Section 5.4. User Privilege Management

5.4. User Privilege Management

The user privilege model was introduced in Samba 3.0.11 to alleviate the need to log on as root to perform certain administrative duties, such as joining client machines to a Samba domain or managing printer properties. A user privilege, sometimes called a user right, is the inherent capability to perform certain actions regardless of the access control settings. For example, a printer administrator should be able to manage printer settings irrespective of whether the printer's security descriptor allows his user account administrative access. Currently Samba supports eight different privileges, which are described in Table 5-15, along with references to the chapter that fully covers each one.

Table 5-15. Samba user privileges




Add, modify, and delete users, as well as group membership (Chapter 9).


Not currently used.


Create, modify, and remove file shares, as well as modify share ACLs (Chapter 9).


Create, modify, and remove printers, print drivers, and forms (Chapter 7).


Add and remove client machines from a Samba domain (Chapter 9).


Issues requests to initiate and abort a shutdown of the Samba server (Chapter 9).


Set the ownership of a file or directory to an arbitrary user (Chapter 6).


Take possession of a file or directory (Chapter 6).

The first thing that must be done to take advantage of this administration delegation model is to enable the feature in smb.conf:

 [global]     enable privileges = yes 

Table 5-16 provides a short description of the enable privileges parameter, as well as its current default value.

Table 5-16. User-privilege-related parameters






enable privileges


Controls whether smbd supports the assignment and honoring of user rights assignments.




[a] Future versions of Samba will enable this feature by default. Be sure to check the current smb.conf(5) manpage for your version.

Once this feature is enabled, the primary means of managing privilege assignments on a Samba server is the rpc rights subcommand of the net utility.

It is possible to manipulate user rights assignments with the Windows NT 4.0 User Manager for Domains utility, but only when run from a Windows NT 4.0 client. This specific functionality in usrmgr.exe does not work correctly when run from a Windows 2000 or later client, due to a bug in the application.

5.4.1. The net Tool

The net tool began as a variation of the net.exe command on Windows. The motivation was to be able to perform simple remote administration tasks, such as adding a user or enumerating the open files on a server. To that end, the tool initially supported three main subcommands: RAP, RPC, and ADS. Each of these network commands has a myriad of additional subcommands. This list has grown to include nonnetwork related activities, as is the case with the groupmap subcommand. Chapter 11 expands on the net command, as we examine some simple scripts that make use of Samba tools. All three of these remote administration protocols share a set of common command-line arguments specifying the server and connection credentials.

When using the commands, first ensure that Samba is running, because the net rpc commands make use of the network to communicate rather than directly accessing any local configuration files.

You can anonymously enumerate the available user privileges on a server by running:

 $ net -S localhost -U% rpc rights list SeMachineAccountPrivilege  Add machines to domain  SeTakeOwnershipPrivilege  Take ownership of files or other objects <remaining output deleted> 

The -S option specifies the server to query and the -U option specifies the username to use when making the connection. Like most Samba tools, these tools let you specify the full connection credentials in the -U option: a username followed by a % character and then the password. In this example, both the username and password are left empty.

It may be necessary in some circumstances, such as connecting to a server belonging to Active Directory, to define the domain for a username as well. This can be accomplished using the -W command-line flag. The following example connects to a server as the user AD\Administrator. If no % character is found in the username, net and other Samba client tools prompt for a password.

 $ net -S localhost -U Administrator -W AD rpc rights list  Password: <enter password>  

Once you are able to successfully enumerate available privileges, it is time to grant specific privileges to users. The capability to manage user rights assignments is implicitly granted to the root user. It is also implicitly granted to members of the Domain Admins group if the server is participating in a domain either as a domain controller or a member server. For now, this example relies on the presence of a root account that can connect to the server.

In this example, assume that there is a Unix user named lizard and that the server's name is RAIN. We can grant this user the SeDiskOperatorPrivilege by running:

 $ net -S localhost -U root -W RAIN rpc rights \        grant 'RAIN\lizard' SeDiskOperatorPrivilege  Password: <enter password for root>  Successfully granted rights. 

If you receive an error indicating that the named privilege does not exist, ensure that you have spelled the privilege name correctly and that enable privileges = yes is correctly specified in smb.conf.

Privileges can be assigned to any name that can be resolved to a SID. This means that the account being granted a right need not be a local user or group. In fact, a common configuration is grant domain groups certain rights on the Samba host in order to leverage the existing domain infrastructure rather than duplicating it locally. (Future chapters expand on this idea.)

It is possible to view specific privilege assignments by using a variant of the net rpc rights list that was discussed earlier. The following command enumerates all accounts stored in Samba's privilege database (account_policy.tdb) and any rights associated with that user or group:

 $ net -S localhost -U% rpc rights list accounts BUILTIN\Print Operators No privileges assigned .... RAIN\lizard SeDiskOperatorPrivilege 

This command lists all users and groups stored in Samba's privilege database. If you prefer to list only the rights assigned to a specific name, you can alternatively run this command:

 $ net -S localhost -U% rpc rights list accounts 'RAIN\lizard' SeDiskOperatorPrivilege 

Or, if you wish to find all owners of a particular privilege, run:

 $ net -S localhost -U% rpc rights list privileges SeDiskOperatorPrivilege SeDiskOperatorPrivilege:   RAIN\lizard 

At times it is necessary to remove a privilege assignment from a user or group. The net rpc rights revoke command performs the inverse function to the grant subcommand. Here the SeDiskOperatorPrivilege previously assigned to lizard is removed:

 $ net -S localhost -U root -W RAIN rpc rights revoke 'RAIN\lizard' \ SeDiskOperatorPrivilege Password: <enter password for root> Successfully revoked rights. 

In all of these examples, it is possible to list multiple privilege names when listing, granting, or revoking rights. Table 5-17 collects the various options to the net rpc rights command covered in this section.

Table 5-17. net rpc rights commands



list [{accounts,privileges} [name]]

Enumerate supported privileges or assigned rights.

grant name right [right]

Assign a list of user privileges to a user or group.

revoke name right [right]

Remove a list of assigned privileges from a user or group.

Using Samba
Using Samba: A File and Print Server for Linux, Unix & Mac OS X, 3rd Edition
ISBN: 0596007698
EAN: 2147483647
Year: 2004
Pages: 135 © 2008-2017.
If you may any questions please contact us: