Wednesday, October 27, 2010

Managing Samba (Part 5 of 6): Configuration with the net utility, part two

In part one of this Samba-3 management tip, we prepared for the big act. Now the excitement begins: we're ready to use the net utility for the final steps of configuring the primary domain controller.

Up to this point, no user account has been granted Windows network administrative rights and privileges. Our objective is to give the account mstone full administrative rights. This is simply achieved by making mstone a member of the Linux managers group, because the managers group is mapped to the Windows Domain Admins group. However, life is not that simple. By default, the Domain Admins group has no rights other than the ability to assign rights and privileges, so the specific privileges must be granted explicitly, even to the Domain Admins group.

Create an administrative user account

Let's verify that mstone is a member of the managers group within the Linux environment:

root#> id mstone
uid=1001(mstone) gid=100(users) groups=100(users),1001(managers)


Now we must demonstrate that within Samba mstone is a member of the Domain Admins group:

root#> net rpc group members "Domain Admins" -S violetsblue -Umstone%n3v3r2l8
ROSESARERED\mstone


Good, mstone is a member of the Windows Domain Admins group. This is achieved by way of the mapping we established by executing:

root#> net groupmap modify ntgroup="Domain Admins" unixgroup=managers

Assign rights and privileges to the domain admins group

In this step, the Domain Admins group is granted all of the administrative privileges. If the grant is refused, check that enable privileges has not been set to no in smb.conf; in early Samba 3.0.x releases it was off by default.

root#> net rpc rights grant "Domain Admins" \
SeMachineAccountPrivilege \
SeTakeOwnershipPrivilege \
SeBackupPrivilege \
SeRestorePrivilege \
SeRemoteShutdownPrivilege \
SePrintOperatorPrivilege \
SeAddUsersPrivilege \
SeDiskOperatorPrivilege -S violetsblue -Umstone%n3v3r2l8
Successfully granted rights.


Make the PDC a domain member

The next step is to make our PDC a member of its own domain. This requires SeMachineAccountPrivilege, which mstone now holds through the Domain Admins group. Execute the following:

root#> net rpc join -Umstone%n3v3r2l8
Joined domain ROSESARERED


It is a good practice to validate every step, as we have done so far. The join can appear to succeed while the machine trust account it created does not actually work. This can be checked simply by executing:

root#> net rpc testjoin
Join to 'ROSESARERED' is OK


Let's run a further check to obtain the status of the domain environment:

root#> net rpc info -S violetsblue
Domain Name: ROSESARERED
Domain SID: S-1-5-21-3169455399-2908770435-3209857667
Sequence number: 1135058837
Num users: 2
Num domain groups: 4
Num local groups: 0


So far, so good!
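
The grant, join and testjoin steps above are one procedure, and in practice you want it to stop at the first failure and to keep the administrative password off the command line. The following script is an added example written for this article, not code from the original post or from the Samba project. It assumes that NET can be pointed at a stub for a dry run and that AUTHFILE is a hypothetical path for a net(8) -A credentials file; the server and domain names are the ones used throughout this series.

```shell
#!/bin/sh
# Added example, not from the original article: the grant / join / testjoin
# procedure as a script that stops at the first failure and keeps the
# administrative password out of the command line.
# Assumptions: NET can be pointed at a stub for dry runs; AUTHFILE is a
# hypothetical path for the net(8) -A credentials file.
NET=${NET:-net}
SERVER=${SERVER:-violetsblue}
DOMAIN=${DOMAIN:-ROSESARERED}
AUTHFILE=${AUTHFILE:-/root/.net-admin-creds}

# The privileges the article grants to Domain Admins.
ADMIN_PRIVS="SeMachineAccountPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege
SeRestorePrivilege SeRemoteShutdownPrivilege SePrintOperatorPrivilege
SeAddUsersPrivilege SeDiskOperatorPrivilege"

# write_authfile USER PASSWORD: write the credentials file read by net -A.
# The subshell umask makes the file 0600 from the moment it is created, so
# the password is not in a world-readable file, in ps output or in the shell
# history (all of which -U user%password exposes it to). Any stale copy is
# removed first so a wider mode left over from earlier cannot survive.
write_authfile() {
    ( umask 077
      rm -f "$AUTHFILE"
      printf 'username = %s\npassword = %s\ndomain = %s\n' "$1" "$2" "$DOMAIN" > "$AUTHFILE" )
}

# run_net ARGS...: run one net subcommand with the credentials file and
# report which step failed.
run_net() {
    "$NET" "$@" -A "$AUTHFILE" || { echo "failed: net $*" >&2; return 1; }
}

# Step 1: assign the administrative privileges to Domain Admins.
grant_admin_rights() {
    # $ADMIN_PRIVS is deliberately unquoted: one argument per privilege
    run_net rpc rights grant "Domain Admins" $ADMIN_PRIVS -S "$SERVER"
}

# Step 2: join the PDC to its own domain, then prove the machine trust
# account works. testjoin uses the local secrets store, so it takes no
# credentials; a join that "succeeds" but fails testjoin counts as failed.
join_and_verify() {
    run_net rpc join -S "$SERVER" || return 1
    "$NET" rpc testjoin || { echo "join to $DOMAIN did not verify" >&2; return 1; }
}

# The whole procedure; exit status 0 only if every step passed.
provision_pdc() {
    grant_admin_rights && join_and_verify
}
```

Typical use is write_authfile mstone "$password" (with the password read from a prompt, not typed into the script) followed by provision_pdc; the credentials file can be deleted as soon as the run is over.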

Create additional users

So far, the net command has been used to:

  • map Linux groups to Windows groups;
  • check Windows group membership;
  • join the PDC to its own domain;
  • validate the domain account (join); and,
  • check domain information (note: not dependent on the join).

In the last step, we confirmed that there are only two Windows user accounts and four Windows group accounts.

Let's add accounts for the users misty, jable and dstornton using the remote management facilities of the net tool:

root#> net rpc user add misty -S violetsblue -Umstone%n3v3r2l8
root#> net rpc user add jable -S violetsblue -Umstone%n3v3r2l8
root#> net rpc user add dstornton -S violetsblue -Umstone%n3v3r2l8


The net rpc user add facility causes Samba to call the add user script configured in smb.conf, which creates the account in the Linux account database (/etc/passwd); the account is then added to the passdb backend (here tdbsam) specified in the smb.conf file.

Unfortunately, these accounts do not yet have a password. We must rectify that at once:

root#> net rpc password misty secretpw1 -S violetsblue -Umstone%n3v3r2l8
root#> net rpc password jable secretpw2 -S violetsblue -Umstone%n3v3r2l8
root#> net rpc password dstornton secretpw3 -S violetsblue -Umstone%n3v3r2l8


If the password is not given on the command line, the tool prompts for it. It looks like this:

root#> net rpc password misty -S violetsblue -Umstone%n3v3r2l8
Enter new password for misty: XXXXXXXX

The same applies to the administrative credentials: leaving out the %n3v3r2l8 part of -U makes net prompt for mstone's password, which keeps it out of the shell history and out of process listings, where a password given on the command line is visible to every local user for as long as the command runs.

Now let's add misty to the group scientists:

root#> net rpc group addmem scientists misty -S violetsblue -Umstone%n3v3r2l8

The other new users can be added to groups the same way. A new group called warriors is created by executing this command:

root#> net rpc group add warriors -S violetsblue -Umstone%n3v3r2l8

Let's make misty a member of the new warriors group:

root#> net rpc group addmem warriors misty -S violetsblue -Umstone%n3v3r2l8

To remove misty from the warriors group, just use the delmem operator, as shown here:

root#> net rpc group delmem warriors misty -S violetsblue -Umstone%n3v3r2l8
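
When more than a handful of accounts are involved, the user add, addmem and password steps above are better driven from a roster than typed one by one, and each name should be checked before anything touches the domain. The script below is an added example written for this article, not code from the original post or from the Samba project. It assumes that NET can be pointed at a stub for a dry run, that AUTHFILE is a hypothetical net(8) -A credentials file holding mstone's credentials, and it uses a constructed roster that deliberately includes two invalid names.

```shell
#!/bin/sh
# Added example, not from the original article: create several users and
# their group memberships from a roster in one pass, validating each name
# before anything touches the domain. Assumptions: NET can be pointed at a
# stub for dry runs; AUTHFILE is a hypothetical net(8) -A credentials file
# holding mstone's credentials; the roster below is constructed sample input.
NET=${NET:-net}
SERVER=${SERVER:-violetsblue}
AUTHFILE=${AUTHFILE:-/root/.net-admin-creds}

# One entry per line: user:group1,group2,...  (an empty group list is allowed).
# The last two entries are deliberately invalid.
ROSTER='misty:scientists,warriors
jable:scientists
dstornton:
Bad User:warriors
averyveryverylongusername1:scientists'

run_net() {
    "$NET" "$@" -S "$SERVER" -A "$AUTHFILE" || { echo "failed: net $*" >&2; return 1; }
}

# valid_name NAME: lowercase, starts with a letter or underscore, only
# [a-z0-9_.-], and at most 20 characters (the classic NT logon-name limit),
# so the account is usable by both the add user script and Windows clients.
valid_name() {
    case $1 in
        ''|*[!a-z0-9_.-]*|[!a-z_]*) return 1 ;;
    esac
    [ ${#1} -le 20 ]
}

# provision_user USER [GROUP...]: net rpc user add, then one addmem per
# group. No password is passed on the command line: net rpc password
# prompts for it when it is omitted, so the initial password is not
# visible to other local users through ps or the shell history.
provision_user() {
    user=$1; shift
    valid_name "$user" || { echo "rejected: '$user'" >&2; return 1; }
    run_net rpc user add "$user" || return 1
    for g in "$@"; do
        run_net rpc group addmem "$g" "$user" || return 1
    done
    run_net rpc password "$user"
}

# provision_roster ROSTER: process every entry; return 1 if any failed,
# but keep going so one bad line does not block the rest.
provision_roster() {
    rc=0
    while IFS=: read -r user groups; do
        [ -n "$user" ] || continue
        # the group list is split on commas on purpose
        provision_user "$user" $(printf '%s' "$groups" | tr ',' ' ') || rc=1
    done <<EOF
$1
EOF
    return $rc
}
```

Running provision_roster "$ROSTER" against a real server creates misty, jable and dstornton with their memberships, prompts for each initial password, and exits non-zero because the two invalid entries were rejected before any net command was issued for them.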

Assign user rights

Often it is necessary to give a user certain limited administrative privileges, for example to let a normal user manage printing operations. Here misty is granted the printer management privilege:

root#> net rpc rights grant "ROSESARERED\misty" SePrintOperatorPrivilege \
-S violetsblue -Umstone%n3v3r2l8


Assigned rights can be examined as shown here:

root#> net rpc rights list accounts -S violetsblue -Umstone%n3v3r2l8
BUILTIN\Print Operators
No privileges assigned
BUILTIN\Account Operators
No privileges assigned
ROSESARERED\Domain Admins
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
BUILTIN\Backup Operators
No privileges assigned
BUILTIN\Server Operators
No privileges assigned
ROSESARERED\misty
SePrintOperatorPrivilege
BUILTIN\Administrators
No privileges assigned
Everyone
No privileges assigned
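
A listing like the one above is worth checking mechanically, both after the Domain Admins grant earlier and after each per-user grant: the question is not only whether an account has the privileges it needs but whether any account holds one it should not. The script below is an added example written for this article, not code from the original post or from the Samba project. Its sample input is the listing shown above, embedded so it runs offline; in use, the live output of net rpc rights list accounts is passed in instead.

```shell
#!/bin/sh
# Added example, not from the original article: parse the output of
# `net rpc rights list accounts` and check that an account holds exactly
# the privileges it is supposed to. SAMPLE_LISTING is the listing shown
# above (constructed sample input, embedded so the script runs offline);
# in use, feed it the live output, e.g.
#   LISTING=$(net rpc rights list accounts -S violetsblue -A /root/.net-admin-creds)
LC_ALL=C; export LC_ALL    # consistent ordering for sort and comm

SAMPLE_LISTING='BUILTIN\Print Operators
No privileges assigned
BUILTIN\Account Operators
No privileges assigned
ROSESARERED\Domain Admins
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
BUILTIN\Backup Operators
No privileges assigned
BUILTIN\Server Operators
No privileges assigned
ROSESARERED\misty
SePrintOperatorPrivilege
BUILTIN\Administrators
No privileges assigned
Everyone
No privileges assigned'

# privileges_of LISTING ACCOUNT: print ACCOUNT's privileges, one per line.
# Samba privilege names all look like Se...Privilege; any other non-marker
# line starts a new account block. Leading whitespace is stripped because
# real net output indents the privilege lines and the blog rendering does
# not. An account absent from the listing is reported as holding nothing.
# The account name goes through the environment, not awk -v, so that the
# backslash in DOMAIN\name is not mangled as an escape sequence.
privileges_of() {
    printf '%s\n' "$1" | ACCT="$2" awk '
        BEGIN { acct = ENVIRON["ACCT"] }
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^Se[A-Za-z]+Privilege$/ { if (cur == acct) print; next }
        /^No privileges assigned$/ { next }
        { cur = $0 }'
}

# check_rights LISTING ACCOUNT [PRIV...]: succeed only if ACCOUNT holds
# exactly the named privileges (none, if no PRIV is given); otherwise name
# the missing and the unexpected ones. Extra privileges matter as much as
# missing ones: a stray SeAddUsersPrivilege on an ordinary user is a
# privilege-escalation path.
check_rights() {
    listing=$1; acct=$2; shift 2
    have=$(mktemp)
    privileges_of "$listing" "$acct" | sort > "$have"
    missing=$(printf '%s\n' "$@" | sort | comm -23 - "$have")
    extra=$(printf '%s\n' "$@" | sort | comm -13 - "$have")
    rm -f "$have"
    [ -z "$missing" ] && [ -z "$extra" ] && return 0
    [ -n "$missing" ] && printf '%s missing:%s\n' "$acct" "$(printf ' %s' $missing)"
    [ -n "$extra" ] && printf '%s unexpected:%s\n' "$acct" "$(printf ' %s' $extra)"
    return 1
}
```

For example, check_rights "$SAMPLE_LISTING" 'ROSESARERED\misty' SePrintOperatorPrivilege succeeds, while asking the same for 'Everyone' with any privilege, or for misty with no privilege at all, fails and names the difference; a periodic run against the live listing with the expected set for each account turns the grant steps in this article into something that can be audited.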


Wrapping up

The net utility permits very extensive remote management of a Samba server. So far, I have demonstrated how this tool can be used to join a Samba server to its domain, add user and group accounts, set passwords, add users to and remove them from groups, map Linux groups to Windows groups, and so on. The use of this tool to assign rights and privileges has also been briefly touched upon.

The use of this command is well documented in The Official Samba-3 HOWTO and Reference Guide in chapter 12. The latest version of this document is available from Samba.org. This document is also available from Amazon.com in hard copy under ISBN No: 0131882228.

The series continues

This is the fifth article in my Managing Samba series. Articles in this series have so far explained:

  • Windows network identity basics and their use in Samba-3;
  • Windows NT/200x user rights and privileges in Samba 3.0.11 and later;
  • domain control parameters and operating system interface scripts in the Samba smb.conf file; and,
  • the pdbedit utility to manage domain and user account policy settings.

The next article will deal with remote GUI management tools and facilities. It will review various GUI tools that can be used to facilitate network management. Of course, some will quickly point out that if this can be made simple enough, it should be possible to delegate many day-to-day operations to senior user staff and thus reduce the cost of keeping the network operational.
