[PATCH] s4/provision: don't mix local uid numbers with domain mappings

Rowland Penny rpenny at samba.org
Thu Dec 14 11:14:26 UTC 2017


On Thu, 14 Dec 2017 11:53:46 +0100
Björn Jacke via samba-technical <samba-technical at lists.samba.org> wrote:

> On 2017-12-14 at 11:01 +1300 Andrew Bartlett via samba-technical sent
> off:
> > My primary concern with this is will, after this, administrator have
> > the rights of root in terms of being able to override permissions on
> > the files owned by others?
> 
> of course, other domain admin members, who don't have uidNumber=0
> would have issues also otherwise. On the other hand there are plenty
> of problems when uid 0 randomly resolves to a non-root user with a
> home directory which is not /root/. I'm a bit puzzled that you argue
> against this now after
> https://bugzilla.samba.org/show_bug.cgi?id=9837 was reported in the
> early days of Samba 4.0 (5 years ago), and you never commented on
> it, not even after Michael also mentioned that this should urgently
> be changed. On fileservers there are file permissions and privileges
> to handle things right. Bringing up a broken idmap configuration
> involving the messing up of the root user by default to enable people
> to get admin rights on fileservers is really bad.
> 
> Björn

Administrator only gets the ID '0' by default on a Samba DC; you have
to map Administrator to root manually on a Unix domain member.
I cannot think of any problems caused by mapping Administrator to root
on a DC; your problems seem to be self-inflicted.

If you have ssh set up correctly, you cannot log in as Administrator,
just as root cannot log in.

Rowland


