User Privilege Management - Administration

In this conclusion to a four-part series that covers authentication and authorization in Samba, you will learn about group mapping, user privilege management, and more. This article is excerpted from chapter five of Using Samba, Third Edition, written by Gerald Carter, Jay Ts and Robert Eckstein (O'Reilly, 2007; ISBN: 0596007698). Copyright © 2007 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

By: O'Reilly Media
February 28, 2008




The user privilege model was introduced in Samba 3.0.11 to alleviate the need to log on as root to perform certain administrative duties, such as joining client machines to a Samba domain or managing printer properties. A user privilege, sometimes called a user right, is the inherent capability to perform certain actions regardless of the access control settings. For example, a printer administrator should be able to manage printer settings irrespective of whether the printer's security descriptor allows his user account administrative access. Currently, Samba supports eight different privileges, which are described in Table 5-15, along with references to the chapter that fully covers each one.

Table 5-15. Samba user privileges

| Privilege | Description |
|---|---|
| SeAddUsersPrivilege | Add, modify, and delete users, as well as group membership (Chapter 9). |
| SeBackupPrivilege | Not currently used. |
| SeDiskOperatorPrivilege | Create, modify, and remove file shares, as well as modify share ACLs (Chapter 9). |
| SePrintOperatorPrivilege | Create, modify, and remove printers, print drivers, and forms (Chapter 7). |
| SeMachineAccountPrivilege | Add and remove client machines from a Samba domain (Chapter 9). |
| SeRemoteShutdownPrivilege | Issues requests to initiate and abort a shutdown of the Samba server (Chapter 9). |
| SeRestorePrivilege | Set the ownership of a file or directory to an arbitrary user (Chapter 6). |
| SeTakeOwnershipPrivilege | Take possession of a file or directory (Chapter 6). |

The first thing that must be done to take advantage of this administration delegation model is to enable the feature in smb.conf:

      enable privileges = yes

Table 5-16 provides a short description of the enable privileges parameter, as well as its current default value.

Table 5-16. User-privilege-related parameters

| Parameter | Value | Description | Default | Scope |
|---|---|---|---|---|
| enable privileges | boolean | Controls whether smbd supports the assignment and honoring of user rights assignments. | no | Global |

Once this feature is enabled, the primary means of managing privilege assignments on a Samba server is the rpc rights subcommand of the net utility.

It is possible to manipulate user rights assignments with the Windows NT 4.0 User Manager for Domains utility, but only when run from a Windows NT 4.0 client. This specific functionality in usrmgr.exe does not work correctly when run from a Windows 2000 or later client, due to a bug in the application.
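Once rights are delegated, it is worth checking periodically that the assignments still match what was intended. The following Python code is an added example, not taken from the book or from the Samba project: it parses a rights listing in the layout assumed for `net rpc rights list accounts` and reports drift from a policy. The sample listing, the EXAMPLE domain accounts, and the EXPECTED policy are all constructed for illustration.

```python
import re

# Privilege names follow the pattern of the entries in Table 5-15.
PRIVILEGE_RE = re.compile(r"^Se[A-Za-z]+Privilege$")

# Constructed sample, not real output. Assumed layout: an account name, then one
# privilege per line (or "No privileges assigned"), blank line between accounts.
SAMPLE_LISTING = r"""
BUILTIN\Print Operators
No privileges assigned

EXAMPLE\Domain Admins
SeAddUsersPrivilege
SeMachineAccountPrivilege

EXAMPLE\helpdesk
SeMachineAccountPrivilege
SeRestorePrivilege
"""

# Hypothetical site policy: the rights each account is supposed to hold.
EXPECTED = {
    r"EXAMPLE\Domain Admins": {"SeAddUsersPrivilege", "SeMachineAccountPrivilege"},
    r"EXAMPLE\helpdesk": {"SeMachineAccountPrivilege"},
    r"EXAMPLE\prtadmin": {"SePrintOperatorPrivilege"},
}

def parse_rights(listing):
    """Return {casefolded account name: set of privilege names}."""
    rights, account = {}, None
    for line in map(str.strip, listing.splitlines()):
        if not line:
            account = None                     # a blank line ends an account block
        elif account is None:
            account = line.casefold()          # compare account names case-insensitively
            rights.setdefault(account, set())
        elif PRIVILEGE_RE.match(line):         # skips "No privileges assigned"
            rights[account].add(line)
    return rights

def audit(actual, expected):
    """Return (kind, account, privilege) tuples where assignments differ from policy."""
    want = {acct.casefold(): privs for acct, privs in expected.items()}
    findings = []
    for acct in sorted(set(actual) | set(want)):
        have, need = actual.get(acct, set()), want.get(acct, set())
        findings += [("unexpected", acct, p) for p in sorted(have - need)]
        findings += [("missing", acct, p) for p in sorted(need - have)]
    return findings
```

An "unexpected" finding marks a right that was granted outside the policy and should be reviewed or revoked; a "missing" finding marks a delegation that was planned but never applied.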
