[Samba] Root user shows up as "administrator"
Rowland penny
rpenny at samba.org
Wed Feb 17 09:03:18 UTC 2021
On 17/02/2021 08:22, L.P.H. van Belle via samba wrote:
>> The problem with that is, there doesn't seem to be a BUILTIN\Administrator
> correct, that's exactly my point.
> ow, and now I see I wrote it wrong..
>
>> root at dc4:~# wbinfo -n BUILTIN\\Administrator
>> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not lookup name BUILTIN\Administrator
> I would have expected to see, S-1-5-21-<machine>-500
In theory, yes. Each domain computer (Windows and Samba) has a local and
domain SID, but there isn't and shouldn't be a 'S-1-5-21-localsid-500'
SID in AD, so how can you map something that doesn't exist to the 'root'
user?
There is also the little matter that the local SID is, well, 'local' 😁
> And in my opinion, this should be the one we should map.
> what I mean with "builtin\Administrator"
>
> The built-in domain, it contains groups that define roles on a local machine. S-1-5-21-<machine>-500, By default, it is the only user account that is given full control over the system.
> So this is the user we should use the map to root.
>
> in addition.
> BUILTIN_ADMINISTRATORS S-1-5-32-544 The built-in group.
The BUILTIN SIDS all start with 'S-1-5-32'
>
> After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Administrators group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Administrators group also is added to the Administrators group.
>
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab
>
> And I see I "misused" BUILTIN\Administrator here.. sorry.
>
> just, how i see it is..
>
> S-1-5-21-<machine>-500 should be mapped to User root.
But it doesn't exist on a Unix machine and is disabled on Windows
> BUILTIN_ADMINISTRATORS should be mapped to Group root
This would entail giving 'Administrators' the gidNumber '0' and this
appears to be where we came in.
> BUILTIN_USERS should be mapped to Group users
The group 'users' is mapped to Domain Users
> BUILTIN_GUESTS should be mapped to Group nobody
'ANONYMOUS' is mapped to 'nobody' and 'Guests' is disabled on Windows.
>
> And resulting in, now it's always ok, even if you are without the domain,
> if the server isn't AD or domain joined and after its join, the domain groups
> are members of the above builtin groups.
>
> Just my view on it.
We are all entitled to have our own view on things.
Rowland
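The SID classes argued over above (BUILTIN 'S-1-5-32-<rid>' versus domain 'S-1-5-21-<domain>-<rid>'), as an added audit helper that is not part of this thread or of Samba: it parses a SID, names the well-known RIDs mentioned in the discussion, and flags any mapping that hands out Unix id 0. The `SID -> uid|gid N` line format and the sample mappings are constructed for the example.

```python
import re

# Well-known RIDs mentioned in the thread (values from MS-DTYP).
BUILTIN_RIDS = {544: "Administrators", 545: "Users", 546: "Guests"}
DOMAIN_RIDS = {500: "Administrator", 513: "Domain Users"}

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")
# Constructed line format for the example: "<SID> -> uid|gid <number>".
MAP_RE = re.compile(r"^(S-1-[\d-]+)\s*->\s*(uid|gid)\s+(\d+)$")


def parse_sid(sid):
    """Split a SID into authority, sub-authorities and RID, and classify it.

    kind is 'builtin' for S-1-5-32-<rid>, 'domain' for
    S-1-5-21-<a>-<b>-<c>-<rid>, and 'other' for everything else.
    """
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    rid = subs[-1]
    if authority == 5 and len(subs) == 2 and subs[0] == 32:
        kind, name = "builtin", BUILTIN_RIDS.get(rid, f"RID {rid}")
    elif authority == 5 and len(subs) == 5 and subs[0] == 21:
        kind, name = "domain", DOMAIN_RIDS.get(rid, f"RID {rid}")
    else:
        kind, name = "other", f"RID {rid}"
    return {"authority": authority, "subs": subs, "rid": rid,
            "kind": kind, "name": name}


def audit_idmap(lines):
    """Return (sid, kind, name, idtype) for every mapping to Unix id 0.

    The thread's concern is 'Administrators' (S-1-5-32-544) ending up with
    gidNumber 0, so anything that resolves to root is listed for review.
    """
    findings = []
    for line in lines:
        m = MAP_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the constructed format
        sid, idtype, unix_id = m.group(1), m.group(2), int(m.group(3))
        if unix_id == 0:
            info = parse_sid(sid)
            findings.append((sid, info["kind"], info["name"], idtype))
    return findings


# Constructed sample mappings; the domain part 1111-2222-3333 is made up.
SAMPLE_IDMAP = [
    "S-1-5-32-544 -> gid 0",                  # BUILTIN\Administrators -> root
    "S-1-5-32-545 -> gid 100",                # BUILTIN\Users -> users
    "S-1-5-21-1111-2222-3333-500 -> uid 0",   # domain Administrator -> root
    "S-1-5-21-1111-2222-3333-513 -> gid 100", # Domain Users -> users
]
```

Running `audit_idmap(SAMPLE_IDMAP)` lists the two entries that resolve to Unix id 0, which is exactly the set an administrator would want to review before committing such an idmap.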