Network and Storage Protocols

Remove administrator from Administrators group

JCASON
12,651 Views

Is there any way to remove user administrator from the Administrators group? 

I ran cifs setup and created an administrator account.  Now we want to remove all filer privs.  I tried user modify administrator -g Guests but that causes it to just append the Guests onto the end like:

Name: administrator

Info:

Rid: 500

Groups: Administrators,Guests

I even deleted the administrator user, and then readded with -g Guests and the result is the same ("Administrators, Guests").

In case it matters, this is on a vfiler on a 8.0.3P1 system.

1 ACCEPTED SOLUTION

JCASON
9,012 Views

Ended up opening a case with NetApp support on this. 

If you run CIFS setup > Workgroup Auth and you choose NOT to create the administrator account, you can then add it in like:

useradmin user add administrator -g Guests

And it works fine.

However, if you have already run CIFS setup and chose to create the administrator account, you need to use the domainuser functionality (which apparently also has functionality for Workgroups) to delete it from Administrators.  Good news is this doesn't require CIFS setup to be re-run.  In our case this CIFS instance wasn't in-use at the time, and I'm not sure of the effects on any running production system.

>useradmin user modify administrator -g Guests

>useradmin domainuser list -g Administrators

List of SIDS in Administrators

S-1-5-21-1495248761-1620592545-1363874994-500

>cifs lookup S-1-5-21-1495248761-1620592545-1363874994-500

name = FILER\administrator

> useradmin domainuser delete administrator -g Administrators

SID = S-1-5-21-1495248761-1620592545-1363874994-500

Domain User <administrator> successfully deleted from Administrators.

> useradmin user list

Name: administrator

Info:

Rid: 500

Groups: Guests

This gives us a user named administrator, but with no filer level administrative privs.

View solution in original post

11 REPLIES 11

RAVI_PALADUGU
12,599 Views

The Rid value of 500 for the Administrator user corresponds to the last number in the Administrator user’s SID. It is the Built-in account for administering the filer.

Please do:

==========

useradmin group delete group_name :- Deletes the specified group from the storage system.

Note: All users must be removed from a group before the group itself can be deleted.

useradmin user delete :- Deletes the specified user from the storage system. This command deletes any local user except for "root" and "snmp". The "snmp" administrative user can be disabled by modifying the audit role or "User" group.

Note: You cannot delete or modify a user with greater capabilities than you have.

Please follow this link for more information on administrator accounts:

https://library.netapp.com/ecmdocs/ECMM1278285/html/sysadmin/6admacc3.htm#1528063

As this is a built in account I don't think you can delete it. You can always open a case to get assistance from support.

Hope it helps!

Regards,

Ravi

JCASON
12,599 Views

OK this helps a little, but not quite what I need.  I actually had no problem deleting the account and recreating with:

useradmin user add administrator -c "no admin privs" -g Guests

But my issue is that the account shows back up automatically in the Administrator group:

Name: administrator

Info: no admin privs

Rid: 500

Groups: Administrators,Guests

I also note that the Rid is still 500. 

So is there no way to have an account named "administrator" that is not this reserved account? 

RAVI_PALADUGU
12,600 Views

I strongly believe you cannot have a account name "administrator" with out being it in a "administrators group". Why do you want to have a account name as administrator not being in this group? Why not create a differ group and add users to it with roles you want provide? I just want to understand the scenario, so that i can assist you in a better way.

JCASON
12,600 Views

We are using workgroup authentication for CIFS on a vfiler.  We want to allow passthrough access (no authentication required) for "administrator" from the servers.

We have accomplished this for user Administrator by making the passwords on the server and filer 'administrator' accounts match.  This works fine and Administrator on the servers can browse the CIFS shares without being prompted for credentials.

But, we do not want to have that "administrator" named account to be able to perform filer level administration tasks!  And while it would be nice to say, "just use a different username" which would be a great solution, sometimes we aren't in a position to say that.

I know we also have the option of enabling guest access, but I would prefer to not open it to everyone.

RAVI_PALADUGU
12,600 Views

I actually that that was the scenario you were facing. Did you do CIFS setup in the following way?

Description

This article describes the procedure to set up a filer in Windows workgroup mode.

Procedure

  1. On the filer, enter: cifs setup
  2. Windows Workgroup authentication using the filer's user accounts, when prompted for What type of authentication will this filer use?, enter: 2.
  3. Note: In step 2 above, if using NIS or the filer's /etc/passwd file for Windows Workgroup authentication, enter 3 (/etc/passwd and/or NIS based authentication) instead of 2.
    Also, see 2010648: Cannot authenticate users in a Windows workgroup: enable plain text passwords
  4. These prompts will follow:
    1. Enter Workgroup name.
    2. Create the filer's local administrator account.
  5. To setup local Windows Workgroup users on the filer, use the useradmin useradd [username] command.
  6. Note: If using NIS or the filer's /etc/passwd file for Windows Workgroup authentication, Windows Workgroup users cannot be created using the useradmin command.
  7. Assign appropriate permissions for these local users on the Common Internet File System protocol (CIFS) shares using the cifs access command. See the cifs man page for details.

The following is a sample of cifs setup output for setting up a Windows Workgroup on a newly installed filer:

filer> cifs setup
Enable CIFS access to the filer by a Windows(tm) PC
         Your filer is currently only visible to PCs on the same net.
Do you wish to make the system visible via WINS? [no]:
         CIFS requires local /etc/passwd and /etc/group files formultiprotocol.
         Default passwd file will be created containing root, pcuser,
         and nobody.
Enter the password for root []:
Retype the password:
         This filer is currently licensed for CIFS only.
         The filer will be configured as a NTFS_only filer.  It can
         be changed to a Multiprotocol filer by reissuing the CIFS setupcommand.
         The default name of this filer will be FILER.
Do you want to modify this name? [no]:
         CIFS supports three types of user authentication:
         1. Windows Domain authentication.
         2. Windows Workgroup authentication using the filer's user accounts.
         3. /etc/passwd and/or NIS based authentication.
What type of authentication will this filer use? [1]: 2
         The filer will be part of a Workgroup, and will use local
         user accounts for authentication.
         This filer will be a member of the Windows Workgroup WORKGROUP.
Do you want to modify this name? [no]: WG1
         Please enter either yes or no.
Do you want to modify this name? [no]: yes
Enter the Workgroup for the filer []: WG1
         It is recommended that you create the local administrator
         account (FILER\administrator) for this filer.
Create the FILER\administrator account? [yes]:
Set the password for FILER\administrator:
Retype the password:
Thu Dec 20 11:18:33 PST [rc:info]: User
added
Thu Dec 20 11:18:33 PST [rc:notice]: security style for /vol/vol0/ changed from unix to ntfs
CIFS local server is running.
filer> Thu Dec 20 11:18:47 PST [nbns_timer:info]: All CIFS name registrations complete for local server

Since the filer is not registering to a WINS server, clients outside the immediate subnet will be unable to browse for the filer in Network Neighborhood. It is recommended to also setup a local DNS server.  Another way to deal with name resolution is to populate the users with lmhosts or hosts files, although it is possible to use a WINS server even if the user is just in a workgroup.

JCASON
12,600 Views

Yes we did run through CIFS setup in that manner.  If we run through CIFS setup (or re-run it), and say NO to the "configure administrator account" part, would that allow us to add an account named administrator that is not Rid 500?

JCASON
12,600 Views

I just tested this out in lab and it seems to work.  The Rid is the same but it let me just set it as Guests:

>useradmin user list

Name: administrator

Info: not an administrator

Rid: 500

Groups: Guests

This should work OK?

RAVI_PALADUGU
12,600 Views

Yes, it should work. Please mark this as answered if you a got this resolved.

Hope I helped.

Best Regards,

Ravi

RAVI_PALADUGU
12,600 Views

Also please follow this link for a detailed explanation.

https://library.netapp.com/ecmdocs/ECMM1278285/html/sysadmin/6admacc3.htm

JCASON
9,013 Views

Ended up opening a case with NetApp support on this. 

If you run CIFS setup > Workgroup Auth and you choose NOT to create the administrator account, you can then add it in like:

useradmin user add administrator -g Guests

And it works fine.

However, if you have already run CIFS setup and chose to create the administrator account, you need to use the domainuser functionality (which apparently also has functionality for Workgroups) to delete it from Administrators.  Good news is this doesn't require CIFS setup to be re-run.  In our case this CIFS instance wasn't in-use at the time, and I'm not sure of the effects on any running production system.

>useradmin user modify administrator -g Guests

>useradmin domainuser list -g Administrators

List of SIDS in Administrators

S-1-5-21-1495248761-1620592545-1363874994-500

>cifs lookup S-1-5-21-1495248761-1620592545-1363874994-500

name = FILER\administrator

> useradmin domainuser delete administrator -g Administrators

SID = S-1-5-21-1495248761-1620592545-1363874994-500

Domain User <administrator> successfully deleted from Administrators.

> useradmin user list

Name: administrator

Info:

Rid: 500

Groups: Guests

This gives us a user named administrator, but with no filer level administrative privs.

RAVI_PALADUGU
8,959 Views

Good to hear that the issue is resolved. Thanks for posting the solution hear!

Best Regards,

Ravi

Public