[PATCH] s4/provision: don't mix local uid numbers with domain mappings

Rowland Penny rpenny at samba.org
Wed Dec 13 22:21:03 UTC 2017


On Thu, 14 Dec 2017 11:01:11 +1300
Andrew Bartlett via samba-technical <samba-technical at lists.samba.org>
wrote:

> On Wed, 2017-12-13 at 14:42 +0100, Björn Jacke via samba-technical
> wrote:
> > From 514e4d8c57b9189a0a3dddcee1748db832f7b851 Mon Sep 17 00:00:00 2001
> > From: Björn Jacke <bjacke at samba.org>
> > Date: Wed, 13 Dec 2017 14:38:03 +0100
> > Subject: [PATCH] s4/provision: don't mix local uid numbers with
> > domain mappings
> > 
> > Mixing local IDs with domain-mapped IDs is a bad idea. Especially
> > don't mess with root's uid 0.
> > 
> > BUG: https://bugzilla.samba.org/show_bug.cgi?id=9837
> > 
> > Signed-off-by: Bjoern Jacke <bjacke at samba.org>
> > ---
> >  python/samba/provision/__init__.py | 6 ++++--
> >  1 file changed, 4 insertions(+), 2 deletions(-)
> > 
> > diff --git a/python/samba/provision/__init__.py
> > b/python/samba/provision/__init__.py index d95f46a..b63ef2e 100644
> > --- a/python/samba/provision/__init__.py
> > +++ b/python/samba/provision/__init__.py
> > @@ -786,8 +786,10 @@ def setup_name_mappings(idmap, sid, root_uid,
> > nobody_uid, """
> >      idmap.setup_name_mapping("S-1-5-7", idmap.TYPE_UID, nobody_uid)
> >  
> > -    idmap.setup_name_mapping(sid + "-500", idmap.TYPE_UID,
> > root_uid)
> > -    idmap.setup_name_mapping(sid + "-513", idmap.TYPE_GID,
> > users_gid)
> > +    # we should not mess with local uid/gid numbers (especially
> > not root's
> > +    # and the domain mappings, see bug 9837.
> > +    #idmap.setup_name_mapping(sid + "-500", idmap.TYPE_UID,
> > root_uid)
> > +    #idmap.setup_name_mapping(sid + "-513", idmap.TYPE_GID,
> > users_gid) 
> >  
> >  def setup_samdb_partitions(samdb_path, logger, lp, session_info,
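Review bot: the two `setup_name_mapping` calls for RIDs 500 and 513 are commented out rather than deleted, and the comment put in their place is left with an unclosed parenthesis ("(especially not root's" ... "and the domain mappings, see bug 9837."); drop the two `#idmap.setup_name_mapping(...)` lines outright (git history keeps them) and finish the comment, e.g. "# Do not tie domain RIDs 500/513 to local root_uid/users_gid; see bug 9837." With those calls gone, `root_uid` in the `setup_name_mappings(idmap, sid, root_uid, nobody_uid, ...)` signature and `users_gid` (used only in the removed line) have no remaining use in this hunk, so either remove them and the arguments at the call sites or say why they stay. The `S-1-5-7` -> `nobody_uid` mapping on the unchanged line above is also a local uid handed to a SID, so the comment should say why that one is kept while the domain RIDs are not. Finally, since this removes the only provisioning-time mapping of Administrator (RID 500) to `root_uid`, the commit message should state how Administrator is expected to keep root-equivalent rights on the DC, which is the question raised in the reply below.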
> 
> My primary concern with this is: will, after this, Administrator have
> the rights of root in terms of being able to override permissions on
> the files owned by others?
> 
> Thanks,
> 
> Andrew Bartlett
> 

As I understand it, if Administrator isn't mapped to root on a
newly provisioned DC, then nobody will be able to make any changes to
the DC from Windows.

This has come up a few times on the samba mailing list when people have
given Administrator a uidNumber that isn't '0'.

Rowland
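The check implied by the exchange above, written out as an added example
that is not part of this thread or of the samba code base: it parses the
LDIF that `ldbsearch` prints for idmap.ldb (record layout assumed from
memory: objectClass sidMap, objectSid, type, xidNumber) and reports whether
the domain Administrator (RID 500) is mapped to uid 0 and whether Domain
Users (RID 513) has a GID mapping, the two entries the patch stops
provisioning. The sample dump and the domain SID are constructed, with
Administrator deliberately given a non-zero uid to reproduce the situation
Rowland describes.

```python
"""Audit a Samba idmap.ldb dump for the Administrator -> root mapping.

Added example, not samba project code.  The idmap.ldb record layout
(objectClass: sidMap, objectSid, type, xidNumber) is assumed; confirm it
against your own `ldbsearch -H /var/lib/samba/private/idmap.ldb` output.
"""
import re

ADMINISTRATOR_RID = 500
DOMAIN_USERS_RID = 513

# Constructed sample dump: Administrator mapped to uid 10000 instead of 0,
# Anonymous (S-1-5-7) mapped to nobody, Domain Users mapped to gid 100.
SAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_LDIF = f"""\
dn: CN=S-1-5-7
cn: S-1-5-7
objectClass: sidMap
objectSid: S-1-5-7
type: ID_TYPE_UID
xidNumber: 65534

dn: CN={SAMPLE_DOMAIN_SID}-500
cn: {SAMPLE_DOMAIN_SID}-500
objectClass: sidMap
objectSid: {SAMPLE_DOMAIN_SID}-500
type: ID_TYPE_UID
xidNumber: 10000

dn: CN={SAMPLE_DOMAIN_SID}-513
cn: {SAMPLE_DOMAIN_SID}-513
objectClass: sidMap
objectSid: {SAMPLE_DOMAIN_SID}-513
type: ID_TYPE_GID
xidNumber: 100
"""


def parse_idmap_ldif(text):
    """Return {sid: (type, xid)} from an LDIF dump.

    LDIF folds long values onto continuation lines that start with a
    space, so those are unfolded before records are split on blank lines.
    """
    unfolded = re.sub(r"\n ", "", text)
    mappings = {}
    for record in re.split(r"\n\s*\n", unfolded.strip()):
        attrs = {}
        for line in record.splitlines():
            if ":" not in line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            attrs[key.strip().lower()] = value.strip()
        if attrs.get("objectclass") != "sidMap":
            continue
        sid, xid = attrs.get("objectsid"), attrs.get("xidnumber")
        if sid is None or xid is None:
            continue
        mappings[sid] = (attrs.get("type", ""), int(xid))
    return mappings


def audit_admin_mapping(mappings, domain_sid):
    """Return a list of findings; an empty list means Administrator maps
    to uid 0, no other SID does, and Domain Users has a GID mapping."""
    findings = []
    admin_sid = f"{domain_sid}-{ADMINISTRATOR_RID}"
    users_sid = f"{domain_sid}-{DOMAIN_USERS_RID}"

    admin = mappings.get(admin_sid)
    if admin is None:
        findings.append(f"{admin_sid} (Administrator) has no idmap entry")
    elif admin[0] not in ("ID_TYPE_UID", "ID_TYPE_BOTH"):
        findings.append(f"{admin_sid} mapped as {admin[0]}, not a uid")
    elif admin[1] != 0:
        findings.append(f"{admin_sid} (Administrator) maps to uid {admin[1]}, not 0")

    # root's uid handed to any other domain or well-known SID is a problem too.
    for sid, (typ, xid) in mappings.items():
        if sid != admin_sid and xid == 0 and typ in ("ID_TYPE_UID", "ID_TYPE_BOTH"):
            findings.append(f"{sid} maps to uid 0 but is not Administrator")

    users = mappings.get(users_sid)
    if users is None:
        findings.append(f"{users_sid} (Domain Users) has no idmap entry")
    elif users[0] not in ("ID_TYPE_GID", "ID_TYPE_BOTH"):
        findings.append(f"{users_sid} mapped as {users[0]}, not a gid")
    return findings


if __name__ == "__main__":
    for finding in audit_admin_mapping(parse_idmap_ldif(SAMPLE_LDIF), SAMPLE_DOMAIN_SID):
        print("WARNING:", finding)
```

On a real DC, pipe the `ldbsearch` output into `parse_idmap_ldif` and pass
the domain SID from `samba-tool domain info` or `wbinfo --domain-info`; the
sample above yields a single warning, that Administrator maps to uid 10000.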
