Samba Management: Configuration with the net utility, part two

Samba team co-founder John H. Terpstra explains the final steps for configuring the primary domain controller with the net utility.

In part one of this Samba-3 management tip, we prepared for the big act. Now, the excitement begins. We're ready to use the net utility in the final steps in configuration of the primary domain controller.

Up to this point, no user account has been granted Windows network administrative rights and privileges. Our objective is to give the account mstone full administrative rights. This is simply achieved by making mstone a member of the Linux managers group, which is mapped to the Windows Domain Admins group. However, life is not that simple. By default, the Domain Admins group has no rights other than the ability to assign rights and privileges. This means that specific privileges must be assigned even to the Domain Admins group.

Create an administrative user account

Let's verify that mstone is a member of the managers group within the Linux environment:

root#> id mstone
uid=1001(mstone) gid=100(users) groups=100(users),1001(managers)

Now we must demonstrate that within Samba mstone is a member of the Domain Admins group:

root#> net rpc group members "Domain Admins" -S violetsblue -Umstone%n3v3r2l8
ROSESARERED\mstone

Good, mstone is a member of the Windows Domain Admins group. This is achieved by way of the mapping we established by executing:

root#> net groupmap modify ntgroup="Domain Admins" unixgroup=managers

Assign rights and privileges to the domain admins group

In this step, the Domain Admins group is assigned (given, or granted) all administrative rights:

root#> net rpc rights grant "Domain Admins" \
       SeMachineAccountPrivilege \
       SeTakeOwnershipPrivilege \
       SeBackupPrivilege \
       SeRestorePrivilege \
       SeRemoteShutdownPrivilege \
       SePrintOperatorPrivilege \
       SeAddUsersPrivilege \
       SeDiskOperatorPrivilege -S violetsblue -Umstone%n3v3r2l8
Successfully granted rights.

Make the PDC a domain member

The next step is to make our PDC a member of its own domain. This step requires domain administrative privilege, which mstone now has. Execute the following:

root#> net rpc join -Umstone%n3v3r2l8
Joined domain ROSESARERED

It is a good practice to validate every step, as we have done so far. The join can appear to complete correctly, yet the domain trust account it creates may not actually work. This can be checked simply by executing:

root#> net rpc testjoin
Join to 'ROSESARERED' is OK

Let's run a further check to obtain the status of the domain environment:

root#> net rpc info -S violetsblue
Domain Name: ROSESARERED
Domain SID: S-1-5-21-3169455399-2908770435-3209857667
Sequence number: 1135058837
Num users: 2
Num domain groups: 4
Num local groups: 0

So far, so good!

Create additional users

So far, the net command has been used to:

  • map Linux groups to Windows groups;
  • check Windows group membership;
  • join the PDC to its own domain;
  • validate the domain account (join); and,
  • check domain information (note: not dependent on the join).

In the last step, we confirmed that there are only two Windows user accounts and four Windows group accounts.

Let's add accounts for the users misty, jable and dstornton using the remote management net tool:

root#> net rpc user add misty -S violetsblue -Umstone%n3v3r2l8
root#> net rpc user add jable -S violetsblue -Umstone%n3v3r2l8
root#> net rpc user add dstornton -S violetsblue -Umstone%n3v3r2l8

The use of the net rpc user add facility results in Samba calling the add user script to add the account to the Linux account database (/etc/passwd), followed by addition to the passdb backend (tdbsam) specified in the smb.conf file.

Unfortunately, these accounts do not yet have a password. We must rectify that at once:

root#> net rpc password misty secretpw1 -S violetsblue -Umstone%n3v3r2l8
root#> net rpc password jable secretpw2 -S violetsblue -Umstone%n3v3r2l8
root#> net rpc password dstornton secretpw3 -S violetsblue -Umstone%n3v3r2l8

If the password (secretpw1 above) is omitted from the command line, the tool prompts for it to be entered. It looks like this:

root#> net rpc password misty -S violetsblue -Umstone%n3v3r2l8
Enter new password for misty: XXXXXXXX

Now let's add misty to the group scientists:

root#> net rpc group addmem scientists misty -S violetsblue -Umstone%n3v3r2l8

The other new users can be added to groups in the same way. We can add a new group called warriors by executing this command:

root#> net rpc group add warriors -S violetsblue -Umstone%n3v3r2l8

Let's add misty so she will be a member of the new warriors group:

root#> net rpc group addmem warriors misty -S violetsblue -Umstone%n3v3r2l8

To remove misty from the warriors group, just use the delmem operator, as shown here:

root#> net rpc group delmem warriors misty -S violetsblue -Umstone%n3v3r2l8

Assign user rights

Often, it is necessary to give a user certain limited administrative privileges. An example is making it possible for a normal user to manage printing operations. In this case misty is granted the printer management capability:

root#> net rpc rights grant "ROSESARERED\misty" SePrintOperatorPrivilege \
       -S violetsblue -Umstone%n3v3r2l8

Assigned rights can be examined as shown here:

root#> net rpc rights list accounts -S violetsblue -Umstone%n3v3r2l8
BUILTIN\Print Operators
    No privileges assigned
BUILTIN\Account Operators
    No privileges assigned
ROSESARERED\Domain Admins
    SeMachineAccountPrivilege
    SeTakeOwnershipPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeRemoteShutdownPrivilege
    SePrintOperatorPrivilege
    SeAddUsersPrivilege
    SeDiskOperatorPrivilege
BUILTIN\Backup Operators
    No privileges assigned
BUILTIN\Server Operators
    No privileges assigned
ROSESARERED\misty
    SePrintOperatorPrivilege
BUILTIN\Administrators
    No privileges assigned
Everyone
    No privileges assigned
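Because privileges such as SeMachineAccountPrivilege and SeAddUsersPrivilege are effectively administrative, it is worth re-checking the listing above periodically against the set of accounts that are supposed to hold them. The following POSIX shell audit is an added example, not code from the article or from the Samba project; it parses the layout of net rpc rights list accounts output, assuming records are separated by a blank line and that the first line of each record is the account name, and it runs here against a constructed sample listing rather than a live server.

```shell
#!/bin/sh
# Constructed sample of `net rpc rights list accounts` output (not captured from
# a real server).  Assumed layout: records separated by a blank line, the first
# line of a record is the account, the remaining lines are its privileges.
SAMPLE_RIGHTS='ROSESARERED\Domain Admins
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

ROSESARERED\misty
SePrintOperatorPrivilege

Everyone
No privileges assigned'

# holders_of PRIV: read the listing on stdin, print each account holding PRIV.
holders_of() {
    awk -v want="$1" '
        /^$/       { acct = ""; next }   # blank line closes the current record
        acct == "" { acct = $0; next }   # first line of a record is the account
        $0 == want { print acct }        # a privilege line matching PRIV
    '
}

# unexpected_holders PRIV ALLOWED...: read the listing on stdin and print every
# account that holds PRIV but is not one of the ALLOWED account names.
unexpected_holders() {
    priv=$1; shift
    holders_of "$priv" | while IFS= read -r acct; do
        ok=0
        for allowed in "$@"; do
            if [ "$allowed" = "$acct" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then printf '%s\n' "$acct"; fi
    done
}

# Demo: with Domain Admins as the only expected holder, misty's deliberate
# SePrintOperatorPrivilege grant is reported so the administrator can confirm it
# was intended.  For a live check, pipe the real listing in instead, e.g.
#   net rpc rights list accounts -S violetsblue -Umstone | unexpected_holders ...
printf '%s\n' "$SAMPLE_RIGHTS" | unexpected_holders SePrintOperatorPrivilege 'ROSESARERED\Domain Admins'
```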

Wrapping up

The net utility permits very extensive remote management of a Samba server. So far, I have demonstrated how this tool can be used to join a Samba server to its domain, add/delete/change user and group accounts, map Linux groups to Windows groups, add users to groups, and so on. The use of this tool to assign rights and privileges has also been briefly touched upon.

The use of this command is well documented in The Official Samba-3 HOWTO and Reference Guide in chapter 12. The latest version of this document is available from Samba.org. This document is also available from Amazon.com in hard copy under ISBN No: 0131882228.

The series continues

This is the fifth article in my Managing Samba series. Articles in this series have so far explained:

The next article will deal with remote GUI management tools and facilities. It will review various GUI tools that can be used to facilitate network management. Of course, some will quickly point out that if this can be made simple enough, it should be possible to delegate many day-to-day operations to senior user staff and thus reduce the cost of keeping the network operational.

About the author: John H. Terpstra is chief technology officer at PrimaStasys Inc., and a member of SearchOpenSource.com's Editorial Advisory Board. He is author of the new books, Samba-3 by Example: Practical Exercises to Successful Deployment and The Official Samba-3 HOWTO and Reference Guide.

This was first published in January 2006
