The net Tool - Administration

The net tool began as a variation of the net.exe command on Windows. The motivation was to be able to perform simple remote administration tasks, such as adding a user or enumerating the open files on a server. To that end, the tool initially supported three main subcommands: RAP, RPC, and ADS. Each of these network commands has a myriad of additional subcommands. This list has grown to include nonnetwork related activities, as is the case with the groupmap subcommand. Chapter 11 expands on the net command, as we examine some simple scripts that make use of Samba tools. All three of these remote administration protocols share a set of common command-line arguments specifying the server and connection credentials.

When using the commands, first ensure that Samba is running, because the net rpc commands make use of the network to communicate rather than directly accessing any local configuration files.

You can anonymously enumerate the available user privileges on a server by running:

  $ net -S localhost -U% rpc rights list
  SeMachineAccountPrivilege  Add machines to domain
   SeTakeOwnershipPrivilege  Take ownership of files or other objects
  <remaining output deleted>

The -S option specifies the server to query and the -U option specifies the username to use when making the connection. Like most Samba tools, these tools let you specify the full connection credentials in the -U option: a username followed by a % character and then the password. In this example, both the username and password are left empty.

It may be necessary in some circumstances, such as connecting to a server belonging to Active Directory, to define the domain for a username as well. This can be accom plished using the -W command-line flag. The following example connects to a server as the user AD\Administrator. If no % character is found in the username, net and other Samba client tools prompt for a password.

  $ net -S localhost -U Administrator -W AD rpc rights list
  Password: <enter password>

Once you are able to successfully enumerate available privileges, it is time to grant specific privileges to users. The capability to manage user rights assignments is implicitly granted to the root user. It is also implicitly granted to members of the Domain Admins group if the server is participating in a domain either as a domain controller or a member server. For now, this example relies on the presence of a root account that can connect to the server.

In this example, assume that there is a Unix user named lizard and that the server’s name is RAIN. We can grant this user the SeDiskOperatorPrivilege by running:

  $ net -S localhost -U root -W RAIN rpc rights \
        grant 'RAIN\lizard' SeDiskOperatorPrivilege
  Password: <enter password for root>  
  Successfully granted rights.

If you receive an error indicating that the named privilege does not exist, ensure that you have spelled the privilege name correctly and that enable privileges = yes is correctly specified in smb.conf.

Privileges can be assigned to any name that can be resolved to a SID. This means that the account being granted a right need not be a local user or group. In fact, a com mon configuration is grant domain groups certain rights on the Samba host in order to leverage the existing domain infrastructure rather than duplicating it locally. (Future chapters expand on this idea.)

It is possible to view specific privilege assignments by using a variant of the net rpc rights list that was discussed earlier. The following command enumerates all accounts stored in Samba’s privilege database (account_policy.tdb) and any rights associated with that user or group:

  $ net -S localhost -U% rpc rights list accounts
  BUILTIN\Print Operators
  No privileges assigned
  ....
  RAIN\lizard
  SeDiskOperatorPrivilege

This command lists all users and groups stored in Samba’s privilege database. If you prefer to list only the rights assigned to a specific name, you can alternatively run this command:

  $ net -S localhost -U% rpc rights list accounts 'RAIN\lizard' 
  SeDiskOperatorPrivilege

Or, if you wish to find all owners of a particular privilege, run:

  $ net -S localhost -U% rpc rights list privileges 
SeDiskOperatorPrivilege
  SeDiskOperatorPrivilege:
    RAIN\lizard

At times it is necessary to remove a privilege assignment from a user or group. The net rpc rights revoke command performs the inverse function to the grant subcom mand. Here the SeDiskOperatorPrivilege previously assigned to lizard is removed:

  $ net -S localhost -U root -W RAIN rpc rights revoke 'RAIN\lizard' \
  SeDiskOperatorPrivilege
  Password: <enter password for root>
  Successfully revoked rights.

In all of these examples, it is possible to list multiple privilege names when listing, granting, or revoking rights. Table 5-17 collects the various options to the net rpc rights command covered in this section.

Table 5-17. net rpc rights commands