User Privilege Management - Administration

In this conclusion to a four-part series that covers authentication and authorization in Samba, you will learn about group mapping, user privilege management, and more. This article is excerpted from chapter five of Using Samba, Third Edition, written by Gerald Carter, Jay Ts and Robert Eckstein (O'Reilly, 2007; ISBN: 0596007698). Copyright © 2007 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

TABLE OF CONTENTS:

By: O'Reilly Media

Poor Best

Rating:

/ 5

February 28, 2008

print this article

SEARCH DEV SHED

TOOLS YOU CAN USE

The user privilege model was introduced in Samba 3.0.11 to alleviate the need to log on as root to perform certain administrative duties, such as joining client machines to a Samba domain or managing printer properties. A user privilege, sometimes called a user right, is the inherent capability to perform certain actions regardless of the access control settings. For example, a printer administrator should be able to manage printer settings irrespective of whether the printer’s security descriptor allows his user account administrative access. Currently Samba supports eight different privileges, which are described in Table 5-15, along with references to the chapter that fully covers each one.

*Table 5-15. Samba user privileges*
Privilege	Description
SeAddUsersPrivilege	Add, modify, and delete users, as well as group membership (Chapter 9).
SeBackupPrivilege	Not currently used.
SeDiskOperatorPrivilege	Create, modify, and remove file shares, as well as modify share ACLs (Chapter 9).
SePrintOperatorPrivilege	Create, modify, and remove printers, print drivers, and forms (Chapter 7).
SeMachineAccountPrivilege	Add and remove client machines from a Samba domain (Chapter 9).
SeRemoteShutdownPrivilege	Issues requests to initiate and abort a shutdown of the Samba server (Chapter 9).
SeRestorePrivilege	Set the ownership of a file or directory to an arbitrary user (Chapter 6).
SeTakeOwnershipPrivilege	Take possession of a file or directory (Chapter 6).

The first thing that must be done to take advantage of this administration delegation model is to enable the feature in smb.conf:

[global]
enable privileges = yes

Table 5-16 provides a short description of the enable privileges parameter, as well as its current default value.

Table 5-16. User-privilege-related parameters

Parameter	Value	Description	Default	Scope
enable privileges	boolean	Controls whether smbd supports the assignment and honoring of user rights assignments.	no a	Global

Once this feature is enabled, the primary means of managing privilege assignments on a Samba server is the rpc rights subcommand of the net utility.

It is possible to manipulate user rights assignments with the Windows NT 4.0 User Manager for Domains utility, but only when run from a Windows NT 4.0 client. This specific functionality in usrmgr.exe does not work correctly when run from a Windows 2000 or later client, due to a bug in the application.

Next: The net Tool >>