--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 14. User Rights and Privileges</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.68.1"><link rel="start" href="index.html" title="The Official Samba-3 HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="idmapper.html" title="Chapter 13. Identity Mapping (IDMAP)"><link rel="next" href="AccessControls.html" title="Chapter 15. File, Directory, and Share Access Controls"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 14. User Rights and Privileges</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="idmapper.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="AccessControls.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="rights"></a>Chapter 14. User Rights and Privileges</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jerry@samba.org">jerry@samba.org</a>></code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></code></p></div></div></div></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="rights.html#id2576198">Rights Management Capabilities</a></span></dt><dd><dl><dt><span class="sect2"><a href="rights.html#id2576468">Using the “<span class="quote">net rpc rights</span>” Utility</a></span></dt><dt><span class="sect2"><a href="rights.html#id2576813">Description of Privileges</a></span></dt><dt><span class="sect2"><a href="rights.html#id2577125">Privileges Suppored by Windows 2000 Domain Controllers</a></span></dt></dl></dd><dt><span class="sect1"><a href="rights.html#id2577614">The Administrator Domain SID</a></span></dt><dt><span class="sect1"><a href="rights.html#id2577791">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="rights.html#id2577797">What Rights and Privileges Will Permit Windows Client Administration?</a></span></dt></dl></dd></dl></div><p>
+<a class="indexterm" name="id2575914"></a>
+<a class="indexterm" name="id2575921"></a>
+<a class="indexterm" name="id2575928"></a>
+<a class="indexterm" name="id2575935"></a>
+The administration of Windows user, group, and machine accounts in the Samba
+domain-controlled network necessitates interfacing between the MS Windows
+networking environment and the UNIX operating system environment. The right
+(permission) to add machines to the Windows security domain can be assigned
+(set) to non-administrative users both in Windows NT4 domains and
+Active Directory domains.
+</p><p>
+<a class="indexterm" name="id2575952"></a>
+<a class="indexterm" name="id2575959"></a>
+<a class="indexterm" name="id2575966"></a>
+<a class="indexterm" name="id2575972"></a>
+The addition of Windows NT4/2kX/XPPro machines to the domain necessitates the
+creation of a machine account for each machine added. The machine account is
+a necessity that is used to validate that the machine can be trusted to permit
+user logons.
+</p><p>
+<a class="indexterm" name="id2575987"></a>
+<a class="indexterm" name="id2575994"></a>
+<a class="indexterm" name="id2576001"></a>
+<a class="indexterm" name="id2576008"></a>
+<a class="indexterm" name="id2576014"></a>
+<a class="indexterm" name="id2576021"></a>
+Machine accounts are analogous to user accounts, and thus in implementing them on a UNIX machine that is
+hosting Samba (i.e., on which Samba is running), it is necessary to create a special type of user account.
+Machine accounts differ from normal user accounts in that the account name (login ID) is terminated with a
+<code class="literal">$</code> sign. An additional difference is that this type of account should not ever be able to
+log into the UNIX environment as a system user and therefore is set to have a shell of
+<span><strong class="command">/bin/false</strong></span> and a home directory of <span><strong class="command">/dev/null.</strong></span> The machine
+account is used only to authenticate domain member machines during start-up. This security measure
+is designed to block man-in-the-middle attempts to violate network integrity.
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+<a class="indexterm" name="id2576062"></a>
+<a class="indexterm" name="id2576069"></a>
+<a class="indexterm" name="id2576076"></a>
+<a class="indexterm" name="id2576083"></a>
+<a class="indexterm" name="id2576089"></a>
+Machine (computer) accounts are used in the Windows NT OS family to store security
+credentials for domain member servers and workstations. When the domain member
+starts up, it goes through a validation process that includes an exchange of
+credentials with a domain controller. If the domain member fails to authenticate
+using the credentials known for it by domain controllers, the machine will be refused
+all access by domain users. The computer account is essential to the way that MS
+Windows secures authentication.
+</p></div><p>
+<a class="indexterm" name="id2576108"></a>
+<a class="indexterm" name="id2576116"></a>
+<a class="indexterm" name="id2576123"></a>
+<a class="indexterm" name="id2576129"></a>
+The creation of UNIX system accounts has traditionally been the sole right of
+the system administrator, better known as the <code class="constant">root</code> account.
+It is possible in the UNIX environment to create multiple users who have the
+same UID. Any UNIX user who has a UID=0 is inherently the same as the
+<code class="constant">root</code> account user.
+</p><p>
+<a class="indexterm" name="id2576152"></a>
+<a class="indexterm" name="id2576159"></a>
+<a class="indexterm" name="id2576166"></a>
+<a class="indexterm" name="id2576172"></a>
+All versions of Samba call system interface scripts that permit CIFS function
+calls that are used to manage users, groups, and machine accounts
+in the UNIX environment. All versions of Samba up to and including version 3.0.10
+required the use of a Windows administrator account that unambiguously maps to
+the UNIX <code class="constant">root</code> account to permit the execution of these
+interface scripts. The requirement to do this has understandably met with some
+disdain and consternation among Samba administrators, particularly where it became
+necessary to permit people who should not possess <code class="constant">root</code>-level
+access to the UNIX host system.
+</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2576198"></a>Rights Management Capabilities</h2></div></div></div><p>
+<a class="indexterm" name="id2576206"></a>
+<a class="indexterm" name="id2576213"></a>
+<a class="indexterm" name="id2576220"></a>
+<a class="indexterm" name="id2576227"></a>
+Samba 3.0.11 introduced support for the Windows privilege model. This model
+allows certain rights to be assigned to a user or group SID. In order to enable
+this feature, <a class="indexterm" name="id2576237"></a>enable privileges = yes
+must be defined in the <em class="parameter"><code>global</code></em> section of the <code class="filename">smb.conf</code> file.
+</p><p>
+<a class="indexterm" name="id2576260"></a>
+<a class="indexterm" name="id2576267"></a>
+<a class="indexterm" name="id2576273"></a>
+Currently, the rights supported in Samba-3 are listed in <a href="rights.html#rp-privs" title="Table 14.1. Current Privilege Capabilities">???</a>.
+The remainder of this chapter explains how to manage and use these privileges on Samba servers.
+</p><a class="indexterm" name="id2576290"></a><a class="indexterm" name="id2576297"></a><a class="indexterm" name="id2576304"></a><a class="indexterm" name="id2576311"></a><a class="indexterm" name="id2576318"></a><a class="indexterm" name="id2576325"></a><div class="table"><a name="rp-privs"></a><p class="title"><b>Table 14.1. Current Privilege Capabilities</b></p><table summary="Current Privilege Capabilities" border="1"><colgroup><col align="right"><col align="left"></colgroup><thead><tr><th align="left">Privilege</th><th align="left">Description</th></tr></thead><tbody><tr><td align="right"><p>SeMachineAccountPrivilege</p></td><td align="left"><p>Add machines to domain</p></td></tr><tr><td align="right"><p>SePrintOperatorPrivilege</p></td><td align="left"><p>Manage printers</p></td></tr><tr><td align="right"><p>SeAddUsersPrivilege</p></td><td align="left"><p>Add users and groups to the domain</p></td></tr><tr><td align="right"><p>SeRemoteShutdownPrivilege</p></td><td align="left"><p>Force shutdown from a remote system</p></td></tr><tr><td align="right"><p>SeDiskOperatorPrivilege</p></td><td align="left"><p>Manage disk share</p></td></tr><tr><td align="right"><p>SeTakeOwnershipPrivilege</p></td><td align="left"><p>Take ownership of files or other objects</p></td></tr></tbody></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2576468"></a>Using the “<span class="quote">net rpc rights</span>” Utility</h3></div></div></div><p>
+<a class="indexterm" name="id2576479"></a>
+<a class="indexterm" name="id2576486"></a>
+<a class="indexterm" name="id2576493"></a>
+<a class="indexterm" name="id2576500"></a>
+<a class="indexterm" name="id2576507"></a>
+There are two primary means of managing the rights assigned to users and groups
+on a Samba server. The <span><strong class="command">NT4 User Manager for Domains</strong></span> may be
+used from any Windows NT4, 2000, or XP Professional domain member client to
+connect to a Samba domain controller and view/modify the rights assignments.
+This application, however, appears to have bugs when run on a client running
+Windows 2000 or later; therefore, Samba provides a command-line utility for
+performing the necessary administrative actions.
+</p><p>
+The <span><strong class="command">net rpc rights</strong></span> utility in Samba 3.0.11 has three new subcommands:
+</p><div class="variablelist"><dl><dt><span class="term">list [name|accounts]</span></dt><dd><p>
+<a class="indexterm" name="id2576550"></a>
+<a class="indexterm" name="id2576561"></a>
+<a class="indexterm" name="id2576568"></a>
+<a class="indexterm" name="id2576575"></a>
+ When called with no arguments, <span><strong class="command">net rpc list</strong></span>
+ simply lists the available rights on the server. When passed
+ a specific user or group name, the tool lists the privileges
+ currently assigned to the specified account. When invoked using
+ the special string <code class="constant">accounts</code>,
+ <span><strong class="command">net rpc rights list</strong></span> returns a list of all
+ privileged accounts on the server and the assigned rights.
+ </p></dd><dt><span class="term">grant <user> <right [right ...]></span></dt><dd><p>
+<a class="indexterm" name="id2576614"></a>
+<a class="indexterm" name="id2576621"></a>
+<a class="indexterm" name="id2576628"></a>
+<a class="indexterm" name="id2576635"></a>
+ When called with no arguments, this function is used to assign
+ a list of rights to a specified user or group. For example,
+ to grant the members of the Domain Admins group on a Samba domain controller,
+ the capability to add client machines to the domain, one would run:
+</p><pre class="screen">
+<code class="prompt">root# </code> net -S server -U domadmin rpc rights grant \
+ 'DOMAIN\Domain Admins' SeMachineAccountPrivilege
+</pre><p>
+ The following syntax has the same result:
+<a class="indexterm" name="id2576660"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc rights grant 'DOMAIN\Domain Admins' \
+ SeMachineAccountPrivilege -S server -U domadmin
+</pre><p>
+ More than one privilege can be assigned by specifying a
+ list of rights separated by spaces. The parameter 'Domain\Domain Admins'
+ must be quoted with single ticks or using double-quotes to prevent
+ the backslash and the space from being interpreted by the system shell.
+ </p></dd><dt><span class="term">revoke <user> <right [right ...]></span></dt><dd><p>
+ This command is similar in format to <span><strong class="command">net rpc rights grant</strong></span>. Its
+ effect is to remove an assigned right (or list of rights) from a user or group.
+ </p></dd></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+<a class="indexterm" name="id2576715"></a>
+<a class="indexterm" name="id2576722"></a>
+<a class="indexterm" name="id2576729"></a>
+You must be connected as a member of the Domain Admins group to be able to grant or revoke privileges assigned
+to an account. This capability is inherent to the Domain Admins group and is not configurable. There are no
+default rights and privileges, except the ability for a member of the Domain Admins group to assign them.
+This means that all administrative rights and privileges (other than the ability to assign them) must be
+explicitly assigned, even for the Domain Admins group.
+</p></div><p>
+<a class="indexterm" name="id2576747"></a>
+<a class="indexterm" name="id2576754"></a>
+<a class="indexterm" name="id2576761"></a>
+<a class="indexterm" name="id2576768"></a>
+By default, no privileges are initially assigned to any account because certain actions will be performed as
+root once smbd determines that a user has the necessary rights. For example, when joining a client to a
+Windows domain, <em class="parameter"><code>add machine script</code></em> must be executed with superuser rights in most
+cases. For this reason, you should be very careful about handing out privileges to accounts.
+</p><p>
+<a class="indexterm" name="id2576789"></a>
+<a class="indexterm" name="id2576796"></a>
+<a class="indexterm" name="id2576803"></a>
+Access as the root user (UID=0) bypasses all privilege checks.
+</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2576813"></a>Description of Privileges</h3></div></div></div><p>
+<a class="indexterm" name="id2576821"></a>
+<a class="indexterm" name="id2576828"></a>
+<a class="indexterm" name="id2576835"></a>
+The privileges that have been implemented in Samba-3.0.11 are shown below. It is possible, and likely, that
+additional privileges may be implemented in later releases of Samba. It is also likely that any privileges
+currently implemented but not used may be removed from future releases as a housekeeping matter, so it is
+important that the successful as well as unsuccessful use of these facilities should be reported on the Samba
+mailing lists.
+</p><div class="variablelist"><dl><dt><span class="term">SeAddUsersPrivilege</span></dt><dd><p>
+<a class="indexterm" name="id2576868"></a>
+<a class="indexterm" name="id2576875"></a>
+<a class="indexterm" name="id2576882"></a>
+ This right determines whether or not smbd will allow the
+ user to create new user or group accounts via such tools
+ as <span><strong class="command">net rpc user add</strong></span> or
+ <span><strong class="command">NT4 User Manager for Domains.</strong></span>
+ </p></dd><dt><span class="term">SeDiskOperatorPrivilege</span></dt><dd><p>
+<a class="indexterm" name="id2576913"></a>
+<a class="indexterm" name="id2576920"></a>
+<a class="indexterm" name="id2576928"></a>
+ Accounts that possess this right will be able to execute
+ scripts defined by the <span><strong class="command">add/delete/change</strong></span>
+ share command in <code class="filename">smb.conf</code> file as root. Such users will
+ also be able to modify the ACL associated with file shares
+ on the Samba server.
+ </p></dd><dt><span class="term">SeMachineAccountPrivilege</span></dt><dd><p>
+<a class="indexterm" name="id2576960"></a>
+<a class="indexterm" name="id2576967"></a>
+<a class="indexterm" name="id2576974"></a>
+ This right controls whether or not the user can join client
+ machines to a Samba-controlled domain.
+ </p></dd><dt><span class="term">SePrintOperatorPrivilege</span></dt><dd><p>
+<a class="indexterm" name="id2576993"></a>
+<a class="indexterm" name="id2577000"></a>
+<a class="indexterm" name="id2577007"></a>
+<a class="indexterm" name="id2577014"></a>
+<a class="indexterm" name="id2577021"></a>
+ This privilege operates identically to the <a class="indexterm" name="id2577029"></a>printer admin
+ option in the <code class="filename">smb.conf</code> file (see section 5 man page for <code class="filename">smb.conf</code>)
+ except that it is a global right (not on a per-printer basis).
+ Eventually the smb.conf option will be deprecated and administrative
+ rights to printers will be controlled exclusively by this right and
+ the security descriptor associated with the printer object in the
+ <code class="filename">ntprinters.tdb</code> file.
+ </p></dd><dt><span class="term">SeRemoteShutdownPrivilege</span></dt><dd><p>
+<a class="indexterm" name="id2577070"></a>
+<a class="indexterm" name="id2577077"></a>
+<a class="indexterm" name="id2577084"></a>
+ Samba provides two hooks for shutting down or rebooting
+ the server and for aborting a previously issued shutdown
+ command. Since this is an operation normally limited by
+ the operating system to the root user, an account must possess this
+ right to be able to execute either of these hooks.
+ </p></dd><dt><span class="term">SeTakeOwnershipPrivilege</span></dt><dd><p>
+<a class="indexterm" name="id2577106"></a>
+<a class="indexterm" name="id2577113"></a>
+ This right permits users to take ownership of files and directories.
+ </p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2577125"></a>Privileges Suppored by Windows 2000 Domain Controllers</h3></div></div></div><p>
+ For reference purposes, a Windows NT4 Primary Domain Controller reports support for the following
+ privileges:
+<a class="indexterm" name="id2577136"></a>
+<a class="indexterm" name="id2577143"></a>
+<a class="indexterm" name="id2577150"></a>
+<a class="indexterm" name="id2577157"></a>
+<a class="indexterm" name="id2577164"></a>
+<a class="indexterm" name="id2577172"></a>
+<a class="indexterm" name="id2577178"></a>
+<a class="indexterm" name="id2577185"></a>
+<a class="indexterm" name="id2577192"></a>
+<a class="indexterm" name="id2577200"></a>
+<a class="indexterm" name="id2577207"></a>
+<a class="indexterm" name="id2577214"></a>
+<a class="indexterm" name="id2577221"></a>
+<a class="indexterm" name="id2577228"></a>
+<a class="indexterm" name="id2577235"></a>
+<a class="indexterm" name="id2577242"></a>
+<a class="indexterm" name="id2577249"></a>
+<a class="indexterm" name="id2577256"></a>
+<a class="indexterm" name="id2577263"></a>
+<a class="indexterm" name="id2577270"></a>
+<a class="indexterm" name="id2577277"></a>
+<a class="indexterm" name="id2577284"></a>
+<a class="indexterm" name="id2577291"></a>
+</p><pre class="screen">
+ SeCreateTokenPrivilege Create a token object
+ SeAssignPrimaryTokenPrivilege Replace a process level token
+ SeLockMemoryPrivilege Lock pages in memory
+ SeIncreaseQuotaPrivilege Increase quotas
+ SeMachineAccountPrivilege Add workstations to domain
+ SeTcbPrivilege Act as part of the operating system
+ SeSecurityPrivilege Manage auditing and security log
+ SeTakeOwnershipPrivilege Take ownership of files or other objects
+ SeLoadDriverPrivilege Load and unload device drivers
+ SeSystemProfilePrivilege Profile system performance
+ SeSystemtimePrivilege Change the system time
+SeProfileSingleProcessPrivilege Profile single process
+SeIncreaseBasePriorityPrivilege Increase scheduling priority
+ SeCreatePagefilePrivilege Create a pagefile
+ SeCreatePermanentPrivilege Create permanent shared objects
+ SeBackupPrivilege Back up files and directories
+ SeRestorePrivilege Restore files and directories
+ SeShutdownPrivilege Shut down the system
+ SeDebugPrivilege Debug programs
+ SeAuditPrivilege Generate security audits
+ SeSystemEnvironmentPrivilege Modify firmware environment values
+ SeChangeNotifyPrivilege Bypass traverse checking
+ SeRemoteShutdownPrivilege Force shutdown from a remote system
+</pre><p>
+ And Windows 200x/XP Domain Controllers and workstations reports to support the following privileges:
+<a class="indexterm" name="id2577329"></a>
+<a class="indexterm" name="id2577336"></a>
+<a class="indexterm" name="id2577343"></a>
+<a class="indexterm" name="id2577350"></a>
+<a class="indexterm" name="id2577357"></a>
+<a class="indexterm" name="id2577364"></a>
+<a class="indexterm" name="id2577371"></a>
+<a class="indexterm" name="id2577378"></a>
+<a class="indexterm" name="id2577385"></a>
+<a class="indexterm" name="id2577392"></a>
+<a class="indexterm" name="id2577399"></a>
+<a class="indexterm" name="id2577406"></a>
+<a class="indexterm" name="id2577414"></a>
+<a class="indexterm" name="id2577421"></a>
+<a class="indexterm" name="id2577428"></a>
+<a class="indexterm" name="id2577435"></a>
+<a class="indexterm" name="id2577442"></a>
+<a class="indexterm" name="id2577449"></a>
+<a class="indexterm" name="id2577456"></a>
+<a class="indexterm" name="id2577463"></a>
+<a class="indexterm" name="id2577470"></a>
+<a class="indexterm" name="id2577477"></a>
+<a class="indexterm" name="id2577484"></a>
+<a class="indexterm" name="id2577491"></a>
+<a class="indexterm" name="id2577498"></a>
+<a class="indexterm" name="id2577505"></a>
+<a class="indexterm" name="id2577512"></a>
+<a class="indexterm" name="id2577519"></a>
+<a class="indexterm" name="id2577526"></a>
+</p><pre class="screen">
+ SeCreateTokenPrivilege Create a token object
+ SeAssignPrimaryTokenPrivilege Replace a process level token
+ SeLockMemoryPrivilege Lock pages in memory
+ SeIncreaseQuotaPrivilege Increase quotas
+ SeMachineAccountPrivilege Add workstations to domain
+ SeTcbPrivilege Act as part of the operating system
+ SeSecurityPrivilege Manage auditing and security log
+ SeTakeOwnershipPrivilege Take ownership of files or other objects
+ SeLoadDriverPrivilege Load and unload device drivers
+ SeSystemProfilePrivilege Profile system performance
+ SeSystemtimePrivilege Change the system time
+SeProfileSingleProcessPrivilege Profile single process
+SeIncreaseBasePriorityPrivilege Increase scheduling priority
+ SeCreatePagefilePrivilege Create a pagefile
+ SeCreatePermanentPrivilege Create permanent shared objects
+ SeBackupPrivilege Back up files and directories
+ SeRestorePrivilege Restore files and directories
+ SeShutdownPrivilege Shut down the system
+ SeDebugPrivilege Debug programs
+ SeAuditPrivilege Generate security audits
+ SeSystemEnvironmentPrivilege Modify firmware environment values
+ SeChangeNotifyPrivilege Bypass traverse checking
+ SeRemoteShutdownPrivilege Force shutdown from a remote system
+ SeUndockPrivilege Remove computer from docking station
+ SeSyncAgentPrivilege Synchronize directory service data
+ SeEnableDelegationPrivilege Enable computer and user accounts to
+ be trusted for delegation
+ SeManageVolumePrivilege Perform volume maintenance tasks
+ SeImpersonatePrivilege Impersonate a client after authentication
+ SeCreateGlobalPrivilege Create global objects
+</pre><p>
+<a class="indexterm" name="id2577601"></a>
+ The Samba Team is implementing only those privileges that are logical and useful in the UNIX/Linux
+ environment. Many of the Windows 200X/XP privileges have no direct equivalence in UNIX.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2577614"></a>The Administrator Domain SID</h2></div></div></div><p>
+<a class="indexterm" name="id2577622"></a>
+<a class="indexterm" name="id2577629"></a>
+<a class="indexterm" name="id2577636"></a>
+<a class="indexterm" name="id2577643"></a>
+<a class="indexterm" name="id2577650"></a>
+Please note that every Windows NT4 and later server requires a domain Administrator account. Samba versions
+commencing with 3.0.11 permit Administrative duties to be performed via assigned rights and privileges
+(see <a href="rights.html" title="Chapter 14. User Rights and Privileges">User Rights and Privileges</a>). An account in the server's passdb backend can
+be set to the well-known RID of the default administrator account. To obtain the domain SID on a Samba domain
+controller, run the following command:
+</p><pre class="screen">
+<code class="prompt">root# </code> net getlocalsid
+SID for domain FOO is: S-1-5-21-4294955119-3368514841-2087710299
+</pre><p>
+<a class="indexterm" name="id2577684"></a>
+You may assign the domain administrator RID to an account using the <span><strong class="command">pdbedit</strong></span>
+command as shown here:
+<a class="indexterm" name="id2577698"></a>
+</p><pre class="screen">
+<code class="prompt">root# </code> pdbedit -U S-1-5-21-4294955119-3368514841-2087710299-500 -u root -r
+</pre><p>
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+<a class="indexterm" name="id2577722"></a>
+<a class="indexterm" name="id2577728"></a>
+<a class="indexterm" name="id2577735"></a>
+<a class="indexterm" name="id2577742"></a>
+The RID 500 is the well known standard value of the default Administrator account. It is the RID
+that confers the rights and privileges that the Administrator account has on a Windows machine
+or domain. Under UNIX/Linux the equivalent is UID=0 (the root account).
+</p></div><p>
+<a class="indexterm" name="id2577757"></a>
+<a class="indexterm" name="id2577764"></a>
+<a class="indexterm" name="id2577771"></a>
+<a class="indexterm" name="id2577778"></a>
+Releases of Samba version 3.0.11 and later make it possible to operate without an Administrator account
+provided equivalent rights and privileges have been established for a Windows user or a Windows
+group account.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2577791"></a>Common Errors</h2></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2577797"></a>What Rights and Privileges Will Permit Windows Client Administration?</h3></div></div></div><p>
+<a class="indexterm" name="id2577806"></a>
+<a class="indexterm" name="id2577813"></a>
+<a class="indexterm" name="id2577819"></a>
+<a class="indexterm" name="id2577826"></a>
+ When a Windows NT4 (or later) client joins a domain, the domain global <code class="literal">Domain Admins</code> group
+ is added to the membership of the local <code class="literal">Administrators</code> group on the client. Any user who is
+ a member of the domain global <code class="literal">Domain Admins</code> group will have administrative rights on the
+ Windows client.
+ </p><p>
+<a class="indexterm" name="id2577859"></a>
+<a class="indexterm" name="id2577866"></a>
+<a class="indexterm" name="id2577873"></a>
+<a class="indexterm" name="id2577880"></a>
+<a class="indexterm" name="id2577887"></a>
+ This is often not the most desirable solution because it means that the user will have administrative
+ rights and privileges on domain servers also. The <code class="literal">Power Users</code> group on Windows client
+ workstations permits local administration of the workstation alone. Any domain global user or domain global
+ group can be added to the membership of the local workstation group <code class="literal">Power Users</code>.
+ </p><p>
+<a class="indexterm" name="id2577915"></a>
+<a class="indexterm" name="id2577922"></a>
+<a class="indexterm" name="id2577929"></a>
+<a class="indexterm" name="id2577936"></a>
+ See <a href="NetCommand.html#nestedgrpmgmgt" title="Nested Group Support">Nested Group Support</a> for an example of how to add domain users
+ and groups to a local group that is on a Windows workstation. The use of the <span><strong class="command">net</strong></span>
+ command permits this to be done from the Samba server.
+ </p><p>
+<a class="indexterm" name="id2577964"></a>
+<a class="indexterm" name="id2577970"></a>
+<a class="indexterm" name="id2577977"></a>
+ Another way this can be done is to log onto the Windows workstation as the user
+ <code class="literal">Administrator</code>, then open a <span><strong class="command">cmd</strong></span> shell, then execute:
+</p><pre class="screen">
+<code class="prompt">C:\> </code> net localgroup administrators /add <strong class="userinput"><code>domain_name\entity</code></strong>
+</pre><p>
+ where <code class="literal">entity</code> is either a domain user or a domain group account name.
+ </p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="idmapper.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="AccessControls.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 13. Identity Mapping (IDMAP) </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 15. File, Directory, and Share Access Controls</td></tr></table></div></body></html>
projects / samba / blobdiff