[Samba] Samba assignment of privileges

Linda Walsh samba at tlinx.org
Fri Oct 9 03:37:51 MDT 2009

Even though Samba doesn't use all of the NT privileges, does it allow assigning them to domain
users or groups?
I.e. this list:
|Group Policy Name                        |Constant Name                    |
|Access this computer from the network    |SeNetworkLogonRight              |
|Access Credential Manager as a trusted   |SeTrustedCredManAccessPrivilege  |
|caller                                   |                                 |
|Act as part of the operating system      |SeTcbPrivilege                   |
|Add workstations to domain               |SeMachineAccountPrivilege        |
|Adjust memory quotas for a process       |SeIncreaseQuotaPrivilege         |
|Allow log on locally                     |SeInteractiveLogonRight          |
|Allow log on through Terminal Services   |SeRemoteInteractiveLogonRight    |
|Back up files and directories            |SeBackupPrivilege                |
|Bypass traverse checking                 |SeChangeNotifyPrivilege          |
|Change the system time                   |SeSystemtimePrivilege            |
|Change the time zone                     |SeTimeZonePrivilege              |
|Create a pagefile                        |SeCreatePagefilePrivilege        |
|Create a token object                    |SeCreateTokenPrivilege           |
|Create global objects                    |SeCreateGlobalPrivilege          |
|Create permanent shared objects          |SeCreatePermanentPrivilege       |
|Create Symbolic Links                    |SeCreateSymbolicLinkPrivilege    |
|Debug programs                           |SeDebugPrivilege                 |
|Deny access to this computer from the    |SeDenyNetworkLogonRight          |
|network                                  |                                 |
|Deny access to this computer from the    |SeDenyBatchLogonRight            |
|network                                  |                                 |
|Deny log on as a service                 |SeDenyServiceLogonRight          |
|Deny log on locally                      |SeDenyInteractiveLogonRight      |
|Deny log on through Terminal Services    |SeDenyRemoteInteractiveLogonRight|
|Enable computer and user accounts to be  |SeEnableDelegationPrivilege      |
|trusted for delegation                   |                                 |
|Force shutdown from a remote system      |SeRemoteShutdownPrivilege        |
|Generate security audits                 |SeAuditPrivilege                 |
|Impersonate a client after authentication|SeImpersonatePrivilege           |
|Increase a process working set           |SeIncreaseWorkingSetPrivilege    |
|Increase scheduling priority             |SeIncreaseBasePriorityPrivilege  |
|Load and unload device drivers           |SeLoadDriverPrivilege            |
|Lock pages in memory                     |SeLockMemoryPrivilege            |
|Log on as a batch job                    |SeBatchLogonRight                |
|Log on as a service                      |SeServiceLogonRight              |
|Manage auditing and security log         |SeSecurityPrivilege              |
|Modify an object label                   |SeRelabelPrivilege               |
|Modify firmware environment values       |SeSystemEnvironmentPrivilege     |
|Perform volume maintenance tasks         |SeManageVolumePrivilege          |
|Profile single process                   |SeProfileSingleProcessPrivilege  |
|Profile system performance               |SeSystemProfilePrivilege         |
|Remove computer from docking station     |SeUndockPrivilege                |
|Replace a process level token            |SeAssignPrimaryTokenPrivilege    |
|Restore files and directories            |SeRestorePrivilege               |
|Shut down the system                     |SeShutdownPrivilege              |
|Synchronize directory service data       |SeSyncAgentPrivilege             |
|Take ownership of files or other objects |SeTakeOwnershipPrivilege         |

When I look at the "net sam rights" command -- I see no way to assign the privilege,
but for Samba to act as a PDC, shouldn't it be able to manage all of the rights/privileges even
if it doesn't use them itself?

How difficult would it be to manipulate the bits if the actual privs system is already in place?

