##
## Samba-Rights-HOWTO
## Gerald (Jerry) Carter <jerry@samba.org>
##


Introduction
============

Samba 3.0.11pre2 introduces support for the Windows
privilege model.  This model allows certain rights to be
assigned to a user or group SID.  In order to enable this
feature, 'enable privileges = yes' must be defined in the
[global] section of the server's smb.conf.

Currently, the following rights are supported in Samba 3:

  SeAddUsersPrivilege        Add users and groups to the domain
  SeDiskOperatorPrivilege    Manage disk shares
  SeMachineAccountPrivilege  Add machines to domain
  SePrintOperatorPrivilege   Manage printers
  SeRemoteShutdownPrivilege  Force shutdown from a remote system
  
The remainder of this HOWTO explains how to manage and use
these privileges on Samba servers.


net rpc rights
==============

There are two primary means of managing the rights assigned
to users and groups on a Samba server.  The 'User Manager
for Domains' may be used from a Windows NT 4.0 client to
connect to a Samba domain controller and view/modify the
rights assignments. However, this application appears to
have bugs when run on a client running Windows 2000 or
later.  Therefore, Samba provides a command line utility for
performing the necessary administrative actions.

The 'net rpc rights' command in Samba 3.0.11 has 3 subcommands:

  * list [name|accounts] - When called with no arguments,
    'net rpc rights list' will simply list the available
    rights on the server.  When passed a specific user or
    group name, the tool lists the privileges currently
    assigned to the specified account.  When invoked using
    the special string 'accounts', 'net rpc rights list'
    will return a list of all privileged accounts on the
    server and the assigned rights.
	
  * grant <user> <right [right ...]> - This function is used
    to assign a list of rights to a specified user or group.  
    For example, to grant the members of the Domain Admins 
    group on a Samba DC the capability to add client 
    machines to the domain, one would run

    $ net -S server -U domadmin rpc rights grant \
      'DOMAIN\Domain Admins' SeMachineAccountPrivilege
	
    More than one privilege can be assigned by specifying a 
    list of rights separated by spaces.
  
  * revoke <user> <right [right ...]> - This command is
    similar in format to 'net rpc rights grant'.  Its
    effect is to remove an assigned right (or list of 
    rights) from a user or group.  


Note that you must be connected as a member of the Domain
Admins group to be able to grant or revoke privileges
assigned to an account.  This capability is inherent to the
Domain Admins group and is not configurable.

By default, no privileges are initially assigned to any
account.  The reason for this is that certain actions will
be performed as root once smbd determines that a user has
the necessary rights.  For example, when joining a client to
a Windows domain, the 'add machine script' must be executed
with superuser rights in most cases.  For this reason, you
should be very careful about handing out privileges to
accounts.

Access as the root user (uid == 0) bypasses all privilege
checks.
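
Because granted rights cause smbd to perform actions as root, it
helps to compare the actual assignments against an approved list.
The script below is an added example, not part of the original
HOWTO or of Samba.  The account names, the approved list and the
listing layout (account name, then one right per line, a blank
line between accounts) are assumptions.

```shell
#!/bin/sh
# Added example (not from the HOWTO or Samba): report rights held by
# accounts that are not on an approved list.
# Assumption: the listing has one block per account (account name first,
# then one right per line) with blank lines between blocks.

# Approved grants, one "account|right" per line (constructed policy).
APPROVED='DOMAIN\Domain Admins|SeMachineAccountPrivilege
DOMAIN\Print Admins|SePrintOperatorPrivilege'

# Constructed sample in the assumed layout; on a live server use:
#   net -S server -U domadmin rpc rights list accounts | audit_rights
sample_listing() {
cat <<'EOF'
DOMAIN\Domain Admins
SeMachineAccountPrivilege
SeAddUsersPrivilege

DOMAIN\Print Admins
SePrintOperatorPrivilege

DOMAIN\helpdesk
SeDiskOperatorPrivilege

BUILTIN\Guests
No privileges assigned
EOF
}

# Reads a listing on stdin; prints "account|right" for each unapproved grant.
audit_rights() {
    # ENVIRON is used instead of -v so backslashes in names stay literal.
    APPROVED="$APPROVED" awk '
    BEGIN {
        n = split(ENVIRON["APPROVED"], a, "\n")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    { sub(/\r$/, "") }                      # tolerate CRLF output
    /^[ \t]*$/ { account = ""; next }       # blank line ends a block
    account == "" { account = $0; next }    # first line names the account
    /^Se[A-Za-z]+Privilege$/ {
        key = account "|" $0
        if (!(key in ok)) print key         # grant is not in the policy
    }'
}

sample_listing | audit_rights
```

Each reported line is a candidate for 'net rpc rights revoke' or
for an explicit entry in the approved list.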


Description of Privileges
=========================

SeAddUsersPrivilege
  This right determines whether or not smbd will allow the
  user to create new user or group accounts via such tools 
  as 'net rpc user add' or 'User Manager for Domains'.

SeDiskOperatorPrivilege
  Accounts which possess this right will be able to execute  
  scripts defined by the 'add/delete/change share command' 
  in smb.conf as root.  Such users will also be able to 
  modify the ACL associated with file shares on the Samba 
  server.

SeMachineAccountPrivilege 
  Controls whether or not the user is able to join client
  machines to a Samba controlled domain.  
  
SePrintOperatorPrivilege
  This privilege operates identically to the 'printer admin'
  option in smb.conf(5) except that it is a global right (not 
  on a per printer basis).  Eventually the smb.conf option will
  be deprecated and administrative rights to printers will be 
  controlled exclusively by this right and the security
  descriptor associated with the printer object in 
  ntprinters.tdb.
  
SeRemoteShutdownPrivilege
  Samba provides two hooks for shutting down or rebooting
  the server and for aborting a previously issued shutdown 
  command.  Since this is an operation normally limited by 
  the OS to the root user, an account must possess this 
  right to be able to execute either of these hooks to any 
  effect.
  
##
## end of Samba-Rights-HOWTO
##