Using the “net rpc rights” Utility
There are two primary means of managing the rights assigned to users and groups
on a Samba server. The NT4 User Manager for Domains may be used from any
Windows NT4, 2000, or XP Professional domain member client to connect to a
Samba domain controller and view/modify the rights assignments. This
application, however, appears to have bugs when run on a client running
Windows 2000 or later; therefore, Samba provides a command-line utility for
performing the necessary administrative actions.

The net rpc rights utility in Samba 3.0.11 has three new subcommands:

- list [name|accounts]
  When called with no arguments, net rpc rights list simply lists the
  available rights on the server. When passed a specific user or group name,
  the tool lists the privileges currently assigned to the specified account.
  When invoked using the special string accounts, net rpc rights list returns
  a list of all privileged accounts on the server and the assigned rights.

- grant <user> <right [right ...]>
  This subcommand assigns a list of rights to a specified user or group. For
  example, to grant the members of the Domain Admins group on a Samba domain
  controller the capability to add client machines to the domain, one would
  run:

  root# net -S server -U domadmin rpc rights grant \
        'DOMAIN\Domain Admins' SeMachineAccountPrivilege

  The following syntax has the same result:

  root# net rpc rights grant 'DOMAIN\Domain Admins' \
        SeMachineAccountPrivilege -S server -U domadmin

  More than one privilege can be assigned by specifying a list of rights
  separated by spaces. The parameter 'DOMAIN\Domain Admins' must be enclosed
  in single or double quotes to prevent the backslash and the space from being
  interpreted by the system shell.

- revoke <user> <right [right ...]>
  This command is similar in format to net rpc rights grant. Its effect is to
  remove an assigned right (or list of rights) from a user or group.
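
The following script is an added example, not part of the original Samba
documentation. It compares a net rpc rights list accounts listing against an
approved baseline and reports every assignment that should be reviewed and, if
unwanted, revoked. The listing layout (account name, one right per line, blank
line between accounts), the sample data, the DOMAIN\helpdesk account and the
baseline file format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag rights assignments that are not in an approved baseline.

# Constructed sample standing in for `net rpc rights list accounts` output.
# Assumed layout: account name, one right per line, blank line between accounts.
sample_output() {
cat <<'EOF'
BUILTIN\Print Operators
No privileges assigned

DOMAIN\Domain Admins
SeMachineAccountPrivilege

DOMAIN\helpdesk
SeMachineAccountPrivilege
SeDiskOperatorPrivilege
EOF
}

# Hypothetical approved baseline: one "account<TAB>right" pair per line.
baseline() {
    printf '%s\t%s\n' \
        'DOMAIN\Domain Admins' SeMachineAccountPrivilege \
        'DOMAIN\helpdesk'      SeMachineAccountPrivilege
}

# audit_rights BASELINE_FILE
# Reads a rights listing on stdin and prints "account<TAB>right" for every
# assignment that the baseline file does not approve.
audit_rights() {
    BASELINE="$1" awk '
        BEGIN {
            base = ENVIRON["BASELINE"]
            while ((getline line < base) > 0) approved[line] = 1
        }
        { sub(/\r$/, "") }                     # tolerate CRLF captures
        $0 == ""   { acct = ""; next }         # blank line ends an account block
        acct == "" { acct = $0; next }         # first line of a block is the account
        $0 == "No privileges assigned" { next }
        { key = acct "\t" $0; if (!(key in approved)) print key }
    '
}

# Demo on the constructed data. Against a live server, pipe in the real listing:
#   net rpc rights list accounts -S server -U domadmin | audit_rights baseline.tsv
tmp=$(mktemp) && baseline > "$tmp"
sample_output | audit_rights "$tmp"   # prints: DOMAIN\helpdesk<TAB>SeDiskOperatorPrivilege
rm -f "$tmp"
```

An empty baseline file flags every assignment in the listing, which makes a
convenient first run when building the baseline.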