> It is actually a service level parameter if you look in the smb.conf(5)
> man page. But really should be a global one in order to call
> OpenPrinter(\\server) with admin rights. So in practice, it is often
> just defined in [global].

I see. I did check the man page and search the list before I posted, so it seems there's some misconception about that parameter floating around.

> > And one question about this new privileges setup:
> > Right now I've got one samba machine acting as a print server. The
> > samba server was joined to an AD domain (W2K3 servers, not Samba).
> >
> > I've got "printer admin = @Domain Admins" in my smb.conf. When the new
> > privileges setup system starts handling the printer admin directive,
> > how will I be able to manage my printers?
> > I mean, if the "printer admin" directive is going to be deprecated,
> > will samba use my AD controller to get the rights for the printers?
>
> The Windows privilege model defines rights (i.e. privileges) to be
> local to a given SAM. In other words a given machine or set of DC's
> (when referring to a domain SAM).
>
> So you would just do something like
>
>   net -S samba rpc rights grant 'AD-DOMAIN\Domain Admins' SePrintOperatorPrivilege
>
> This has nothing to do with any rights defined in the AD domain SAM.
> The rights assignment is local to the Samba server. You can actually
> assign a right to any arbitrary SID whether it is valid or not.
> When a user NT_TOKEN is created, smbd will search its local db for
> all rights assigned to any SID in the user's token and create a
> privilege mask to be included in that TOKEN.
>
> Then when the user needs to do something that requires a given right,
> smbd will simply call user_has_privilege( TOKEN, privilege) to check
> whether or not the user has the appropriate right.
>
> Make sense?

Yup. The user rights are local to each samba server and the users can be part of an AD domain or not, or even not exist at all! :) I was under the impression that there was a global way to set this up in a Windows domain, but I must admit that I know less about Windows than I know of Samba.

Thanks for making this clearer for me,
Manuel
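
The token-time privilege lookup described in the quoted reply, as a small C model added here (not Samba's source and not part of the original message). The SIDs, the bit values and every function name are constructed for illustration; only the two privilege names are real.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Privilege names are Samba's; the bit values are constructed for this model. */
#define SE_PRINT_OPERATOR (1u << 0) /* SePrintOperatorPrivilege */
#define SE_DISK_OPERATOR  (1u << 1) /* SeDiskOperatorPrivilege */

struct grant { const char *sid; uint32_t rights; };
struct token { const char *sids[4]; size_t num_sids; uint32_t privileges; };

/* Constructed stand-in for the server-local rights database. */
static const struct grant local_rights_db[] = {
    { "S-1-5-21-1111-2222-3333-512",  SE_PRINT_OPERATOR }, /* Domain Admins (constructed SID) */
    { "S-1-5-21-9999-9999-9999-1234", SE_DISK_OPERATOR  }, /* grant to a SID no account uses */
};

/* Rights the local database holds for one SID; the SID is never validated. */
static uint32_t rights_for_sid(const char *sid) {
    uint32_t mask = 0;
    size_t n = sizeof(local_rights_db) / sizeof(local_rights_db[0]);
    for (size_t i = 0; i < n; i++)
        if (strcmp(local_rights_db[i].sid, sid) == 0)
            mask |= local_rights_db[i].rights;
    return mask;
}

/* Token creation: OR together the rights of every SID carried in the token. */
static void build_privilege_mask(struct token *t) {
    t->privileges = 0;
    for (size_t i = 0; i < t->num_sids; i++)
        t->privileges |= rights_for_sid(t->sids[i]);
}

/* Access check: a mask test on the token, with no lookup in the AD domain. */
static int token_has_privilege(const struct token *t, uint32_t priv) {
    return (t->privileges & priv) == priv;
}

/* Build a token from a user SID and one group SID, then test a privilege. */
static int granted_after_logon(const char *user, const char *group, uint32_t priv) {
    struct token t = { { user, group }, 2, 0 };
    build_privilege_mask(&t);
    return token_has_privilege(&t, priv);
}

int main(void) {
    const char *u = "S-1-5-21-1111-2222-3333-1105"; /* constructed user SID */
    printf("admin prints: %d\n", granted_after_logon(u, "S-1-5-21-1111-2222-3333-512", SE_PRINT_OPERATOR));
    printf("user prints:  %d\n", granted_after_logon(u, "S-1-5-21-1111-2222-3333-513", SE_PRINT_OPERATOR));
    return 0;
}
```

The second database entry stays in place even though no token carries that SID, so a rights audit on the server should list every grant, including those for SIDs that no longer resolve.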
