[Samba] Re: Samba-Rights-HOWTO

Manuel Capinha mcapinha at gmail.com
Tue Jan 25 12:27:53 GMT 2005

> It is actually a service level parameter if you look in the smb.conf(5)
> man page.  But really should be a global one in order to call
> OpenPrinter(\\server) with admin rights.  So in practice, it is often
> just defined in [global].

I see. I did check the man page and search the list before I posted,
so it seems there's some misconception about that parameter floating

> > And one question about this new privileges setup:
> > Right now I've got one samba machine acting as a print server. The
> > samba server was joined to an AD domain (W2K3 servers, not Samba).
> >
> > I've got "printer admin = @Domain Admins" in my smb.conf. When the new
> > privileges setup system starts handling the printer admin directive,
> > how will I be able to manage my printers ?
> > I mean, if the "printer admin" directive is going to be deprecated,
> > will samba use my AD controller to get the rights for the printers ?
> The Windows privilege model defines rights (i.e. privileges) to be
> local to a given SAM.  In other words a given machine or set of DC's
> (when referring to a domain SAM).
> So you would just do something like
> net -S samba rpc rights grant 'AD-DOMAIN\Domain Admins' SePrintOperatorPrivilege
> This has nothing to do with any rights defined in the AD domain SAM.
> The rights assignment is local to the Samba server.  You can in actually
> assign a right to any abritary SID whether it si valid or not.
> When a user NT_TOKEN is created, smbd will search its local db for
> all rights assigsned to any SID in the user's token and create a
> privilege mask to be included in that TOKEN.
> Then we the user needs to do something that requires a given right,
> smbd will simply call user_has_privilege( TOKEN, privilege) to check
> whether or not the user has the appropriate right.
> Make sense?

Yup. The user rights are local to each samba server and the users can
be part of an AD domain or not, or even not exist at all! :)
I was under the impression that there was a global way to set this up
in a Windows domain, but I must admit that I know less about Windows
that I know of Samba.

Thanks for making this clearer for me,

More information about the samba mailing list