path: root/docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml
diff options
Diffstat (limited to 'docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml')
1 files changed, 600 insertions, 0 deletions
diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml b/docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml
new file mode 100644
index 00000000000..5ce64ddffdf
--- /dev/null
+++ b/docs-xml/Samba3-HOWTO/TOSHARG-RightsAndPriviliges.xml
@@ -0,0 +1,600 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "">
+<chapter id="rights">
+ &author.jerry;
+ &author.jht;
+<title>User Rights and Privileges</title>
+<indexterm><primary>Windows user</primary></indexterm>
+<indexterm><primary>Windows group</primary></indexterm>
+<indexterm><primary>machine accounts</primary></indexterm>
+The administration of Windows user, group, and machine accounts in the Samba
+domain-controlled network necessitates interfacing between the MS Windows
+networking environment and the UNIX operating system environment. The right
+(permission) to add machines to the Windows security domain can be assigned
+(set) to non-administrative users both in Windows NT4 domains and
+Active Directory domains.
+<indexterm><primary>Windows NT4/2kX/XPPro</primary></indexterm>
+<indexterm><primary>machine account</primary></indexterm>
+<indexterm><primary>user logons</primary></indexterm>
+The addition of Windows NT4/2kX/XPPro machines to the domain necessitates the
+creation of a machine account for each machine added. The machine account is
+a necessity that is used to validate that the machine can be trusted to permit
+user logons.
+<indexterm><primary>user accounts</primary></indexterm>
+<indexterm><primary>special account</primary></indexterm>
+<indexterm><primary>account name</primary></indexterm>
+Machine accounts are analogous to user accounts, and thus in implementing them on a UNIX machine that is
+hosting Samba (i.e., on which Samba is running), it is necessary to create a special type of user account.
+Machine accounts differ from normal user accounts in that the account name (login ID) is terminated with a
+<literal>$</literal> sign. An additional difference is that this type of account should not ever be able to
+log into the UNIX environment as a system user and therefore is set to have a shell of
+<command>/bin/false</command> and a home directory of <command>/dev/null.</command> The machine
+account is used only to authenticate domain member machines during start-up. This security measure
+is designed to block man-in-the-middle attempts to violate network integrity.
+<indexterm><primary>computer accounts</primary></indexterm>
+<indexterm><primary>domain member servers</primary></indexterm>
+<indexterm><primary>domain controller</primary></indexterm>
+<indexterm><primary>secure authentication</primary></indexterm>
+Machine (computer) accounts are used in the Windows NT OS family to store security
+credentials for domain member servers and workstations. When the domain member
+starts up, it goes through a validation process that includes an exchange of
+credentials with a domain controller. If the domain member fails to authenticate
+using the credentials known for it by domain controllers, the machine will be refused
+all access by domain users. The computer account is essential to the way that MS
+Windows secures authentication.
+<indexterm><primary>UNIX system accounts</primary></indexterm>
+<indexterm><primary>system administrator</primary></indexterm>
+The creation of UNIX system accounts has traditionally been the sole right of
+the system administrator, better known as the <constant>root</constant> account.
+It is possible in the UNIX environment to create multiple users who have the
+same UID. Any UNIX user who has a UID=0 is inherently the same as the
+<constant>root</constant> account user.
+<indexterm><primary>system interface scripts</primary></indexterm>
+<indexterm><primary>CIFS function calls</primary></indexterm>
+<indexterm><primary>root account</primary></indexterm>
+<indexterm><primary>UNIX host system</primary></indexterm>
+All versions of Samba call system interface scripts that permit CIFS function
+calls that are used to manage users, groups, and machine accounts
+in the UNIX environment. All versions of Samba up to and including version 3.0.10
+required the use of a Windows administrator account that unambiguously maps to
+the UNIX <constant>root</constant> account to permit the execution of these
+interface scripts. The requirement to do this has understandably met with some
+disdain and consternation among Samba administrators, particularly where it became
+necessary to permit people who should not possess <constant>root</constant>-level
+access to the UNIX host system.
+<title>Rights Management Capabilities</title>
+<indexterm><primary>Windows privilege model</primary></indexterm>
+<indexterm><primary>privilege model</primary></indexterm>
+<indexterm><primary>rights assigned</primary></indexterm>
+Samba 3.0.11 introduced support for the Windows privilege model. This model
+allows certain rights to be assigned to a user or group SID. In order to enable
+this feature, <smbconfoption name="enable privileges">yes</smbconfoption>
+must be defined in the <smbconfsection name="global"/> section of the &smb.conf; file.
+<indexterm><primary>manage privileges</primary></indexterm>
+Currently, the rights supported in Samba-3 are listed in <link linkend="rp-privs"/>.
+The remainder of this chapter explains how to manage and use these privileges on Samba servers.
+<table id="rp-privs">
+ <title>Current Privilege Capabilities</title>
+ <tgroup cols="2">
+ <colspec align="right"/>
+ <colspec align="left"/>
+ <thead>
+ <row>
+ <entry align="left">Privilege</entry>
+ <entry align="left">Description</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry><para>SeMachineAccountPrivilege</para></entry>
+ <entry><para>Add machines to domain</para></entry>
+ </row>
+ <row>
+ <entry><para>SePrintOperatorPrivilege</para></entry>
+ <entry><para>Manage printers</para></entry>
+ </row>
+ <row>
+ <entry><para>SeAddUsersPrivilege</para></entry>
+ <entry><para>Add users and groups to the domain</para></entry>
+ </row>
+ <row>
+ <entry><para>SeRemoteShutdownPrivilege</para></entry>
+ <entry><para>Force shutdown from a remote system</para></entry>
+ </row>
+ <row>
+ <entry><para>SeDiskOperatorPrivilege</para></entry>
+ <entry><para>Manage disk share</para></entry>
+ </row>
+<!-- These are not used at this time - so void them from the docs.
+ <row>
+ <entry><para>SeBackupPrivilege</para></entry>
+ <entry><para>Back up files and directories</para></entry>
+ </row>
+ <row>
+ <entry><para>SeRestorePrivilege</para></entry>
+ <entry><para>Restore files and directories</para></entry>
+ </row>
+**** End of commented out section **** -->
+ <row>
+ <entry><para>SeTakeOwnershipPrivilege</para></entry>
+ <entry><para>Take ownership of files or other objects</para></entry>
+ </row>
+ </tbody>
+ </tgroup>
+<title>Using the <quote>net rpc rights</quote> Utility</title>
+<indexterm><primary>managing rights</primary></indexterm>
+<indexterm><primary>rights assigned</primary></indexterm>
+<indexterm><primary>NT4 User Manager for Domains</primary></indexterm>
+<indexterm><primary>command-line utility</primary></indexterm>
+<indexterm><primary>administrative actions</primary></indexterm>
+There are two primary means of managing the rights assigned to users and groups
+on a Samba server. The <command>NT4 User Manager for Domains</command> may be
+used from any Windows NT4, 2000, or XP Professional domain member client to
+connect to a Samba domain controller and view/modify the rights assignments.
+This application, however, appears to have bugs when run on a client running
+Windows 2000 or later; therefore, Samba provides a command-line utility for
+performing the necessary administrative actions.
+The <command>net rpc rights</command> utility in Samba 3.0.11 has three new subcommands:
+ <varlistentry><term>list [name|accounts]</term>
+ <listitem><para>
+<indexterm><primary>available rights</primary></indexterm>
+<indexterm><primary>privileges assigned</primary></indexterm>
+<indexterm><primary>privileged accounts</primary></indexterm>
+ When called with no arguments, <command>net rpc list</command>
+ simply lists the available rights on the server. When passed
+ a specific user or group name, the tool lists the privileges
+ currently assigned to the specified account. When invoked using
+ the special string <constant>accounts</constant>,
+ <command>net rpc rights list</command> returns a list of all
+ privileged accounts on the server and the assigned rights.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry><term>grant &lt;user&gt; &lt;right [right ...]&gt;</term>
+ <listitem><para>
+<indexterm><primary>assign rights</primary></indexterm>
+<indexterm><primary>grant rights</primary></indexterm>
+<indexterm><primary>add client machines</primary></indexterm>
+<indexterm><primary>user or group</primary></indexterm>
+ When called with no arguments, this function is used to assign
+ a list of rights to a specified user or group. For example,
+ to grant the members of the Domain Admins group on a Samba domain controller,
+ the capability to add client machines to the domain, one would run:
+&rootprompt; net -S server -U domadmin rpc rights grant \
+ 'DOMAIN\Domain Admins' SeMachineAccountPrivilege
+ The following syntax has the same result:
+<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>rights grant</tertiary></indexterm>
+&rootprompt; net rpc rights grant 'DOMAIN\Domain Admins' \
+ SeMachineAccountPrivilege -S server -U domadmin
+ More than one privilege can be assigned by specifying a
+ list of rights separated by spaces. The parameter 'Domain\Domain Admins'
+ must be quoted with single ticks or using double-quotes to prevent
+ the backslash and the space from being interpreted by the system shell.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry><term>revoke &lt;user&gt; &lt;right [right ...]&gt;</term>
+ <listitem><para>
+ This command is similar in format to <command>net rpc rights grant</command>. Its
+ effect is to remove an assigned right (or list of rights) from a user or group.
+ </para></listitem>
+ </varlistentry>
+<indexterm><primary>Domain Admins</primary></indexterm>
+<indexterm><primary>revoke privileges</primary></indexterm>
+You must be connected as a member of the Domain Admins group to be able to grant or revoke privileges assigned
+to an account. This capability is inherent to the Domain Admins group and is not configurable. There are no
+default rights and privileges, except the ability for a member of the Domain Admins group to assign them.
+This means that all administrative rights and privileges (other than the ability to assign them) must be
+explicitly assigned, even for the Domain Admins group.
+<indexterm><primary>performed as root</primary></indexterm>
+<indexterm><primary>necessary rights</primary></indexterm>
+<indexterm><primary>add machine script</primary></indexterm>
+By default, no privileges are initially assigned to any account because certain actions will be performed as
+root once smbd determines that a user has the necessary rights. For example, when joining a client to a
+Windows domain, <parameter>add machine script</parameter> must be executed with superuser rights in most
+cases. For this reason, you should be very careful about handing out privileges to accounts.
+<indexterm><primary>root user</primary></indexterm>
+<indexterm><primary>bypasses privilege</primary></indexterm>
+Access as the root user (UID=0) bypasses all privilege checks.
+<title>Description of Privileges</title>
+<indexterm><primary>additional privileges</primary></indexterm>
+The privileges that have been implemented in Samba-3.0.11 are shown below. It is possible, and likely, that
+additional privileges may be implemented in later releases of Samba. It is also likely that any privileges
+currently implemented but not used may be removed from future releases as a housekeeping matter, so it is
+important that the successful as well as unsuccessful use of these facilities should be reported on the Samba
+mailing lists.
+ <varlistentry><term>SeAddUsersPrivilege</term>
+ <listitem><para>
+<indexterm><primary>net rpc user add</primary></indexterm>
+ This right determines whether or not smbd will allow the
+ user to create new user or group accounts via such tools
+ as <command>net rpc user add</command> or
+ <command>NT4 User Manager for Domains.</command>
+ </para></listitem>
+ </varlistentry>
+ <varlistentry><term>SeDiskOperatorPrivilege</term>
+ <listitem><para>
+<indexterm><primary>add/delete/change share</primary></indexterm>
+ Accounts that possess this right will be able to execute
+ scripts defined by the <command>add/delete/change</command>
+ share command in &smb.conf; file as root. Such users will
+ also be able to modify the ACL associated with file shares
+ on the Samba server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry><term>SeMachineAccountPrivilege</term>
+ <listitem><para>
+<indexterm><primary>right to join domain</primary></indexterm>
+<indexterm><primary>join client</primary></indexterm>
+ This right controls whether or not the user can join client
+ machines to a Samba-controlled domain.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry><term>SePrintOperatorPrivilege</term>
+ <listitem><para>
+<indexterm><primary>global right</primary></indexterm>
+<indexterm><primary>administrative rights</primary></indexterm>
+<indexterm><primary>printers admin</primary></indexterm>
+ This privilege operates identically to the <smbconfoption name="printer admin"/>
+ option in the &smb.conf; file (see section 5 man page for &smb.conf;)
+ except that it is a global right (not on a per-printer basis).
+ Eventually the smb.conf option will be deprecated and administrative
+ rights to printers will be controlled exclusively by this right and
+ the security descriptor associated with the printer object in the
+ <filename>ntprinters.tdb</filename> file.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry><term>SeRemoteShutdownPrivilege</term>
+ <listitem><para>
+<indexterm><primary>rebooting server</primary></indexterm>
+<indexterm><primary>aborting shutdown</primary></indexterm>
+ Samba provides two hooks for shutting down or rebooting
+ the server and for aborting a previously issued shutdown
+ command. Since this is an operation normally limited by
+ the operating system to the root user, an account must possess this
+ right to be able to execute either of these hooks.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry><term>SeTakeOwnershipPrivilege</term>
+ <listitem><para>
+<indexterm><primary>take ownership</primary></indexterm>
+ This right permits users to take ownership of files and directories.
+ </para></listitem>
+ </varlistentry>
+<title>Privileges Suppored by Windows 2000 Domain Controllers</title>
+ For reference purposes, a Windows NT4 Primary Domain Controller reports support for the following
+ privileges:
+ SeCreateTokenPrivilege Create a token object
+ SeAssignPrimaryTokenPrivilege Replace a process level token
+ SeLockMemoryPrivilege Lock pages in memory
+ SeIncreaseQuotaPrivilege Increase quotas
+ SeMachineAccountPrivilege Add workstations to domain
+ SeTcbPrivilege Act as part of the operating system
+ SeSecurityPrivilege Manage auditing and security log
+ SeTakeOwnershipPrivilege Take ownership of files or other objects
+ SeLoadDriverPrivilege Load and unload device drivers
+ SeSystemProfilePrivilege Profile system performance
+ SeSystemtimePrivilege Change the system time
+SeProfileSingleProcessPrivilege Profile single process
+SeIncreaseBasePriorityPrivilege Increase scheduling priority
+ SeCreatePagefilePrivilege Create a pagefile
+ SeCreatePermanentPrivilege Create permanent shared objects
+ SeBackupPrivilege Back up files and directories
+ SeRestorePrivilege Restore files and directories
+ SeShutdownPrivilege Shut down the system
+ SeDebugPrivilege Debug programs
+ SeAuditPrivilege Generate security audits
+ SeSystemEnvironmentPrivilege Modify firmware environment values
+ SeChangeNotifyPrivilege Bypass traverse checking
+ SeRemoteShutdownPrivilege Force shutdown from a remote system
+ And Windows 200x/XP Domain Controllers and workstations reports to support the following privileges:
+ SeCreateTokenPrivilege Create a token object
+ SeAssignPrimaryTokenPrivilege Replace a process level token
+ SeLockMemoryPrivilege Lock pages in memory
+ SeIncreaseQuotaPrivilege Increase quotas
+ SeMachineAccountPrivilege Add workstations to domain
+ SeTcbPrivilege Act as part of the operating system
+ SeSecurityPrivilege Manage auditing and security log
+ SeTakeOwnershipPrivilege Take ownership of files or other objects
+ SeLoadDriverPrivilege Load and unload device drivers
+ SeSystemProfilePrivilege Profile system performance
+ SeSystemtimePrivilege Change the system time
+SeProfileSingleProcessPrivilege Profile single process
+SeIncreaseBasePriorityPrivilege Increase scheduling priority
+ SeCreatePagefilePrivilege Create a pagefile
+ SeCreatePermanentPrivilege Create permanent shared objects
+ SeBackupPrivilege Back up files and directories
+ SeRestorePrivilege Restore files and directories
+ SeShutdownPrivilege Shut down the system
+ SeDebugPrivilege Debug programs
+ SeAuditPrivilege Generate security audits
+ SeSystemEnvironmentPrivilege Modify firmware environment values
+ SeChangeNotifyPrivilege Bypass traverse checking
+ SeRemoteShutdownPrivilege Force shutdown from a remote system
+ SeUndockPrivilege Remove computer from docking station
+ SeSyncAgentPrivilege Synchronize directory service data
+ SeEnableDelegationPrivilege Enable computer and user accounts to
+ be trusted for delegation
+ SeManageVolumePrivilege Perform volume maintenance tasks
+ SeImpersonatePrivilege Impersonate a client after authentication
+ SeCreateGlobalPrivilege Create global objects
+ The Samba Team is implementing only those privileges that are logical and useful in the UNIX/Linux
+ environment. Many of the Windows 200X/XP privileges have no direct equivalence in UNIX.
+ </para>
+<title>The Administrator Domain SID</title>
+<indexterm><primary>domain Administrator</primary></indexterm>
+<indexterm><primary>User Rights and Privileges</primary></indexterm>
+<indexterm><primary>passdb backend</primary></indexterm>
+<indexterm><primary>net getlocalsid</primary></indexterm>
+Please note that every Windows NT4 and later server requires a domain Administrator account. Samba versions
+commencing with 3.0.11 permit Administrative duties to be performed via assigned rights and privileges
+(see <link linkend="rights">User Rights and Privileges</link>). An account in the server's passdb backend can
+be set to the well-known RID of the default administrator account. To obtain the domain SID on a Samba domain
+controller, run the following command:
+&rootprompt; net getlocalsid
+SID for domain FOO is: S-1-5-21-4294955119-3368514841-2087710299
+You may assign the domain administrator RID to an account using the <command>pdbedit</command>
+command as shown here:
+&rootprompt; pdbedit -U S-1-5-21-4294955119-3368514841-2087710299-500 -u root -r
+<indexterm><primary>RID 500</primary></indexterm>
+<indexterm><primary>well known RID</primary></indexterm>
+<indexterm><primary>rights and privileges</primary></indexterm>
+<indexterm><primary>root account</primary></indexterm>
+The RID 500 is the well known standard value of the default Administrator account. It is the RID
+that confers the rights and privileges that the Administrator account has on a Windows machine
+or domain. Under UNIX/Linux the equivalent is UID=0 (the root account).
+<indexterm><primary>without Administrator account</primary></indexterm>
+<indexterm><primary>equivalent rights and privileges</primary></indexterm>
+<indexterm><primary>Windows group account</primary></indexterm>
+Releases of Samba version 3.0.11 and later make it possible to operate without an Administrator account
+provided equivalent rights and privileges have been established for a Windows user or a Windows
+group account.
+<title>Common Errors</title>
+ <sect2>
+ <title>What Rights and Privileges Will Permit Windows Client Administration?</title>
+ <para>
+<indexterm><primary>domain global</primary></indexterm>
+<indexterm><primary>local group</primary></indexterm>
+<indexterm><primary>administrative rights</primary></indexterm>
+<indexterm><primary>Windows client</primary></indexterm>
+ When a Windows NT4 (or later) client joins a domain, the domain global <literal>Domain Admins</literal> group
+ is added to the membership of the local <literal>Administrators</literal> group on the client. Any user who is
+ a member of the domain global <literal>Domain Admins</literal> group will have administrative rights on the
+ Windows client.
+ </para>
+ <para>
+<indexterm><primary>desirable solution</primary></indexterm>
+<indexterm><primary>administrative rights and privileges</primary></indexterm>
+<indexterm><primary>Power Users</primary></indexterm>
+<indexterm><primary>domain global user</primary></indexterm>
+<indexterm><primary>domain global group</primary></indexterm>
+ This is often not the most desirable solution because it means that the user will have administrative
+ rights and privileges on domain servers also. The <literal>Power Users</literal> group on Windows client
+ workstations permits local administration of the workstation alone. Any domain global user or domain global
+ group can be added to the membership of the local workstation group <literal>Power Users</literal>.
+ </para>
+ <para>
+<indexterm><primary>Nested Group Support</primary></indexterm>
+<indexterm><primary>add domain users and groups to a local group</primary></indexterm>
+<indexterm><primary>Windows workstation.</primary></indexterm>
+ See <link linkend="nestedgrpmgmgt">Nested Group Support</link> for an example of how to add domain users
+ and groups to a local group that is on a Windows workstation. The use of the <command>net</command>
+ command permits this to be done from the Samba server.
+ </para>
+ <para>
+<indexterm><primary>cmd shell</primary></indexterm>
+ Another way this can be done is to log onto the Windows workstation as the user
+ <literal>Administrator</literal>, then open a <command>cmd</command> shell, then execute:
+&dosprompt; net localgroup administrators /add <userinput>domain_name\entity</userinput>
+ where <literal>entity</literal> is either a domain user or a domain group account name.
+ </para>
+ </sect2>