2013-04-02 07:13 PM
Is there any way to remove user administrator from the Administrators group?
I ran cifs setup and created an administrator account. Now we want to remove all filer privs. I tried user modify administrator -g Guests but that causes it to just append the Guests onto the end like:
I even deleted the administrator user, and then readded with -g Guests and the result is the same ("Administrators, Guests").
In case it matters, this is on a vfiler on a 8.0.3P1 system.
2013-04-02 07:46 PM
The Rid value of 500 for the Administrator user corresponds to the last number in the Administrator user’s SID. It is the Built-in account for administering the filer.
useradmin group delete group_name :- Deletes the specified group from the storage system.
Note: All users must be removed from a group before the group itself can be deleted.
useradmin user delete :- Deletes the specified user from the storage system. This command deletes any local user except for "root" and "snmp". The "snmp" administrative user can be disabled by modifying the audit role or "User" group.
Note: You cannot delete or modify a user with greater capabilities than you have.
Please follow this link for more information on administrator accounts:
As this is a built-in account I don't think you can delete it. You can always open a case to get assistance from support.
Hope it helps!
2013-04-03 06:27 AM
OK this helps a little, but not quite what I need. I actually had no problem deleting the account and recreating with:
useradmin user add administrator -c "no admin privs" -g Guests
But my issue is that the account shows back up automatically in the Administrator group:
Info: no admin privs
I also note that the Rid is still 500.
So is there no way to have an account named "administrator" that is not this reserved account?
2013-04-03 07:08 AM
I strongly believe you cannot have an account named "administrator" without it being in the "Administrators" group. Why do you want to have an account named administrator that is not in this group? Why not create a different group and add users to it with the roles you want to provide? I just want to understand the scenario, so that I can assist you in a better way.
2013-04-03 07:17 AM
We are using workgroup authentication for CIFS on a vfiler. We want to allow passthrough access (no authentication required) for "administrator" from the servers.
We have accomplished this for user Administrator by making the passwords on the server and filer 'administrator' accounts match. This works fine and Administrator on the servers can browse the CIFS shares without being prompted for credentials.
But, we do not want to have that "administrator" named account to be able to perform filer level administration tasks! And while it would be nice to say, "just use a different username" which would be a great solution, sometimes we aren't in a position to say that.
I know we also have the option of enabling guest access, but I would prefer to not open it to everyone.
2013-04-03 07:24 AM
I actually thought that was the scenario you were facing. Did you do CIFS setup in the following way?
This article describes the procedure to set up a filer in Windows workgroup mode.
/etc/passwd file for Windows Workgroup authentication, enter 3 (/etc/passwd and/or NIS based authentication) instead of 2.
useradmin useradd [username] command.
/etc/passwd file for Windows Workgroup authentication, Windows Workgroup users cannot be created using the
cifs man page for details.
The following is a sample of cifs setup output for setting up a Windows Workgroup on a newly installed filer:
filer> cifs setup
Enable CIFS access to the filer by a Windows(tm) PC
Your filer is currently only visible to PCs on the same net.
Do you wish to make the system visible via WINS? [no]:
CIFS requires local /etc/passwd and /etc/group files for multiprotocol.
Default passwd file will be created containing root, pcuser,
Enter the password for root :
Retype the password:
This filer is currently licensed for CIFS only.
The filer will be configured as a NTFS_only filer. It can
be changed to a Multiprotocol filer by reissuing the CIFS setup command.
The default name of this filer will be FILER.
Do you want to modify this name? [no]:
CIFS supports three types of user authentication:
1. Windows Domain authentication.
2. Windows Workgroup authentication using the filer's user accounts.
3. /etc/passwd and/or NIS based authentication.
What type of authentication will this filer use? : 2
The filer will be part of a Workgroup, and will use local
user accounts for authentication.
This filer will be a member of the Windows Workgroup WORKGROUP.
Do you want to modify this name? [no]: WG1
Please enter either yes or no.
Do you want to modify this name? [no]: yes
Enter the Workgroup for the filer : WG1
It is recommended that you create the local administrator
account (FILER\administrator) for this filer.
Create the FILER\administrator account? [yes]:
Set the password for FILER\administrator:
Retype the password:
Thu Dec 20 11:18:33 PST [rc:info]: User
Thu Dec 20 11:18:33 PST [rc:notice]: security style for /vol/vol0/ changed from unix to ntfs
CIFS local server is running.
filer> Thu Dec 20 11:18:47 PST [nbns_timer:info]: All CIFS name registrations complete for local server
Since the filer is not registering to a WINS server, clients outside the immediate subnet will be unable to browse for the filer in Network Neighborhood. It is recommended to also set up a local DNS server. Another way to deal with name resolution is to populate the users with lmhosts or hosts files, although it is possible to use a WINS server even if the user is just in a workgroup.
2013-04-03 07:51 AM
Yes we did run through CIFS setup in that manner. If we run through CIFS setup (or re-run it), and say NO to the "configure administrator account" part, would that allow us to add an account named administrator that is not Rid 500?
2013-04-03 07:56 AM
I just tested this out in lab and it seems to work. The Rid is the same but it let me just set it as Guests:
>useradmin user list
Info: not an administrator
This should work OK?