Wednesday, October 27, 2010

Managing Samba (Part 2 of 6): User rights and privileges

When faced with making Linux and Windows work together securely, system administrators can run into trouble if they don't understand or can't correctly use the administrative security controls that are present in the Microsoft Windows operating system (OS) and the Samba-3 equivalents of those controls.

So, let's take a look at the tools administrators should be familiar with and the rights and privileges that can be managed.

This is part two of a six-part series, titled Managing Samba. In part one, I covered Windows network identity basics. Stay tuned, as the next article in this series will review the process of establishing a Samba configuration that can be securely managed using traditional Windows administrative tools.

Why user rights and privileges matter

Many people get confused by the fact that, by design, Windows NT/2000/XP provides the capacity to restrict access to almost every part of the operating system, yet the facilities that permit files and directories to be secured through use of restrictive access controls are frequently ill-used, if they're used at all.

Microsoft Windows XP Home Edition is commonly configured so that the default user has full administrative privilege and thus bypasses most native operating system security provisions. It is, therefore, no wonder that virus and worm infections can march forward with the utmost pace and force.

Many users expect to have the ability to create accounts and to install software without constraint. My objective is not to discuss the defense mechanisms against virus and worm activity, but to focus on administrative rights and user capabilities.

Windows XP Home Edition does not provide the ability to manage file system access controls. In every respect, therefore, the dominant operating system in the consumer marketplace, Windows XP Home Edition, provides little to no security control capability.

Windows XP Professional provides the capability to manage access control lists (ACLs) on file system resources, but few people learn how to manage them effectively. Despite this, ACLs are a valuable asset in a networked environment and are a common part of Windows security domains. Windows XP Professional also permits the assignment of administrative tasks to users and groups. These facilities are of significant importance in the creation and maintenance of a secure networking environment.

A key reason for the exercise of constraint in corporate networks is the protection of data and, in particular, the protection of confidential data. In the U.S., the Sarbanes-Oxley Act of 2002 is used to enforce restrictive data access in many industries.

Samba-3 is transparent with respect to file system security controls. Provided that the underlying file system of the server hosting Samba has ACL support, and that Samba-3 has been compiled with ACL handling, Windows administrators and users will be able to manage ACLs on file systems exported by the Samba-3 server.

Windows domain membership and security

Machine (computer) accounts are used in the Windows NT OS family to store security credentials for domain member servers and workstations. A computer account is created when a Windows client joins a Windows NT4 domain, or when it is made a member of a Microsoft Windows 200x Active Directory domain.

As part of the startup process of a domain member machine, it goes through a validation procedure that includes an exchange of credentials with a domain controller. If the domain member fails to authenticate, using the credentials known for it by domain controllers, the machine will be refused all access by domain servers.

Within the context of a domain logon, the computer account is essential to the way that Microsoft Windows secures authentication. The computer account is used only to authenticate domain member machines during startup, a security measure designed to block man-in-the-middle attempts to violate network integrity.

Windows Domain Administration Controls

By default, the ability to add machines to the domain is limited to the Windows domain administrator account. The right for other users or groups to add machines to the domain can be granted by the administrator using the appropriate tool.

The Windows NT4 server management tool can be used to manage domain member machines (servers and workstations). The right to add workstations to the Windows NT4 domain can be granted using the Windows NT4 domain user manager. The privilege that must be assigned to a user or group so that they can add machines to the domain is called SeMachineAccountPrivilege. In the NT4 domain user manager rights management panel it appears under the title Add workstations to domain. The list of available privileges that can be assigned in Windows NT4 is shown here:


Additional Windows privileges were added in Windows 2000 and are also available in Windows 2003 and Windows XP Professional. These may be found in Figure 2.



The Windows 200X privileges are a superset of those available with Windows NT4. Some of the privileges present in the Windows NT4/200X environments are of unique relevance to those operating systems and have no direct equivalent in a UNIX- or Linux-based Samba environment.

The privileges that make sense within a Linux environment have been implemented in Samba-3.0.x since the 3.0.11 release. These are summarized below.


Comparing the privileges present in Samba with those supported by Microsoft Windows NT4/2000/2003 shows that all of those found in Samba are also supported in Windows server products.

Windows administrative privileges can be assigned to Windows users and Windows groups, thereby permitting relatively fine-grained assignment of administrator privileges on an as-needed basis. For example, where it is desirable that a Windows user called joebartemy should be able to add Windows clients to the domain, his account can be assigned the SeMachineAccountPrivilege, thus preventing this user from gaining any other administrative capabilities. Likewise, members of the Windows group Marketing Staff can be given the ability to manage printers and print jobs by granting this group the SePrintOperatorPrivilege.

Allocating administrative privileges

Samba versions prior to 3.0.11 required the use of a UNIX account that has UID=0 (the root account) for a number of core administrative operations. Operations that require this level of privilege within the Unix operating system environment include management of user and group accounts, change of file ownership, print job management and so on. Older versions of Samba provided work-around methods to permit some of these essential tasks to be completed. Those that could not be side-stepped simply had to be done by the root account, or its equivalent.

Samba-3.0.11 and later allow the creation and administration of a Samba server without needing to resort to the use of the root account. Users who are members of the Domain Admins group automatically have the necessary privileges to manage all aspects of Samba. Those who need to be assigned specific roles can be given the minimum level of access necessary to perform the tasks they are responsible for. Someone who has been given the SeMachineAccountPrivilege can add machines to the domain and those who have been given the SePrintOperatorPrivilege can now manage printers, print jobs and more.

Management of Windows administrative privileges

Samba-3 provides a command-line tool for the management of user rights and privileges. The use of the net utility, as well as the administration of user rights and privileges, is documented in the Samba3-HOWTO book, and correct use has also been documented in the Samba3-ByExample book.

An example of use of the net command to assign the ability to add machines -- Samba servers, Windows servers and clients -- to the Samba domain for the domain MIDEARTH and the user jerry is shown here:

net rpc rights grant "MIDEARTH\jerry" SeMachineAccountPrivilege -S PDC -Ujtadmin%password
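Once rights are delegated this way, a periodic check that each account holds only the privileges intended for it keeps the assignments minimal. The script below is an added example, not code from the original article or from the Samba project: it compares a rights listing against an allow-list and prints every assignment the allow-list does not cover. The listing is a constructed sample whose layout is assumed to match the output of net rpc rights list accounts, and the policy format, the function names and the helpdesk account are hypothetical.

```shell
# Constructed sample, laid out like `net rpc rights list accounts` output
# (assumed format: account name, then its privileges, then a blank line).
sample_listing() {
cat <<'EOF'
BUILTIN\Administrators
SeMachineAccountPrivilege
SePrintOperatorPrivilege

MIDEARTH\jerry
SeMachineAccountPrivilege

MIDEARTH\Marketing Staff
SePrintOperatorPrivilege
SeAddUsersPrivilege

MIDEARTH\helpdesk
SeMachineAccountPrivilege

Everyone
No privileges assigned
EOF
}
# Hypothetical policy: one "account|privilege" per line; "*" allows any right.
allowed_rights() {
cat <<'EOF'
BUILTIN\Administrators|*
MIDEARTH\jerry|SeMachineAccountPrivilege
MIDEARTH\Marketing Staff|SePrintOperatorPrivilege
EOF
}
# audit_rights POLICY_FILE: read a listing on stdin and print every
# "account|privilege" pair that the policy does not allow.
audit_rights() {
  awk -v policy="$1" '
    BEGIN { while ((getline line < policy) > 0) ok[line] = 1  # newline records
            RS = ""; FS = "\n" }                              # then paragraphs
    { any = $1 "|*"; if (any in ok) next
      for (i = 2; i <= NF; i++) {
        pair = $1 "|" $i
        if ($i != "No privileges assigned" && !(pair in ok)) print pair
      } }'
}
audit_sample() {            # run the audit over the constructed data
  policy=$(mktemp) || return 1
  allowed_rights > "$policy"
  sample_listing | audit_rights "$policy"
  rm -f "$policy"
}
audit_sample
```

Against a live server, the listing would come from net rpc rights list accounts piped into audit_rights, and each reported pair is a candidate for net rpc rights revoke.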


This operation can also be performed by using the Windows NT4 Domain User Manager. This handy utility may be obtained from the Microsoft support Web site. A more recent version of this tool is also available.

An example of use is demonstrated in Figure 4.


The steps that lead up to this Windows panel are:

Log onto Windows XP Professional as a user who has administrative rights.
Launch UsrMgr.exe.
Click on the Policy tab.
Click on the User Rights entry.


Another tool that can be used to manage user rights is a commercial package called Hyena. The latest at the time of preparation of this article was version 6.5.

The next article in this series will document the configuration of a Samba domain controller so that user rights and privileges can be managed using the tools we have reviewed here.
