The user privilege model was introduced in Samba 3.0.11 to alleviate the need to log on as root to perform certain administrative duties, such as joining client machines to a Samba domain or managing printer properties. A user privilege, sometimes called a user right, is the inherent capability to perform certain actions regardless of the access control settings. For example, a printer administrator should be able to manage printer settings irrespective of whether the printerís security descriptor allows his user account administrative access. Currently Samba supports eight different privileges, which are described in Table 5-15, along with references to the chapter that fully covers each one.
Table 5-15. Samba user privileges
Add, modify, and delete users, as well as group membership (Chapter 9).
Not currently used.
Create, modify, and remove file shares, as well as modify share ACLs (Chapter 9).
Create, modify, and remove printers, print drivers, and forms (Chapter 7).
Add and remove client machines from a Samba domain (Chapter 9).
Issues requests to initiate and abort a shutdown of the Samba server (Chapter 9).
Set the ownership of a file or directory to an arbitrary user (Chapter 6).
Take possession of a file or directory (Chapter 6).
The first thing that must be done to take advantage of this administration delegation model is to enable the feature in smb.conf:
[global] enable privileges = yes
Table 5-16 provides a short description of the enable privileges parameter, as well as its current default value.
Table 5-16. User-privilege-related parameters
Controls whether smbd supports the assignment and honoring of user rights assignments.
Once this feature is enabled, the primary means of managing privilege assignments on a Samba server is the rpc rights subcommand of the net utility.
It is possible to manipulate user rights assignments with the Windows NT 4.0 User Manager for Domains utility, but only when run from a Windows NT 4.0 client. This specific functionality in usrmgr.exe does not work correctly when run from a Windows 2000 or later client, due to a bug in the application.