##
## Samba-Rights-HOWTO
## Gerald (Jerry) Carter
##

Introduction
============

Samba 3.0.11pre2 introduces support for the Windows privilege model.
This model allows certain rights to be assigned to a user or group SID.
In order to enable this feature, 'enable privileges = yes' must be
defined in the [global] section of the server's smb.conf.

Currently, the following rights are supported in Samba 3:

  SeAddUsersPrivilege          Add users and groups to the domain
  SeDiskOperatorPrivilege      Manage disk shares
  SeMachineAccountPrivilege    Add machines to domain
  SePrintOperatorPrivilege     Manage printers
  SeRemoteShutdownPrivilege    Force shutdown from a remote system

The remainder of this HOWTO explains how to manage and use these
privileges on Samba servers.

net rpc rights
==============

There are two primary means of managing the rights assigned to users
and groups on a Samba server. The 'User Manager for Domains' may be
used from a Windows NT 4.0 client to connect to a Samba domain
controller and view/modify the rights assignments. However, this
application appears to have bugs when run on a client running Windows
2000 or later. Therefore, Samba provides a command line utility for
performing the necessary administrative actions.

The 'net rpc rights' command in Samba 3.0.11 has 3 subcommands:

  * list [name|accounts] - When called with no arguments, 'net rpc
    rights list' will simply list the available rights on the server.
    When passed a specific user or group name, the tool lists the
    privileges currently assigned to the specified account. When
    invoked using the special string 'accounts', 'net rpc rights list'
    will return a list of all privileged accounts on the server and
    the assigned rights.

  * grant - This function is used to assign a list of rights to a
    specified user or group. For example, to grant the members of the
    Domain Admins group on a Samba DC the capability to add client
    machines to the domain, one would run

      $ net -S server -U domadmin rpc rights grant \
          'DOMAIN\Domain Admins' SeMachineAccountPrivilege

    More than one privilege can be assigned by specifying a list of
    rights separated by spaces.

  * revoke - This command is similar in format to 'net rpc rights
    grant'. Its effect is to remove an assigned right (or list of
    rights) from a user or group.

Note that you must be connected as a member of the Domain Admins group
to be able to grant or revoke privileges assigned to an account. This
capability is inherent to the Domain Admins group and is not
configurable.

By default, no privileges are initially assigned to any account. The
reason for this is that certain actions will be performed as root once
smbd determines that a user has the necessary rights. For example,
when joining a client to a Windows domain, the 'add machine script'
must be executed with superuser rights in most cases. For this reason,
you should be very careful about handing out privileges to accounts.
Access as the root user (uid == 0) bypasses all privilege checks.

Description of Privileges
=========================

SeAddUsersPrivilege

  This right determines whether or not smbd will allow the user to
  create new user or group accounts via such tools as 'net rpc user
  add' or 'User Manager for Domains'.

SeDiskOperatorPrivilege

  Accounts which possess this right will be able to execute scripts
  defined by the 'add/delete/change share command' in smb.conf as
  root. Such users will also be able to modify the ACL associated
  with file shares on the Samba server.

SeMachineAccountPrivilege

  Controls whether or not the user is able to join client machines to
  a Samba controlled domain.

SePrintOperatorPrivilege

  This privilege operates identically to the 'printer admin' option
  in smb.conf(5) except that it is a global right (not on a per
  printer basis). Eventually the smb.conf option will be deprecated
  and administrative rights to printers will be controlled
  exclusively by this right and the security descriptor associated
  with the printer object in ntprinters.tdb.

SeRemoteShutdownPrivilege

  Samba provides two hooks for shutting down or rebooting the server
  and for aborting a previously issued shutdown command. Since this
  is an operation normally limited by the OS to the root user, an
  account must possess this right to be able to execute either of
  these hooks to any effect.

##
## end of Samba-Rights-HOWTO
##
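As an added example (not part of the HOWTO or of Samba itself), the POSIX shell audit below reads the output of 'net rpc rights list accounts' and reports every account holding one of the rights the HOWTO ties to actions smbd performs as root, which is the periodic check an administrator wants after handing out privileges. The line layout of the list output (account name, then one privilege per line, accounts separated by a blank line), the sample output and the account names are constructed assumptions, not captured from a real server.

```shell
#!/bin/sh
# Added example: audit privilege assignments reported by
#   net -S server -U domadmin rpc rights list accounts
# Assumed (constructed) output layout: account name line, then one
# privilege name per line, with a blank line between accounts.

# Rights whose holders can make smbd run root-level actions
# (share command scripts, 'add machine script', account creation).
# The exact set is the auditor's choice; this one follows the HOWTO.
ROOT_EQUIV_RIGHTS="SeAddUsersPrivilege SeDiskOperatorPrivilege SeMachineAccountPrivilege"

# Constructed sample output standing in for the real command.
SAMPLE_OUTPUT='BUILTIN\Print Operators
SePrintOperatorPrivilege

DOMAIN\Domain Admins
SeMachineAccountPrivilege
SeAddUsersPrivilege

DOMAIN\helpdesk
SeDiskOperatorPrivilege
SeRemoteShutdownPrivilege
'

# audit_rights: read list-accounts output on stdin and print
# "ACCOUNT<TAB>RIGHT" for each assignment of a root-equivalent right.
audit_rights() {
    awk -v rights="$ROOT_EQUIV_RIGHTS" '
        BEGIN { n = split(rights, r, " "); for (i = 1; i <= n; i++) flag[r[i]] = 1 }
        /^$/          { account = ""; next }   # blank line ends an account block
        account == "" { account = $0; next }   # first line of a block is the name
        ($0 in flag)  { printf "%s\t%s\n", account, $0 }
    '
}

# In production replace the sample with the live command output.
printf '%s' "$SAMPLE_OUTPUT" | audit_rights
```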