[Samba] Re: Samba-Rights-HOWTO

Gerald (Jerry) Carter jerry at samba.org
Tue Jan 25 03:09:11 GMT 2005



On Mon, 24 Jan 2005, Manuel Capinha wrote:

> >From the Samba-Rights-HOWTO:
> 
> SePrintOperatorPrivilege
>   This privilege operates identically to the 'printer admin'
>   option in smb.conf(5) except that it is a global right (not
>   on a per-printer basis).  Eventually the smb.conf option will
>   be deprecated and administrative rights to printers will be
>   controlled exclusively by this right and the security
>   descriptor associated with the printer object in
>   ntprinters.tdb.
> 
> 
> I was under the impression that "printer admin" is a global right,
> right now. Isn't it so ?

It is actually a service-level parameter if you look in the smb.conf(5)
man page.  But it really should be a global one in order to call
OpenPrinter(\\server) with admin rights.  So in practice, it is often
just defined in [global].

> And one question about this new privileges setup:
> Right now I've got one samba machine acting as a print server. The
> samba server was joined to an AD domain (W2K3 servers, not Samba).
> 
> I've got "printer admin = @Domain Admins" in my smb.conf. When the new
> privileges setup system starts handling the printer admin directive,
> how will I be able to manage my printers ?
> I mean, if the "printer admin" directive is going to be deprecated,
> will samba use my AD controller to get the rights for the printers ?

The Windows privilege model defines rights (i.e. privileges) to be
local to a given SAM.  In other words a given machine or set of DC's
(when referring to a domain SAM).

So you would just do something like

net -S samba rpc rights grant 'AD-DOMAIN\Domain Admins' SePrintOperatorPrivilege

This has nothing to do with any rights defined in the AD domain SAM.
The rights assignment is local to the Samba server.  You can actually
assign a right to any arbitrary SID whether it is valid or not.
When a user NT_TOKEN is created, smbd will search its local db for
all rights assigned to any SID in the user's token and create a
privilege mask to be included in that TOKEN.

Then when the user needs to do something that requires a given right,
smbd will simply call user_has_privilege( TOKEN, privilege) to check
whether or not the user has the appropriate right.

Make sense?



cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc 
"I never saved anything for the swim back."     Ethan Hawk in Gattaca
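The mechanism Jerry describes above (a server-local rights db keyed by SID, a privilege mask unioned from every SID in the user's token, and a user_has_privilege() check against that mask) as a runnable model. This is an added illustration, not Samba's own code: the privilege names are real Samba privilege names, but the bit layout, the function names, the domain SID and the tokens are all constructed for the example.

```python
"""Toy model of smbd's local privilege assignment (added example, not Samba code).

The point it demonstrates: rights are granted to SIDs in a db local to the
Samba server, with no lookup against the AD domain, so a right granted to a
SID that never appears in any token is stored but has no effect, while a
right granted to a well-known SID such as Everyone reaches every user.
"""

# Bit assigned to each privilege in the mask.  Assumption: an illustrative
# layout, not the encoding smbd actually uses in its privilege db.
PRIVILEGES = {
    "SeMachineAccountPrivilege": 1 << 0,
    "SePrintOperatorPrivilege": 1 << 1,
    "SeAddUsersPrivilege": 1 << 2,
    "SeDiskOperatorPrivilege": 1 << 3,
    "SeRemoteShutdownPrivilege": 1 << 4,
}


def grant(rights_db, sid, privilege):
    """Like 'net rpc rights grant <account> <privilege>': record the right
    against the SID in the server-local db.  No check that the SID exists."""
    if privilege not in PRIVILEGES:
        raise ValueError(f"unknown privilege {privilege}")
    rights_db[sid] = rights_db.get(sid, 0) | PRIVILEGES[privilege]
    return rights_db


def revoke(rights_db, sid, privilege):
    """Like 'net rpc rights revoke': clear the bit, drop the entry if empty."""
    remaining = rights_db.get(sid, 0) & ~PRIVILEGES[privilege]
    if remaining:
        rights_db[sid] = remaining
    else:
        rights_db.pop(sid, None)
    return rights_db


def build_privilege_mask(rights_db, token_sids):
    """What smbd does when it builds the NT token: union the rights recorded
    for every SID in the token (user SID, group SIDs, well-known SIDs)."""
    mask = 0
    for sid in token_sids:
        mask |= rights_db.get(sid, 0)
    return mask


def user_has_privilege(mask, privilege):
    """The check smbd makes when an operation needs a given right."""
    return bool(mask & PRIVILEGES[privilege])


def privileges_in(mask):
    """Decode a mask back to sorted privilege names (for display/tests)."""
    return sorted(name for name, bit in PRIVILEGES.items() if mask & bit)


# Constructed SIDs: a hypothetical AD domain and its well-known RIDs.
AD_DOMAIN = "S-1-5-21-1111-2222-3333"
DOMAIN_ADMINS = f"{AD_DOMAIN}-512"
DOMAIN_USERS = f"{AD_DOMAIN}-513"
EVERYONE = "S-1-1-0"
AUTHENTICATED_USERS = "S-1-5-11"

# The rights db as it would look after
#   net -S samba rpc rights grant 'AD-DOMAIN\Domain Admins' SePrintOperatorPrivilege
RIGHTS_DB = grant({}, DOMAIN_ADMINS, "SePrintOperatorPrivilege")
# A right granted to a SID nobody will ever present: stored, but inert.
grant(RIGHTS_DB, "S-1-5-21-9-9-9-1001", "SeDiskOperatorPrivilege")

# Constructed tokens: a Domain Admins member and an ordinary domain user.
ADMIN_TOKEN = [f"{AD_DOMAIN}-1105", DOMAIN_USERS, DOMAIN_ADMINS,
               EVERYONE, AUTHENTICATED_USERS]
USER_TOKEN = [f"{AD_DOMAIN}-1106", DOMAIN_USERS, EVERYONE, AUTHENTICATED_USERS]

ADMIN_MASK = build_privilege_mask(RIGHTS_DB, ADMIN_TOKEN)
USER_MASK = build_privilege_mask(RIGHTS_DB, USER_TOKEN)

if __name__ == "__main__":
    for label, mask in (("admin", ADMIN_MASK), ("user", USER_MASK)):
        print(label, privileges_in(mask))
```

Because the db is consulted only by SID, a grant to Everyone (S-1-1-0) or Authenticated Users (S-1-5-11) lands in every token the server builds; reviewing the assignments with `net rpc rights list accounts` after a migration away from 'printer admin' is the check worth making.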
