm><primary>net</primary><secondary>localgroup</secondary></indexterm>
|
|
Another way this can be done is to log onto the Windows workstation as the user
|
|
<literal>Administrator</literal>, then open a <command>cmd</command> shell, then execute:
|
|
<screen>
|
|
&dosprompt; net localgroup administrators /add <userinput>domain_name\entity</userinput>
|
|
</screen>
|
|
where <literal>entity</literal> is either a domain user or a domain group account name.
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
</sect1>
|
|
|
|
</chapter>
|