Categories: Tool of the Week, WLUG

Assigning rights to users with Samba

In a recent Linux Journal article I noticed an interesting piece of information: as of Samba 3.0.11, you can assign rights to users and groups. This eliminates the need to have a Samba account with uid 0 (e.g. root), or to map the Administrator account to local uid 0 (which is practically the same thing). In particular it means that the ‘Administrator’ user, and anyone in the ‘Domain Admins’ group, can be given the right to add machines to the domain. This had been a major source of trouble for me in running a Samba-backed Windows domain.

I’m running Samba 3.0.21c, packaged by samba.org.

file:~# net rpc rights
net rpc rights list [{accounts|privileges} [name|SID]]   View available or assigned privileges
net rpc rights grant                                      Assign privilege[s]
net rpc rights revoke                                     Revoke privilege[s]

Both 'grant' and 'revoke' require a SID and a list of privilege names.
For example

  net rpc rights grant 'VALE\biddle' SePrintOperatorPrivilege SeDiskOperatorPrivilege

would grant the printer admin and disk manager rights to the user 'VALE\biddle'

file:~# net rpc rights list -U root
Password:
SeMachineAccountPrivilege  Add machines to domain
SeTakeOwnershipPrivilege   Take ownership of files or other objects
SeBackupPrivilege          Back up files and directories
SeRestorePrivilege         Restore files and directories
SeRemoteShutdownPrivilege  Force shutdown from a remote system
SePrintOperatorPrivilege   Manage printers
SeAddUsersPrivilege        Add users and groups to the domain
SeDiskOperatorPrivilege    Manage disk shares

file:~# net rpc rights grant Administrator SeMachineAccountPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege SeRemoteShutdownPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege -U root
Password:
Successfully granted rights.

file:~# net rpc rights list Administrator -U root
Password:
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

And now my ‘Administrator’ user can perform any of the tasks tied to those rights. So far I’ve only used this to add machines to the domain, as I’ve not yet worked out how to make Windows hook into Samba’s add-user functionality.
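As an added example (not from the original post, and not Samba's own tooling): a small POSIX shell helper that checks privilege names against the eight Samba lists above and works out which `net rpc rights grant` / `revoke` commands would trim an account from the full set granted above back to just what it needs, here SeMachineAccountPrivilege for joining machines. It assumes `net rpc rights list ACCOUNT` prints one privilege per line, as in the session above, and prints the commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba): a dry-run helper
# that checks privilege names against the eight Samba lists above and works
# out which `net rpc rights grant` / `revoke` commands turn an account's
# current rights into a smaller, desired set.  Assumes `net rpc rights list
# ACCOUNT` prints one privilege per line, as in the session above; the
# commands are printed, not executed, so they can be reviewed first.

KNOWN_PRIVILEGES="SeMachineAccountPrivilege SeTakeOwnershipPrivilege
SeBackupPrivilege SeRestorePrivilege SeRemoteShutdownPrivilege
SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege"

# has_word LIST WORD: succeed if WORD is one of the whitespace-separated LIST.
has_word() {
    case " $(printf '%s ' $1)" in *" $2 "*) return 0 ;; esac
    return 1
}

# check_privileges LIST: fail and name the offender if any entry is not a
# privilege Samba knows (this catches a misspelling such as "...Priviledge"
# before it is sent to the server).
check_privileges() {
    for p in $1; do
        has_word "$KNOWN_PRIVILEGES" "$p" || { echo "unknown privilege: $p" >&2; return 1; }
    done
    return 0
}

# rights_diff ACCOUNT CURRENT DESIRED: print the net commands (add -U yourself)
# that grant what is missing and revoke what is no longer wanted.
rights_diff() {
    account=$1; current=$2; desired=$3
    check_privileges "$desired" || return 1
    grant=""; revoke=""
    for p in $desired; do has_word "$current" "$p" || grant="$grant $p"; done
    for p in $current; do has_word "$desired" "$p" || revoke="$revoke $p"; done
    [ -n "$grant" ]  && printf "net rpc rights grant '%s'%s\n"  "$account" "$grant"
    [ -n "$revoke" ] && printf "net rpc rights revoke '%s'%s\n" "$account" "$revoke"
    return 0
}

# Constructed demo: the Administrator account was given all eight rights above
# but only needs to join machines to the domain.  In practice CURRENT would be
# "$(net rpc rights list Administrator -U root)".
CURRENT="SeMachineAccountPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege
SeRestorePrivilege SeRemoteShutdownPrivilege SePrintOperatorPrivilege
SeAddUsersPrivilege SeDiskOperatorPrivilege"
rights_diff Administrator "$CURRENT" "SeMachineAccountPrivilege"
```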