Ignore:
Timestamp:
Sep 24, 2009, 9:15:13 AM (16 years ago)
Author:
Herwig Bauernfeind
Message:

Update 3.2 to 3.2.14 (final)

File:
1 edited

Legend:

Unmodified
Added
Removed

  • branches/samba-3.2.x/docs/htmldocs/Samba3-HOWTO/rights.html

    r272 r335  
    22<a class="indexterm" name="id2608159"></a>
    33<a class="indexterm" name="id2608166"></a>
    4 <a class="indexterm" name="id2608172"></a>
    5 <a class="indexterm" name="id2608179"></a>
     4<a class="indexterm" name="id2608173"></a>
     5<a class="indexterm" name="id2608180"></a>
    66The administration of Windows user, group, and machine accounts in the Samba
    77domain-controlled network necessitates interfacing between the MS Windows
     
    2525<a class="indexterm" name="id2608252"></a>
    2626<a class="indexterm" name="id2608259"></a>
    27 <a class="indexterm" name="id2608265"></a>
     27<a class="indexterm" name="id2608266"></a>
    2828Machine accounts are analogous to user accounts, and thus in implementing them on a UNIX machine that is
    2929hosting Samba (i.e., on which Samba is running), it is necessary to create a special type of user account.
     
    4848Windows secures authentication.
    4949</p></div><p>
    50 <a class="indexterm" name="id2608361"></a>
    51 <a class="indexterm" name="id2608368"></a>
     50<a class="indexterm" name="id2608362"></a>
     51<a class="indexterm" name="id2608369"></a>
    5252<a class="indexterm" name="id2608376"></a>
    5353<a class="indexterm" name="id2608382"></a>
     
    5858<code class="constant">root</code> account user.
    5959</p><p>
    60 <a class="indexterm" name="id2608404"></a>
     60<a class="indexterm" name="id2608405"></a>
    6161<a class="indexterm" name="id2608412"></a>
    62 <a class="indexterm" name="id2608418"></a>
    63 <a class="indexterm" name="id2608425"></a>
     62<a class="indexterm" name="id2608419"></a>
     63<a class="indexterm" name="id2608426"></a>
    6464All versions of Samba call system interface scripts that permit CIFS function
    6565calls that are used to manage users, groups, and machine accounts
     
    8282</p><p>
    8383<a class="indexterm" name="id2608519"></a>
    84 <a class="indexterm" name="id2608525"></a>
     84<a class="indexterm" name="id2608526"></a>
    8585<a class="indexterm" name="id2608532"></a>
    8686Currently, the rights supported in Samba-3 are listed in <a class="link" href="rights.html#rp-privs" title="Table 15.1. Current Privilege Capabilities">&#8220;Current Privilege Capabilities&#8221;</a>.
    8787The remainder of this chapter explains how to manage and use these privileges on Samba servers.
    88 </p><a class="indexterm" name="id2608550"></a><a class="indexterm" name="id2608556"></a><a class="indexterm" name="id2608563"></a><a class="indexterm" name="id2608570"></a><a class="indexterm" name="id2608577"></a><a class="indexterm" name="id2608584"></a><div class="table"><a name="rp-privs"></a><p class="title"><b>Table 15.1. Current Privilege Capabilities</b></p><div class="table-contents"><table summary="Current Privilege Capabilities" border="1"><colgroup><col align="right"><col align="left"></colgroup><thead><tr><th align="left">Privilege</th><th align="left">Description</th></tr></thead><tbody><tr><td align="right"><p>SeMachineAccountPrivilege</p></td><td align="left"><p>Add machines to domain</p></td></tr><tr><td align="right"><p>SePrintOperatorPrivilege</p></td><td align="left"><p>Manage printers</p></td></tr><tr><td align="right"><p>SeAddUsersPrivilege</p></td><td align="left"><p>Add users and groups to the domain</p></td></tr><tr><td align="right"><p>SeRemoteShutdownPrivilege</p></td><td align="left"><p>Force shutdown from a remote system</p></td></tr><tr><td align="right"><p>SeDiskOperatorPrivilege</p></td><td align="left"><p>Manage disk share</p></td></tr><tr><td align="right"><p>SeTakeOwnershipPrivilege</p></td><td align="left"><p>Take ownership of files or other objects</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2608726"></a>Using the &#8220;<span class="quote">net rpc rights</span>&#8221; Utility</h3></div></div></div><p>
     88</p><a class="indexterm" name="id2608550"></a><a class="indexterm" name="id2608556"></a><a class="indexterm" name="id2608564"></a><a class="indexterm" name="id2608570"></a><a class="indexterm" name="id2608578"></a><a class="indexterm" name="id2608585"></a><div class="table"><a name="rp-privs"></a><p class="title"><b>Table 15.1. Current Privilege Capabilities</b></p><div class="table-contents"><table summary="Current Privilege Capabilities" border="1"><colgroup><col align="right"><col align="left"></colgroup><thead><tr><th align="left">Privilege</th><th align="left">Description</th></tr></thead><tbody><tr><td align="right"><p>SeMachineAccountPrivilege</p></td><td align="left"><p>Add machines to domain</p></td></tr><tr><td align="right"><p>SePrintOperatorPrivilege</p></td><td align="left"><p>Manage printers</p></td></tr><tr><td align="right"><p>SeAddUsersPrivilege</p></td><td align="left"><p>Add users and groups to the domain</p></td></tr><tr><td align="right"><p>SeRemoteShutdownPrivilege</p></td><td align="left"><p>Force shutdown from a remote system</p></td></tr><tr><td align="right"><p>SeDiskOperatorPrivilege</p></td><td align="left"><p>Manage disk share</p></td></tr><tr><td align="right"><p>SeTakeOwnershipPrivilege</p></td><td align="left"><p>Take ownership of files or other objects</p></td></tr></tbody></table></div></div><br class="table-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2608726"></a>Using the &#8220;<span class="quote">net rpc rights</span>&#8221; Utility</h3></div></div></div><p>
    8989<a class="indexterm" name="id2608737"></a>
    9090<a class="indexterm" name="id2608744"></a>
     
    141141                </p></dd></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
    142142<a class="indexterm" name="id2608974"></a>
    143 <a class="indexterm" name="id2608980"></a>
    144 <a class="indexterm" name="id2608987"></a>
     143<a class="indexterm" name="id2608981"></a>
     144<a class="indexterm" name="id2608988"></a>
    145145You must be connected as a member of the Domain Admins group to be able to grant or revoke privileges assigned
    146146to an account.  This capability is inherent to the Domain Admins group and is not configurable. There are no
     
    159159</p><p>
    160160<a class="indexterm" name="id2609048"></a>
    161 <a class="indexterm" name="id2609054"></a>
     161<a class="indexterm" name="id2609055"></a>
    162162<a class="indexterm" name="id2609061"></a>
    163163Access as the root user (UID=0) bypasses all privilege checks.
     
    165165<a class="indexterm" name="id2609080"></a>
    166166<a class="indexterm" name="id2609086"></a>
    167 <a class="indexterm" name="id2609093"></a>
     167<a class="indexterm" name="id2609094"></a>
    168168The privileges that have been implemented in Samba-3.0.11 are shown below.  It is possible, and likely, that
    169169additional privileges may be implemented in later releases of Samba. It is also likely that any privileges
     
    181181                </p></dd><dt><span class="term">SeDiskOperatorPrivilege</span></dt><dd><p>
    182182<a class="indexterm" name="id2609164"></a>
    183 <a class="indexterm" name="id2609171"></a>
    184 <a class="indexterm" name="id2609178"></a>
     183<a class="indexterm" name="id2609172"></a>
     184<a class="indexterm" name="id2609179"></a>
    185185                Accounts that possess this right will be able to execute
    186186                scripts defined by the <code class="literal">add/delete/change</code>
     
    224224        privileges:
    225225<a class="indexterm" name="id2609392"></a>
    226 <a class="indexterm" name="id2609399"></a>
     226<a class="indexterm" name="id2609400"></a>
    227227<a class="indexterm" name="id2609407"></a>
    228228<a class="indexterm" name="id2609414"></a>
     
    237237<a class="indexterm" name="id2609477"></a>
    238238<a class="indexterm" name="id2609484"></a>
    239 <a class="indexterm" name="id2609491"></a>
    240 <a class="indexterm" name="id2609498"></a>
    241 <a class="indexterm" name="id2609505"></a>
     239<a class="indexterm" name="id2609492"></a>
     240<a class="indexterm" name="id2609499"></a>
     241<a class="indexterm" name="id2609506"></a>
    242242<a class="indexterm" name="id2609512"></a>
    243243<a class="indexterm" name="id2609519"></a>
     
    245245<a class="indexterm" name="id2609533"></a>
    246246<a class="indexterm" name="id2609540"></a>
    247 <a class="indexterm" name="id2609547"></a>
     247<a class="indexterm" name="id2609548"></a>
    248248</p><pre class="screen">
    249249         SeCreateTokenPrivilege  Create a token object
     
    290290<a class="indexterm" name="id2609721"></a>
    291291<a class="indexterm" name="id2609728"></a>
    292 <a class="indexterm" name="id2609734"></a>
    293 <a class="indexterm" name="id2609741"></a>
     292<a class="indexterm" name="id2609735"></a>
     293<a class="indexterm" name="id2609742"></a>
    294294<a class="indexterm" name="id2609748"></a>
    295295<a class="indexterm" name="id2609756"></a>
     
    341341<a class="indexterm" name="id2609915"></a>
    342342<a class="indexterm" name="id2609922"></a>
    343 <a class="indexterm" name="id2609928"></a>
     343<a class="indexterm" name="id2609929"></a>
    344344Please note that every Windows NT4 and later server requires a domain Administrator account. Samba versions
    345345commencing with 3.0.11 permit Administrative duties to be performed via assigned rights and privileges
     
    354354You may assign the domain administrator RID to an account using the <code class="literal">pdbedit</code>
    355355command as shown here:
    356 <a class="indexterm" name="id2609976"></a>
     356<a class="indexterm" name="id2609977"></a>
    357357</p><pre class="screen">
    358358<code class="prompt">root# </code> pdbedit -U S-1-5-21-4294955119-3368514841-2087710299-500 -u root -r
     
    394394        group can be added to the membership of the local workstation group <code class="literal">Power Users</code>.
    395395        </p><p>
    396 <a class="indexterm" name="id2610193"></a>
    397 <a class="indexterm" name="id2610200"></a>
     396<a class="indexterm" name="id2610194"></a>
     397<a class="indexterm" name="id2610201"></a>
    398398<a class="indexterm" name="id2610208"></a>
    399 <a class="indexterm" name="id2610214"></a>
     399<a class="indexterm" name="id2610215"></a>
    400400        See <a class="link" href="NetCommand.html#nestedgrpmgmgt" title="Nested Group Support">Nested Group Support</a> for an example of how to add domain users
    401401        and groups to a local group that is on a Windows workstation. The use of the <code class="literal">net</code>
Note: See TracChangeset for help on using the changeset viewer.