+++ /dev/null
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
-<chapter id="rights">
-<chapterinfo>
- &author.jerry;
- &author.jht;
-</chapterinfo>
-
-<title>User Rights and Privileges</title>
-
-<para>
-<indexterm><primary>Windows user</primary></indexterm>
-<indexterm><primary>Windows group</primary></indexterm>
-<indexterm><primary>machine accounts</primary></indexterm>
-<indexterm><primary>ADS</primary></indexterm>
-The administration of Windows user, group, and machine accounts in the Samba
-domain-controlled network necessitates interfacing between the MS Windows
-networking environment and the UNIX operating system environment. The right
-(permission) to add machines to the Windows security domain can be assigned
-(set) to non-administrative users both in Windows NT4 domains and
-Active Directory domains.
-</para>
-
-<para>
-<indexterm><primary>Windows NT4/2kX/XPPro</primary></indexterm>
-<indexterm><primary>machine account</primary></indexterm>
-<indexterm><primary>trusted</primary></indexterm>
-<indexterm><primary>user logons</primary></indexterm>
-The addition of Windows NT4/2kX/XPPro machines to the domain necessitates the
-creation of a machine account for each machine added. The machine account is
-a necessity that is used to validate that the machine can be trusted to permit
-user logons.
-</para>
-
-<para>
-<indexterm><primary>user accounts</primary></indexterm>
-<indexterm><primary>special account</primary></indexterm>
-<indexterm><primary>account name</primary></indexterm>
-<indexterm><primary>/bin/false</primary></indexterm>
-<indexterm><primary>/dev/null</primary></indexterm>
-<indexterm><primary>man-in-the-middle</primary></indexterm>
-Machine accounts are analogous to user accounts, and thus in implementing them on a UNIX machine that is
-hosting Samba (i.e., on which Samba is running), it is necessary to create a special type of user account.
-Machine accounts differ from normal user accounts in that the account name (login ID) is terminated with a
-<literal>$</literal> sign. An additional difference is that this type of account should not ever be able to
-log into the UNIX environment as a system user and therefore is set to have a shell of
-<command>/bin/false</command> and a home directory of <command>/dev/null.</command> The machine
-account is used only to authenticate domain member machines during start-up. This security measure
-is designed to block man-in-the-middle attempts to violate network integrity.
-</para>
-
-<note><para>
-<indexterm><primary>computer accounts</primary></indexterm>
-<indexterm><primary>domain member servers</primary></indexterm>
-<indexterm><primary>domain controller</primary></indexterm>
-<indexterm><primary>credentials</primary></indexterm>
-<indexterm><primary>secure authentication</primary></indexterm>
-Machine (computer) accounts are used in the Windows NT OS family to store security
-credentials for domain member servers and workstations. When the domain member
-starts up, it goes through a validation process that includes an exchange of
-credentials with a domain controller. If the domain member fails to authenticate
-using the credentials known for it by domain controllers, the machine will be refused
-all access by domain users. The computer account is essential to the way that MS
-Windows secures authentication.
-</para></note>
-
-<para>
-<indexterm><primary>UNIX system accounts</primary></indexterm>
-<indexterm><primary>system administrator</primary></indexterm>
-<indexterm><primary>root</primary></indexterm>
-<indexterm><primary>UID</primary></indexterm>
-The creation of UNIX system accounts has traditionally been the sole right of
-the system administrator, better known as the <constant>root</constant> account.
-It is possible in the UNIX environment to create multiple users who have the
-same UID. Any UNIX user who has a UID=0 is inherently the same as the
-<constant>root</constant> account user.
-</para>
-
-<para>
-<indexterm><primary>system interface scripts</primary></indexterm>
-<indexterm><primary>CIFS function calls</primary></indexterm>
-<indexterm><primary>root account</primary></indexterm>
-<indexterm><primary>UNIX host system</primary></indexterm>
-All versions of Samba call system interface scripts that permit CIFS function
-calls that are used to manage users, groups, and machine accounts
-in the UNIX environment. All versions of Samba up to and including version 3.0.10
-required the use of a Windows administrator account that unambiguously maps to
-the UNIX <constant>root</constant> account to permit the execution of these
-interface scripts. The requirement to do this has understandably met with some
-disdain and consternation among Samba administrators, particularly where it became
-necessary to permit people who should not possess <constant>root</constant>-level
-access to the UNIX host system.
-</para>
-
-<sect1>
-<title>Rights Management Capabilities</title>
-
-<para>
-<indexterm><primary>Windows privilege model</primary></indexterm>
-<indexterm><primary>privilege model</primary></indexterm>
-<indexterm><primary>rights assigned</primary></indexterm>
-<indexterm><primary>SID</primary></indexterm>
-Samba 3.0.11 introduced support for the Windows privilege model. This model
-allows certain rights to be assigned to a user or group SID. In order to enable
-this feature, <smbconfoption name="enable privileges">yes</smbconfoption>
-must be defined in the <smbconfsection name="global"/> section of the &smb.conf; file.
-</para>
-
-<para>
-<indexterm><primary>rights</primary></indexterm>
-<indexterm><primary>privileges</primary></indexterm>
-<indexterm><primary>manage privileges</primary></indexterm>
-Currently, the rights supported in Samba are listed in <link linkend="rp-privs"/>.
-The remainder of this chapter explains how to manage and use these privileges on Samba servers.
-</para>
-
-<indexterm><primary>SeMachineAccountPrivilege</primary></indexterm>
-<indexterm><primary>SePrintOperatorPrivilege</primary></indexterm>
-<indexterm><primary>SeAddUsersPrivilege</primary></indexterm>
-<indexterm><primary>SeRemoteShutdownPrivilege</primary></indexterm>
-<indexterm><primary>SeDiskOperatorPrivilege</primary></indexterm>
-<indexterm><primary>SeTakeOwnershipPrivilege</primary></indexterm>
-<table id="rp-privs">
- <title>Current Privilege Capabilities</title>
- <tgroup cols="2">
- <colspec align="right"/>
- <colspec align="left"/>
- <thead>
- <row>
- <entry align="left">Privilege</entry>
- <entry align="left">Description</entry>
- </row>
- </thead>
- <tbody>
- <row>
- <entry><para>SeMachineAccountPrivilege</para></entry>
- <entry><para>Add machines to domain</para></entry>
- </row>
- <row>
- <entry><para>SePrintOperatorPrivilege</para></entry>
- <entry><para>Manage printers</para></entry>
- </row>
- <row>
- <entry><para>SeAddUsersPrivilege</para></entry>
- <entry><para>Add users and groups to the domain</para></entry>
- </row>
- <row>
- <entry><para>SeRemoteShutdownPrivilege</para></entry>
- <entry><para>Force shutdown from a remote system</para></entry>
- </row>
- <row>
- <entry><para>SeDiskOperatorPrivilege</para></entry>
- <entry><para>Manage disk share</para></entry>
- </row>
-<!-- These are not used at this time - so void them from the docs.
- <row>
- <entry><para>SeBackupPrivilege</para></entry>
- <entry><para>Back up files and directories</para></entry>
- </row>
- <row>
- <entry><para>SeRestorePrivilege</para></entry>
- <entry><para>Restore files and directories</para></entry>
- </row>
-**** End of commented out section **** -->
- <row>
- <entry><para>SeTakeOwnershipPrivilege</para></entry>
- <entry><para>Take ownership of files or other objects</para></entry>
- </row>
- </tbody>
- </tgroup>
-</table>
-
-<sect2>
-<title>Using the <quote>net rpc rights</quote> Utility</title>
-
-<para>
-<indexterm><primary>managing rights</primary></indexterm>
-<indexterm><primary>rights assigned</primary></indexterm>
-<indexterm><primary>NT4 User Manager for Domains</primary></indexterm>
-<indexterm><primary>command-line utility</primary></indexterm>
-<indexterm><primary>administrative actions</primary></indexterm>
-There are two primary means of managing the rights assigned to users and groups
-on a Samba server. The <command>NT4 User Manager for Domains</command> may be
-used from any Windows NT4, 2000, or XP Professional domain member client to
-connect to a Samba domain controller and view/modify the rights assignments.
-This application, however, appears to have bugs when run on a client running
-Windows 2000 or later; therefore, Samba provides a command-line utility for
-performing the necessary administrative actions.
-</para>
-
-<para>
-The <command>net rpc rights</command> utility in Samba 3.0.11 has three new subcommands:
-</para>
-
-<variablelist>
- <varlistentry><term>list [name|accounts]</term>
- <listitem><para>
-<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>list</tertiary></indexterm>
-<indexterm><primary>available rights</primary></indexterm>
-<indexterm><primary>privileges assigned</primary></indexterm>
-<indexterm><primary>privileged accounts</primary></indexterm>
- When called with no arguments, <command>net rpc list</command>
- simply lists the available rights on the server. When passed
- a specific user or group name, the tool lists the privileges
- currently assigned to the specified account. When invoked using
- the special string <constant>accounts</constant>,
- <command>net rpc rights list</command> returns a list of all
- privileged accounts on the server and the assigned rights.
- </para></listitem>
- </varlistentry>
-
- <varlistentry><term>grant <user> <right [right ...]></term>
- <listitem><para>
-<indexterm><primary>assign rights</primary></indexterm>
-<indexterm><primary>grant rights</primary></indexterm>
-<indexterm><primary>add client machines</primary></indexterm>
-<indexterm><primary>user or group</primary></indexterm>
- When called with no arguments, this function is used to assign
- a list of rights to a specified user or group. For example,
- to grant the members of the Domain Admins group on a Samba domain controller,
- the capability to add client machines to the domain, one would run:
-<screen>
-&rootprompt; net -S server -U domadmin rpc rights grant \
- 'DOMAIN\Domain Admins' SeMachineAccountPrivilege
-</screen>
- The following syntax has the same result:
-<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>rights grant</tertiary></indexterm>
-<screen>
-&rootprompt; net rpc rights grant 'DOMAIN\Domain Admins' \
- SeMachineAccountPrivilege -S server -U domadmin
-</screen>
- More than one privilege can be assigned by specifying a
- list of rights separated by spaces. The parameter 'Domain\Domain Admins'
- must be quoted with single ticks or using double-quotes to prevent
- the backslash and the space from being interpreted by the system shell.
- </para></listitem>
- </varlistentry>
-
- <varlistentry><term>revoke <user> <right [right ...]></term>
- <listitem><para>
- This command is similar in format to <command>net rpc rights grant</command>. Its
- effect is to remove an assigned right (or list of rights) from a user or group.
- </para></listitem>
- </varlistentry>
-
-</variablelist>
-
-<note><para>
-<indexterm><primary>member</primary></indexterm>
-<indexterm><primary>Domain Admins</primary></indexterm>
-<indexterm><primary>revoke privileges</primary></indexterm>
-You must be connected as a member of the Domain Admins group to be able to grant or revoke privileges assigned
-to an account. This capability is inherent to the Domain Admins group and is not configurable. There are no
-default rights and privileges, except the ability for a member of the Domain Admins group to assign them.
-This means that all administrative rights and privileges (other than the ability to assign them) must be
-explicitly assigned, even for the Domain Admins group.
-</para></note>
-
-<para>
-<indexterm><primary>performed as root</primary></indexterm>
-<indexterm><primary>necessary rights</primary></indexterm>
-<indexterm><primary>add machine script</primary></indexterm>
-<indexterm><primary></primary></indexterm>
-By default, no privileges are initially assigned to any account because certain actions will be performed as
-root once smbd determines that a user has the necessary rights. For example, when joining a client to a
-Windows domain, <parameter>add machine script</parameter> must be executed with superuser rights in most
-cases. For this reason, you should be very careful about handing out privileges to accounts.
-</para>
-
-<para>
-<indexterm><primary>Access</primary></indexterm>
-<indexterm><primary>root user</primary></indexterm>
-<indexterm><primary>bypasses privilege</primary></indexterm>
-Access as the root user (UID=0) bypasses all privilege checks.
-</para>
-
-</sect2>
-
-<sect2>
-<title>Description of Privileges</title>
-
-<para>
-<indexterm><primary>privileges</primary></indexterm>
-<indexterm><primary>additional privileges</primary></indexterm>
-<indexterm><primary>house-keeping</primary></indexterm>
-The privileges that have been implemented in Samba-3.0.11 are shown below. It is possible, and likely, that
-additional privileges may be implemented in later releases of Samba. It is also likely that any privileges
-currently implemented but not used may be removed from future releases as a housekeeping matter, so it is
-important that the successful as well as unsuccessful use of these facilities should be reported on the Samba
-mailing lists.
-</para>
-
-<variablelist>
- <varlistentry><term>SeAddUsersPrivilege</term>
- <listitem><para>
-<indexterm><primary>SeAddUsersPrivilege</primary></indexterm>
-<indexterm><primary>smbd</primary></indexterm>
-<indexterm><primary>net rpc user add</primary></indexterm>
- This right determines whether or not smbd will allow the
- user to create new user or group accounts via such tools
- as <command>net rpc user add</command> or
- <command>NT4 User Manager for Domains.</command>
- </para></listitem>
- </varlistentry>
-
- <varlistentry><term>SeDiskOperatorPrivilege</term>
- <listitem><para>
-<indexterm><primary>SeDiskOperatorPrivilege</primary></indexterm>
-<indexterm><primary>add/delete/change share</primary></indexterm>
-<indexterm><primary>ACL</primary></indexterm>
- Accounts that possess this right will be able to execute
- scripts defined by the <command>add/delete/change</command>
- share command in &smb.conf; file as root. Such users will
- also be able to modify the ACL associated with file shares
- on the Samba server.
- </para></listitem>
- </varlistentry>
-
- <varlistentry><term>SeMachineAccountPrivilege</term>
- <listitem><para>
-<indexterm><primary>SeMachineAccountPrivilege</primary></indexterm>
-<indexterm><primary>right to join domain</primary></indexterm>
-<indexterm><primary>join client</primary></indexterm>
- This right controls whether or not the user can join client
- machines to a Samba-controlled domain.
- </para></listitem>
- </varlistentry>
-
- <varlistentry><term>SePrintOperatorPrivilege</term>
- <listitem><para>
-<indexterm><primary>SePrintOperatorPrivilege</primary></indexterm>
-<indexterm><primary>privilege</primary></indexterm>
-<indexterm><primary>global right</primary></indexterm>
-<indexterm><primary>administrative rights</primary></indexterm>
-<indexterm><primary>printers admin</primary></indexterm>
- Administrative rights to printers are only controlled exclusively
- by this right and the security descriptor associated with the
- printer object in the registry.
- </para></listitem>
- </varlistentry>
-
- <varlistentry><term>SeRemoteShutdownPrivilege</term>
- <listitem><para>
-<indexterm><primary>SeRemoteShutdownPrivilege</primary></indexterm>
-<indexterm><primary>rebooting server</primary></indexterm>
-<indexterm><primary>aborting shutdown</primary></indexterm>
- Samba provides two hooks for shutting down or rebooting
- the server and for aborting a previously issued shutdown
- command. Since this is an operation normally limited by
- the operating system to the root user, an account must possess this
- right to be able to execute either of these hooks.
- </para></listitem>
- </varlistentry>
-
- <varlistentry><term>SeTakeOwnershipPrivilege</term>
- <listitem><para>
-<indexterm><primary>SeTakeOwnershipPrivilege</primary></indexterm>
-<indexterm><primary>take ownership</primary></indexterm>
- This right permits users to take ownership of files and directories.
- </para></listitem>
- </varlistentry>
-
-</variablelist>
-
-</sect2>
-
-<sect2>
-<title>Privileges Supported by Windows 2000 Domain Controllers</title>
-
-<para>
- For reference purposes, a Windows NT4 Primary Domain Controller reports support for the following
- privileges:
-<indexterm><primary>SeCreateTokenPrivilege</primary></indexterm>
-<indexterm><primary>SeAssignPrimaryTokenPrivilege</primary></indexterm>
-<indexterm><primary>SeLockMemoryPrivilege</primary></indexterm>
-<indexterm><primary>SeIncreaseQuotaPrivilege</primary></indexterm>
-<indexterm><primary>SeMachineAccountPrivilege</primary></indexterm>
-<indexterm><primary>SeTcbPrivilege</primary></indexterm>
-<indexterm><primary>SeSecurityPrivilege</primary></indexterm>
-<indexterm><primary>SeTakeOwnershipPrivilege</primary></indexterm>
-<indexterm><primary>SeLoadDriverPrivilege</primary></indexterm>
-<indexterm><primary>SeSystemProfilePrivilege</primary></indexterm>
-<indexterm><primary>SeSystemtimePrivilege</primary></indexterm>
-<indexterm><primary>SeProfileSingleProcessPrivilege</primary></indexterm>
-<indexterm><primary>SeIncreaseBasePriorityPrivilege</primary></indexterm>
-<indexterm><primary>SeCreatePagefilePrivilege</primary></indexterm>
-<indexterm><primary>SeCreatePermanentPrivilege</primary></indexterm>
-<indexterm><primary>SeBackupPrivilege</primary></indexterm>
-<indexterm><primary>SeRestorePrivilege</primary></indexterm>
-<indexterm><primary>SeShutdownPrivilege</primary></indexterm>
-<indexterm><primary>SeDebugPrivilege</primary></indexterm>
-<indexterm><primary>SeAuditPrivilege</primary></indexterm>
-<indexterm><primary>SeSystemEnvironmentPrivilege</primary></indexterm>
-<indexterm><primary>SeChangeNotifyPrivilege</primary></indexterm>
-<indexterm><primary>SeRemoteShutdownPrivilege</primary></indexterm>
-<screen>
- SeCreateTokenPrivilege Create a token object
- SeAssignPrimaryTokenPrivilege Replace a process level token
- SeLockMemoryPrivilege Lock pages in memory
- SeIncreaseQuotaPrivilege Increase quotas
- SeMachineAccountPrivilege Add workstations to domain
- SeTcbPrivilege Act as part of the operating system
- SeSecurityPrivilege Manage auditing and security log
- SeTakeOwnershipPrivilege Take ownership of files or other objects
- SeLoadDriverPrivilege Load and unload device drivers
- SeSystemProfilePrivilege Profile system performance
- SeSystemtimePrivilege Change the system time
-SeProfileSingleProcessPrivilege Profile single process
-SeIncreaseBasePriorityPrivilege Increase scheduling priority
- SeCreatePagefilePrivilege Create a pagefile
- SeCreatePermanentPrivilege Create permanent shared objects
- SeBackupPrivilege Back up files and directories
- SeRestorePrivilege Restore files and directories
- SeShutdownPrivilege Shut down the system
- SeDebugPrivilege Debug programs
- SeAuditPrivilege Generate security audits
- SeSystemEnvironmentPrivilege Modify firmware environment values
- SeChangeNotifyPrivilege Bypass traverse checking
- SeRemoteShutdownPrivilege Force shutdown from a remote system
-</screen>
- And Windows 200x/XP Domain Controllers and workstations reports to support the following privileges:
-<indexterm><primary>SeCreateTokenPrivilege</primary></indexterm>
-<indexterm><primary>SeAssignPrimaryTokenPrivilege</primary></indexterm>
-<indexterm><primary>SeLockMemoryPrivilege</primary></indexterm>
-<indexterm><primary>SeIncreaseQuotaPrivilege</primary></indexterm>
-<indexterm><primary>SeMachineAccountPrivilege</primary></indexterm>
-<indexterm><primary>SeTcbPrivilege</primary></indexterm>
-<indexterm><primary>SeSecurityPrivilege</primary></indexterm>
-<indexterm><primary>SeTakeOwnershipPrivilege</primary></indexterm>
-<indexterm><primary>SeLoadDriverPrivilege</primary></indexterm>
-<indexterm><primary>SeSystemProfilePrivilege</primary></indexterm>
-<indexterm><primary>SeSystemtimePrivilege</primary></indexterm>
-<indexterm><primary>SeProfileSingleProcessPrivilege</primary></indexterm>
-<indexterm><primary>SeIncreaseBasePriorityPrivilege</primary></indexterm>
-<indexterm><primary>SeCreatePagefilePrivilege</primary></indexterm>
-<indexterm><primary>SeCreatePermanentPrivilege</primary></indexterm>
-<indexterm><primary>SeBackupPrivilege</primary></indexterm>
-<indexterm><primary>SeRestorePrivilege</primary></indexterm>
-<indexterm><primary>SeShutdownPrivilege</primary></indexterm>
-<indexterm><primary>SeDebugPrivilege</primary></indexterm>
-<indexterm><primary>SeAuditPrivilege</primary></indexterm>
-<indexterm><primary>SeSystemEnvironmentPrivilege</primary></indexterm>
-<indexterm><primary>SeChangeNotifyPrivilege</primary></indexterm>
-<indexterm><primary>SeRemoteShutdownPrivilege</primary></indexterm>
-<indexterm><primary>SeUndockPrivilege</primary></indexterm>
-<indexterm><primary>SeSyncAgentPrivilege</primary></indexterm>
-<indexterm><primary>SeEnableDelegationPrivilege</primary></indexterm>
-<indexterm><primary>SeManageVolumePrivilege</primary></indexterm>
-<indexterm><primary>SeImpersonatePrivilege</primary></indexterm>
-<indexterm><primary>SeCreateGlobalPrivilege</primary></indexterm>
-<screen>
- SeCreateTokenPrivilege Create a token object
- SeAssignPrimaryTokenPrivilege Replace a process level token
- SeLockMemoryPrivilege Lock pages in memory
- SeIncreaseQuotaPrivilege Increase quotas
- SeMachineAccountPrivilege Add workstations to domain
- SeTcbPrivilege Act as part of the operating system
- SeSecurityPrivilege Manage auditing and security log
- SeTakeOwnershipPrivilege Take ownership of files or other objects
- SeLoadDriverPrivilege Load and unload device drivers
- SeSystemProfilePrivilege Profile system performance
- SeSystemtimePrivilege Change the system time
-SeProfileSingleProcessPrivilege Profile single process
-SeIncreaseBasePriorityPrivilege Increase scheduling priority
- SeCreatePagefilePrivilege Create a pagefile
- SeCreatePermanentPrivilege Create permanent shared objects
- SeBackupPrivilege Back up files and directories
- SeRestorePrivilege Restore files and directories
- SeShutdownPrivilege Shut down the system
- SeDebugPrivilege Debug programs
- SeAuditPrivilege Generate security audits
- SeSystemEnvironmentPrivilege Modify firmware environment values
- SeChangeNotifyPrivilege Bypass traverse checking
- SeRemoteShutdownPrivilege Force shutdown from a remote system
- SeUndockPrivilege Remove computer from docking station
- SeSyncAgentPrivilege Synchronize directory service data
- SeEnableDelegationPrivilege Enable computer and user accounts to
- be trusted for delegation
- SeManageVolumePrivilege Perform volume maintenance tasks
- SeImpersonatePrivilege Impersonate a client after authentication
- SeCreateGlobalPrivilege Create global objects
-</screen>
-<indexterm><primary>equivalence</primary></indexterm>
- The Samba Team is implementing only those privileges that are logical and useful in the UNIX/Linux
- environment. Many of the Windows 200X/XP privileges have no direct equivalence in UNIX.
- </para>
-
-</sect2>
-
-</sect1>
-
-<sect1>
-<title>The Administrator Domain SID</title>
-
-<para>
-<indexterm><primary>domain Administrator</primary></indexterm>
-<indexterm><primary>User Rights and Privileges</primary></indexterm>
-<indexterm><primary>passdb backend</primary></indexterm>
-<indexterm><primary>SID</primary></indexterm>
-<indexterm><primary>net getlocalsid</primary></indexterm>
-Please note that every Windows NT4 and later server requires a domain Administrator account. Samba versions
-commencing with 3.0.11 permit Administrative duties to be performed via assigned rights and privileges
-(see <link linkend="rights">User Rights and Privileges</link>). An account in the server's passdb backend can
-be set to the well-known RID of the default administrator account. To obtain the domain SID on a Samba domain
-controller, run the following command:
-<screen>
-&rootprompt; net getlocalsid
-SID for domain FOO is: S-1-5-21-4294955119-3368514841-2087710299
-</screen>
-<indexterm><primary>RID</primary></indexterm>
-You may assign the domain administrator RID to an account using the <command>pdbedit</command>
-command as shown here:
-<indexterm><primary>pdbedit</primary></indexterm>
-<screen>
-&rootprompt; pdbedit -U S-1-5-21-4294955119-3368514841-2087710299-500 -u root -r
-</screen>
-</para>
-
-<note><para>
-<indexterm><primary>RID 500</primary></indexterm>
-<indexterm><primary>well known RID</primary></indexterm>
-<indexterm><primary>rights and privileges</primary></indexterm>
-<indexterm><primary>root account</primary></indexterm>
-The RID 500 is the well known standard value of the default Administrator account. It is the RID
-that confers the rights and privileges that the Administrator account has on a Windows machine
-or domain. Under UNIX/Linux the equivalent is UID=0 (the root account).
-</para></note>
-
-<para>
-<indexterm><primary>without Administrator account</primary></indexterm>
-<indexterm><primary>equivalent rights and privileges</primary></indexterm>
-<indexterm><primary>Windows group account</primary></indexterm>
-<indexterm><primary>3.0.11</primary></indexterm>
-Releases of Samba version 3.0.11 and later make it possible to operate without an Administrator account
-provided equivalent rights and privileges have been established for a Windows user or a Windows
-group account.
-</para>
-
-</sect1>
-
-<sect1>
-<title>Common Errors</title>
-
- <sect2>
- <title>What Rights and Privileges Will Permit Windows Client Administration?</title>
-
- <para>
-<indexterm><primary>domain global</primary></indexterm>
-<indexterm><primary>local group</primary></indexterm>
-<indexterm><primary>administrative rights</primary></indexterm>
-<indexterm><primary>Windows client</primary></indexterm>
- When a Windows NT4 (or later) client joins a domain, the domain global <literal>Domain Admins</literal> group
- is added to the membership of the local <literal>Administrators</literal> group on the client. Any user who is
- a member of the domain global <literal>Domain Admins</literal> group will have administrative rights on the
- Windows client.
- </para>
-
- <para>
-<indexterm><primary>desirable solution</primary></indexterm>
-<indexterm><primary>administrative rights and privileges</primary></indexterm>
-<indexterm><primary>Power Users</primary></indexterm>
-<indexterm><primary>domain global user</primary></indexterm>
-<indexterm><primary>domain global group</primary></indexterm>
- This is often not the most desirable solution because it means that the user will have administrative
- rights and privileges on domain servers also. The <literal>Power Users</literal> group on Windows client
- workstations permits local administration of the workstation alone. Any domain global user or domain global
- group can be added to the membership of the local workstation group <literal>Power Users</literal>.
- </para>
-
- <para>
-<indexterm><primary>Nested Group Support</primary></indexterm>
-<indexterm><primary>add domain users and groups to a local group</primary></indexterm>
-<indexterm><primary>net</primary></indexterm>
-<indexterm><primary>Windows workstation.</primary></indexterm>
- See <link linkend="nestedgrpmgmgt">Nested Group Support</link> for an example of how to add domain users
- and groups to a local group that is on a Windows workstation. The use of the <command>net</command>
- command permits this to be done from the Samba server.
- </para>
-
- <para>
-<indexterm><primary>cmd</primary></indexterm>
-<indexterm><primary>cmd shell</primary></indexterm>
-<indexterm><primary>net</primary><secondary>localgroup</secondary></indexterm>
- Another way this can be done is to log onto the Windows workstation as the user
- <literal>Administrator</literal>, then open a <command>cmd</command> shell, then execute:
-<screen>
-&dosprompt; net localgroup administrators /add <userinput>domain_name\entity</userinput>
-</screen>
- where <literal>entity</literal> is either a domain user or a domain group account name.
- </para>
-
- </sect2>
-
-</sect1>
-
-</chapter>
git.samba.org / amitay / samba.git / blobdiff