In a recent Linux Journal article I noticed an interesting piece of information: as of Samba 3.0.11, you can assign rights to users and groups. This eliminates the need to have samba account with the uid of 0 (eg, root), or mapping the Administrator to local uid 0 (which is practically the same thing). In particular it means that the ‘Administrator’ user, and anyone in the ‘Domain Admins’ group, can be given rights to add machines to the domain. This was a major part of a Samba backed windows domain that troubled me.<\/p>\n
I’m running Samba 3.0.21c, packaged by samba.org.<\/p>\n
Both ‘grant’ and ‘revoke’ require a SID and a list of privilege names. net rpc rights grant ‘VALE\\biddle’ SePrintOperatorPrivilege SeDiskOperatorPrivilege<\/p>\n would grant the printer admin and disk manager rights to the user ‘VALE\\biddle<\/p>\n And now my ‘Administrator’ user can perform any of the tasks related to those rights. I’ve only used this to add machines to the domain so far, as I’ve not worked out how to make Windows tie into the samba add user functionality.
\nfile:~# net rpc rights
\nnet rpc rights list [{accounts|privileges} [name|SID]] View available or assigned privileges
\nnet rpc rights grant Assign privilege[s]
\nnet rpc rights revoke Revoke privilege[s]<\/code><\/p>\n
\nFor example<\/p>\n
\nfile:~# net rpc rights list -U root
\nPassword:
\nSeMachineAccountPrivilege Add machines to domain
\nSeTakeOwnershipPrivilege Take ownership of files or other objects
\nSeBackupPrivilege Back up files and directories
\nSeRestorePrivilege Restore files and directories
\nSeRemoteShutdownPrivilege Force shutdown from a remote system
\nSePrintOperatorPrivilege Manage printers
\nSeAddUsersPrivilege Add users and groups to the domain
\nSeDiskOperatorPrivilege Manage disk shares<\/code><\/p>\n
\nfile:~# net rpc rights grant Administrator SeMachineAccountPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege SeRemoteShutdownPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPriviledge -U root
\nPassword:
\nSuccessfully granted rights.
\n<\/code><\/p>\n
\nfile:~# net rpc rights list Administrator -U root
\nPassword:
\nSeMachineAccountPrivilege
\nSeTakeOwnershipPrivilege
\nSeBackupPrivilege
\nSeRestorePrivilege
\nSeRemoteShutdownPrivilege
\nSePrintOperatorPrivilege
\nSeAddUsersPrivilege
\nSeDiskOperatorPrivilege
\n<\/code><\/p>\n
\nResources:<\/p>\n