11 Replies Latest reply: Apr 4, 2013 6:51 AM by RAVI.PALADUGU

Remove administrator from Administrators group

JCASON

Is there any way to remove user administrator from the Administrators group? 

 

I ran cifs setup and created an administrator account.  Now we want to remove all filer privs.  I tried user modify administrator -g Guests but that causes it to just append the Guests onto the end like:

 

Name: administrator

Info:

Rid: 500

Groups: Administrators,Guests

 

I even deleted the administrator user, and then re-added it with -g Guests and the result is the same ("Administrators, Guests").

 

In case it matters, this is on a vfiler on a 8.0.3P1 system.

  • Re: Remove administrator from Administrators group
    RAVI.PALADUGU

    The Rid value of 500 for the Administrator user corresponds to the last number in the Administrator user’s SID. It is the Built-in account for administering the filer.

     

    Please do:

    ==========

    useradmin group delete group_name :- Deletes the specified group from the storage system.

    Note: All users must be removed from a group before the group itself can be deleted.

     

    useradmin user delete :- Deletes the specified user from the storage system. This command deletes any local user except for "root" and "snmp". The "snmp" administrative user can be disabled by modifying the audit role or "User" group.

    Note: You cannot delete or modify a user with greater capabilities than you have.

     

    Please follow this link for more information on administrator accounts:

    https://library.netapp.com/ecmdocs/ECMM1278285/html/sysadmin/6admacc3.htm#1528063

     

    As this is a built-in account I don't think you can delete it. You can always open a case to get assistance from support.

     

    Hope it helps!

     

    Regards,

    Ravi

    • Re: Remove administrator from Administrators group
      JCASON

      OK this helps a little, but not quite what I need.  I actually had no problem deleting the account and recreating with:

       

      useradmin user add administrator -c "no admin privs" -g Guests

       

      But my issue is that the account shows back up automatically in the Administrator group:

       

      Name: administrator

      Info: no admin privs

      Rid: 500

      Groups: Administrators,Guests

       

      I also note that the Rid is still 500. 

       

      So is there no way to have an account named "administrator" that is not this reserved account? 

      • Re: Remove administrator from Administrators group
        RAVI.PALADUGU

        I strongly believe you cannot have an account named "administrator" without it being in the "Administrators" group. Why do you want to have an account named administrator that is not in this group? Why not create a different group and add users to it with the roles you want to provide? I just want to understand the scenario, so that I can assist you in a better way.

        • Re: Remove administrator from Administrators group
          JCASON

          We are using workgroup authentication for CIFS on a vfiler.  We want to allow passthrough access (no authentication required) for "administrator" from the servers.

           

          We have accomplished this for user Administrator by making the passwords on the server and filer 'administrator' accounts match.  This works fine and Administrator on the servers can browse the CIFS shares without being prompted for credentials.

           

          But, we do not want to have that "administrator" named account to be able to perform filer level administration tasks!  And while it would be nice to say, "just use a different username" which would be a great solution, sometimes we aren't in a position to say that.

           

          I know we also have the option of enabling guest access, but I would prefer to not open it to everyone.

          • Re: Remove administrator from Administrators group
            RAVI.PALADUGU

            I actually thought that was the scenario you were facing. Did you do CIFS setup in the following way?

             

             

            Description

            This article describes the procedure to set up a filer in Windows workgroup mode.

             

            Procedure

            1. On the filer, enter: cifs setup
            2. When prompted for "What type of authentication will this filer use?", enter: 2 (Windows Workgroup authentication using the filer's user accounts).
               Note: In step 2 above, if using NIS or the filer's /etc/passwd file for Windows Workgroup authentication, enter 3 (/etc/passwd and/or NIS based authentication) instead of 2.
               Also, see 2010648: Cannot authenticate users in a Windows workgroup: enable plain text passwords
            3. These prompts will follow:
               1. Enter Workgroup name.
               2. Create the filer's local administrator account.
            4. To set up local Windows Workgroup users on the filer, use the useradmin useradd [username] command.
               Note: If using NIS or the filer's /etc/passwd file for Windows Workgroup authentication, Windows Workgroup users cannot be created using the useradmin command.
            5. Assign appropriate permissions for these local users on the Common Internet File System protocol (CIFS) shares using the cifs access command. See the cifs man page for details.

            The following is a sample of cifs setup output for setting up a Windows Workgroup on a newly installed filer:

            filer> cifs setup
            Enable CIFS access to the filer by a Windows(tm) PC
                     Your filer is currently only visible to PCs on the same net.
            Do you wish to make the system visible via WINS? [no]:
                     CIFS requires local /etc/passwd and /etc/group files for multiprotocol.
                     Default passwd file will be created containing root, pcuser,
                     and nobody.
            Enter the password for root []:
            Retype the password:
                     This filer is currently licensed for CIFS only.
                     The filer will be configured as a NTFS_only filer.  It can
                     be changed to a Multiprotocol filer by reissuing the CIFS setup command.
                     The default name of this filer will be FILER.
            Do you want to modify this name? [no]:
                     CIFS supports three types of user authentication:
                     1. Windows Domain authentication.
                     2. Windows Workgroup authentication using the filer's user accounts.
                     3. /etc/passwd and/or NIS based authentication.
            What type of authentication will this filer use? [1]: 2
                     The filer will be part of a Workgroup, and will use local
                     user accounts for authentication.
                     This filer will be a member of the Windows Workgroup WORKGROUP.
            Do you want to modify this name? [no]: WG1
                     Please enter either yes or no.
            Do you want to modify this name? [no]: yes
            Enter the Workgroup for the filer []: WG1
                     It is recommended that you create the local administrator
                     account (FILER\administrator) for this filer.
            Create the FILER\administrator account? [yes]:
            Set the password for FILER\administrator:
            Retype the password:
            Thu Dec 20 11:18:33 PST [rc:info]: User
            added
            Thu Dec 20 11:18:33 PST [rc:notice]: security style for /vol/vol0/ changed from unix to ntfs
            CIFS local server is running.
            filer> Thu Dec 20 11:18:47 PST [nbns_timer:info]: All CIFS name registrations complete for local server

            Since the filer is not registering to a WINS server, clients outside the immediate subnet will be unable to browse for the filer in Network Neighborhood. It is recommended to also set up a local DNS server.  Another way to deal with name resolution is to populate the users with lmhosts or hosts files, although it is possible to use a WINS server even if the user is just in a workgroup.

          • Re: Remove administrator from Administrators group
            RAVI.PALADUGU

            Also please follow this link for a detailed explanation.

             

            https://library.netapp.com/ecmdocs/ECMM1278285/html/sysadmin/6admacc3.htm

  • Re: Remove administrator from Administrators group
    JCASON

    Ended up opening a case with NetApp support on this. 

     

    If you run CIFS setup > Workgroup Auth and you choose NOT to create the administrator account, you can then add it in like:

     

    useradmin user add administrator -g Guests

     

    And it works fine.

     

    However, if you have already run CIFS setup and chose to create the administrator account, you need to use the domainuser functionality (which apparently also has functionality for Workgroups) to delete it from Administrators.  Good news is this doesn't require CIFS setup to be re-run.  In our case this CIFS instance wasn't in-use at the time, and I'm not sure of the effects on any running production system.

     

    >useradmin user modify administrator -g Guests

    >useradmin domainuser list -g Administrators

    List of SIDS in Administrators

    S-1-5-21-1495248761-1620592545-1363874994-500

    >cifs lookup S-1-5-21-1495248761-1620592545-1363874994-500

    name = FILER\administrator

    > useradmin domainuser delete administrator -g Administrators

    SID = S-1-5-21-1495248761-1620592545-1363874994-500

    Domain User <administrator> successfully deleted from Administrators.

    > useradmin user list

    Name: administrator

    Info:

    Rid: 500

    Groups: Guests

     

    This gives us a user named administrator, but with no filer level administrative privs.
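
An added example (not part of the original posts and not NetApp code): a check to run over saved output of the two commands used above, confirming that the RID 500 account no longer appears in Administrators in either `useradmin user list` or `useradmin domainuser list -g Administrators`. The sample text and the placeholder SID are constructed, and only the Name/Info/Rid/Groups fields shown in the thread are parsed.

```python
import re

ADMIN_GROUP = "Administrators"
BUILTIN_ADMIN_RID = 500  # RID the thread shows for the built-in administrator

def parse_user_list(text):
    """Parse the Name/Info/Rid/Groups fields of `useradmin user list` output."""
    users = []
    for line in text.splitlines():
        m = re.match(r"\s*(Name|Info|Rid|Groups):\s*(.*)$", line)
        if not m:
            continue  # blank lines and fields not shown in the thread
        key, val = m.group(1), m.group(2).strip()
        if key == "Name":
            users.append({"Name": val, "Info": "", "Rid": None, "Groups": []})
        elif users and key == "Rid":
            users[-1]["Rid"] = int(val) if val.isdigit() else None
        elif users and key == "Groups":
            users[-1]["Groups"] = [g.strip() for g in val.split(",") if g.strip()]
        elif users:
            users[-1]["Info"] = val
    return users

def audit(user_list_text, admin_sid_text):
    """Return findings where the RID 500 / 'administrator' account is still an admin."""
    findings = []
    for u in parse_user_list(user_list_text):
        watched = u["Rid"] == BUILTIN_ADMIN_RID or u["Name"].lower() == "administrator"
        if watched and ADMIN_GROUP in u["Groups"]:
            findings.append(f"user {u['Name']} (Rid {u['Rid']}) is in {ADMIN_GROUP}")
    # `useradmin domainuser list -g Administrators` prints one SID per line
    for sid in re.findall(r"S-1-(?:\d+-)+\d+", admin_sid_text):
        if int(sid.rsplit("-", 1)[1]) == BUILTIN_ADMIN_RID:
            findings.append(f"SID {sid} is listed in {ADMIN_GROUP}")
    return findings

# Constructed sample output in the format shown in the thread (placeholder SID).
BEFORE_USERS = "Name: administrator\nInfo:\nRid: 500\nGroups: Administrators,Guests\n"
BEFORE_SIDS = "List of SIDS in Administrators\nS-1-5-21-1111111111-2222222222-3333333333-500\n"
AFTER_USERS = "Name: administrator\nInfo:\nRid: 500\nGroups: Guests\n"
AFTER_SIDS = "List of SIDS in Administrators\n"

if __name__ == "__main__":
    for label, users, sids in (("before", BEFORE_USERS, BEFORE_SIDS),
                               ("after", AFTER_USERS, AFTER_SIDS)):
        print(label, audit(users, sids) or "no admin membership found")
```
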
