Is there any way to remove user administrator from the Administrators group?
I ran cifs setup and created an administrator account. Now we want to remove all filer privs. I tried user modify administrator -g Guests but that causes it to just append the Guests onto the end like:
Name: administrator
Info:
Rid: 500
Groups: Administrators,Guests
I even deleted the administrator user, and then readded with -g Guests and the result is the same ("Administrators, Guests").
In case it matters, this is on a vfiler on a 8.0.3P1 system.
1 ACCEPTED SOLUTION
migration has accepted the solution
Ended up opening a case with NetApp support on this.
If you run CIFS setup > Workgroup Auth and you choose NOT to create the administrator account, you can then add it in like:
useradmin user add administrator -g Guests
And it works fine.
However, if you have already run CIFS setup and chose to create the administrator account, you need to use the domainuser functionality (which apparently also has functionality for Workgroups) to delete it from Administrators. Good news is this doesn't require CIFS setup to be re-run. In our case this CIFS instance wasn't in-use at the time, and I'm not sure of the effects on any running production system.
>useradmin user modify administrator -g Guests
>useradmin domainuser list -g Administrators
List of SIDS in Administrators
S-1-5-21-1495248761-1620592545-1363874994-500
>cifs lookup S-1-5-21-1495248761-1620592545-1363874994-500
name = FILER\administrator
> useradmin domainuser delete administrator -g Administrators
SID = S-1-5-21-1495248761-1620592545-1363874994-500
Domain User <administrator> successfully deleted from Administrators.
> useradmin user list
Name: administrator
Info:
Rid: 500
Groups: Guests
This gives us a user named administrator, but with no filer level administrative privs.
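A check for the end state the accepted solution reaches, as an added example that is not part of the original post or any NetApp tooling: it parses saved `useradmin user list` and `useradmin domainuser list -g Administrators` output and reports accounts that still hold Administrators by either route. The sample text and the `svc_backup` account are constructed, and matching a SID to a local user by RID alone is an assumption to confirm with `cifs lookup`.

```python
import re
# Constructed samples in the output format shown in the thread.
USER_LIST = """\
Name: administrator
Info:
Rid: 500
Groups: Administrators,Guests
Name: svc_backup
Info: constructed sample account
Rid: 131073
Groups: Guests
"""
DOMAINUSER_LIST = """\
List of SIDS in Administrators
S-1-5-21-1495248761-1620592545-1363874994-500
"""

def parse_users(text):
    """Parse Name/Info/Rid/Groups records into a list of dicts."""
    users = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if sep and key == "name":
            users.append({"name": value, "rid": None, "groups": []})
        elif sep and users and key == "rid" and value.isdigit():
            users[-1]["rid"] = int(value)
        elif sep and users and key == "groups":
            users[-1]["groups"] = [g.strip() for g in value.split(",") if g.strip()]
    return users

def sid_rids(text):
    """RID (last sub-authority) of each SID line in a domainuser listing."""
    return {int(m.group(1)) for m in re.finditer(r"^\s*S-1-(?:\d+-)+(\d+)\s*$", text, re.M)}

def still_admin(user_text, sid_text, group="Administrators"):
    """Return (name, via_groups_line, via_sid_list) for users still in `group`."""
    # Assumption: a SID whose RID equals a local user's Rid is that user.
    rids = sid_rids(sid_text)
    hits = []
    for u in parse_users(user_text):
        via_groups = group.lower() in [g.lower() for g in u["groups"]]
        via_sid = u["rid"] in rids
        if via_groups or via_sid:
            hits.append((u["name"], via_groups, via_sid))
    return hits

if __name__ == "__main__":
    for name, via_groups, via_sid in still_admin(USER_LIST, DOMAINUSER_LIST):
        print(f"{name}: Groups line={via_groups}, SID list={via_sid}")
```

An empty result after the `useradmin domainuser delete` step means neither listing still ties the account to Administrators.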
11 REPLIES
The Rid value of 500 for the Administrator user corresponds to the last number in the Administrator user’s SID. It is the Built-in account for administering the filer.
Please do:
==========
useradmin group delete group_name :- Deletes the specified group from the storage system.
Note: All users must be removed from a group before the group itself can be deleted.
useradmin user delete :- Deletes the specified user from the storage system. This command deletes any local user except for "root" and "snmp". The "snmp" administrative user can be disabled by modifying the audit role or "User" group.
Note: You cannot delete or modify a user with greater capabilities than you have.
Please follow this link for more information on administrator accounts:
https://library.netapp.com/ecmdocs/ECMM1278285/html/sysadmin/6admacc3.htm#1528063
As this is a built in account I don't think you can delete it. You can always open a case to get assistance from support.
Hope it helps!
Regards,
Ravi
OK this helps a little, but not quite what I need. I actually had no problem deleting the account and recreating with:
useradmin user add administrator -c "no admin privs" -g Guests
But my issue is that the account shows back up automatically in the Administrator group:
Name: administrator
Info: no admin privs
Rid: 500
Groups: Administrators,Guests
I also note that the Rid is still 500.
So is there no way to have an account named "administrator" that is not this reserved account?
I strongly believe you cannot have an account named "administrator" without it being in the "Administrators" group. Why do you want to have an account named administrator that is not in this group? Why not create a different group and add users to it with the roles you want to provide? I just want to understand the scenario, so that I can assist you in a better way.
We are using workgroup authentication for CIFS on a vfiler. We want to allow passthrough access (no authentication required) for "administrator" from the servers.
We have accomplished this for user Administrator by making the passwords on the server and filer 'administrator' accounts match. This works fine and Administrator on the servers can browse the CIFS shares without being prompted for credentials.
But, we do not want to have that "administrator" named account to be able to perform filer level administration tasks! And while it would be nice to say, "just use a different username" which would be a great solution, sometimes we aren't in a position to say that.
I know we also have the option of enabling guest access, but I would prefer to not open it to everyone.
I actually thought that was the scenario you were facing. Did you do CIFS setup in the following way?
Description
This article describes the procedure to set up a filer in Windows workgroup mode.
Procedure
- On the filer, enter:
cifs setup
- When prompted for What type of authentication will this filer use?, enter: 2 (Windows Workgroup authentication using the filer's user accounts). Note: In step 2 above, if using NIS or the filer's /etc/passwd file for Windows Workgroup authentication, enter 3 (/etc/passwd and/or NIS based authentication) instead of 2. Also, see 2010648: Cannot authenticate users in a Windows workgroup: enable plain text passwords
- These prompts will follow:
  - Enter Workgroup name.
  - Create the filer's local administrator account.
- To setup local Windows Workgroup users on the filer, use the useradmin useradd [username] command. Note: If using NIS or the filer's /etc/passwd file for Windows Workgroup authentication, Windows Workgroup users cannot be created using the useradmin command.
- Assign appropriate permissions for these local users on the Common Internet File System protocol (CIFS) shares using the cifs access command. See the cifs man page for details.
The following is a sample of cifs setup output for setting up a Windows Workgroup on a newly installed filer:
filer> cifs setup
Enable CIFS access to the filer by a Windows(tm) PC
Your filer is currently only visible to PCs on the same net.
Do you wish to make the system visible via WINS? [no]:
CIFS requires local /etc/passwd and /etc/group files for multiprotocol.
Default passwd file will be created containing root, pcuser,
and nobody.
Enter the password for root []:
Retype the password:
This filer is currently licensed for CIFS only.
The filer will be configured as a NTFS_only filer. It can
be changed to a Multiprotocol filer by reissuing the CIFS setup command.
The default name of this filer will be FILER.
Do you want to modify this name? [no]:
CIFS supports three types of user authentication:
1. Windows Domain authentication.
2. Windows Workgroup authentication using the filer's user accounts.
3. /etc/passwd and/or NIS based authentication.
What type of authentication will this filer use? [1]: 2
The filer will be part of a Workgroup, and will use local
user accounts for authentication.
This filer will be a member of the Windows Workgroup WORKGROUP.
Do you want to modify this name? [no]: WG1
Please enter either yes or no.
Do you want to modify this name? [no]: yes
Enter the Workgroup for the filer []: WG1
It is recommended that you create the local administrator
account (FILER\administrator) for this filer.
Create the FILER\administrator account? [yes]:
Set the password for FILER\administrator:
Retype the password:
Thu Dec 20 11:18:33 PST [rc:info]: User added
Thu Dec 20 11:18:33 PST [rc:notice]: security style for /vol/vol0/ changed from unix to ntfs
CIFS local server is running.
filer> Thu Dec 20 11:18:47 PST [nbns_timer:info]: All CIFS name registrations complete for local server
Since the filer is not registering to a WINS server, clients outside the immediate subnet will be unable to browse for the filer in Network Neighborhood. It is recommended to also setup a local DNS server. Another way to deal with name resolution is to populate the users with lmhosts or hosts files, although it is possible to use a WINS server even if the user is just in a workgroup.
Yes we did run through CIFS setup in that manner. If we run through CIFS setup (or re-run it), and say NO to the "configure administrator account" part, would that allow us to add an account named administrator that is not Rid 500?
I just tested this out in lab and it seems to work. The Rid is the same but it let me just set it as Guests:
>useradmin user list
Name: administrator
Info: not an administrator
Rid: 500
Groups: Guests
This should work OK?
Yes, it should work. Please mark this as answered if you got this resolved.
Hope I helped.
Best Regards,
Ravi
Also please follow this link for a detailed explanation.
https://library.netapp.com/ecmdocs/ECMM1278285/html/sysadmin/6admacc3.htm
Good to hear that the issue is resolved. Thanks for posting the solution here!
Best Regards,
Ravi