5.4. User Privilege Management
The user privilege model was introduced in Samba 3.0.11 to alleviate the need to log on as root to perform certain administrative duties, such as joining client machines to a Samba domain or managing printer properties. A user privilege, sometimes called a user right, is the inherent capability to perform certain actions regardless of the access control settings. For example, a printer administrator should be able to manage printer settings irrespective of whether the printer's security descriptor allows his user account administrative access. Currently Samba supports eight different privileges, which are described in Table 5-15, along with references to the chapter that fully covers each one.
The first thing that must be done to take advantage of this administration delegation model is to enable the feature in smb.conf:
[global] enable privileges = yes
Table 5-16 provides a short description of the enable privileges parameter, as well as its current default value.
Once this feature is enabled, the primary means of managing privilege assignments on a Samba server is the rpc rights subcommand of the net utility.
5.4.1. The net Tool
The net tool began as a variation of the net.exe command on Windows. The motivation was to be able to perform simple remote administration tasks, such as adding a user or enumerating the open files on a server. To that end, the tool initially supported three main subcommands: RAP, RPC, and ADS. Each of these network commands has a myriad of additional subcommands. This list has grown to include nonnetwork related activities, as is the case with the groupmap subcommand. Chapter 11 expands on the net command, as we examine some simple scripts that make use of Samba tools. All three of these remote administration protocols share a set of common command-line arguments specifying the server and connection credentials.
When using the commands, first ensure that Samba is running, because the net rpc commands make use of the network to communicate rather than directly accessing any local configuration files.
You can anonymously enumerate the available user privileges on a server by running:
$ net -S localhost -U% rpc rights list SeMachineAccountPrivilege Add machines to domain SeTakeOwnershipPrivilege Take ownership of files or other objects <remaining output deleted>
The -S option specifies the server to query and the -U option specifies the username to use when making the connection. Like most Samba tools, these tools let you specify the full connection credentials in the -U option: a username followed by a % character and then the password. In this example, both the username and password are left empty.
It may be necessary in some circumstances, such as connecting to a server belonging to Active Directory, to define the domain for a username as well. This can be accomplished using the -W command-line flag. The following example connects to a server as the user AD\Administrator. If no % character is found in the username, net and other Samba client tools prompt for a password.
$ net -S localhost -U Administrator -W AD rpc rights list Password: <enter password>
Once you are able to successfully enumerate available privileges, it is time to grant specific privileges to users. The capability to manage user rights assignments is implicitly granted to the root user. It is also implicitly granted to members of the Domain Admins group if the server is participating in a domain either as a domain controller or a member server. For now, this example relies on the presence of a root account that can connect to the server.
In this example, assume that there is a Unix user named lizard and that the server's name is RAIN. We can grant this user the SeDiskOperatorPrivilege by running:
$ net -S localhost -U root -W RAIN rpc rights \ grant 'RAIN\lizard' SeDiskOperatorPrivilege Password: <enter password for root> Successfully granted rights.
Privileges can be assigned to any name that can be resolved to a SID. This means that the account being granted a right need not be a local user or group. In fact, a common configuration is grant domain groups certain rights on the Samba host in order to leverage the existing domain infrastructure rather than duplicating it locally. (Future chapters expand on this idea.)
It is possible to view specific privilege assignments by using a variant of the net rpc rights list that was discussed earlier. The following command enumerates all accounts stored in Samba's privilege database (account_policy.tdb) and any rights associated with that user or group:
$ net -S localhost -U% rpc rights list accounts BUILTIN\Print Operators No privileges assigned .... RAIN\lizard SeDiskOperatorPrivilege
This command lists all users and groups stored in Samba's privilege database. If you prefer to list only the rights assigned to a specific name, you can alternatively run this command:
$ net -S localhost -U% rpc rights list accounts 'RAIN\lizard' SeDiskOperatorPrivilege
Or, if you wish to find all owners of a particular privilege, run:
$ net -S localhost -U% rpc rights list privileges SeDiskOperatorPrivilege SeDiskOperatorPrivilege: RAIN\lizard
At times it is necessary to remove a privilege assignment from a user or group. The net rpc rights revoke command performs the inverse function to the grant subcommand. Here the SeDiskOperatorPrivilege previously assigned to lizard is removed:
$ net -S localhost -U root -W RAIN rpc rights revoke 'RAIN\lizard' \ SeDiskOperatorPrivilege Password: <enter password for root> Successfully revoked rights.
In all of these examples, it is possible to list multiple privilege names when listing, granting, or revoking rights. Table 5-17 collects the various options to the net rpc rights command covered in this section.