[Samba] nscd, ldap and the root/Administrator account

Tony Earnshaw tonye at billy.demon.nl
Thu May 5 11:23:04 GMT 2005

tor, 05.05.2005 kl. 12.02 skrev taso:

> The smbldap-populate script in smbldap-tools-0.8.8-1 (and other versions)
> no longer adds a user called Administrator - it adds a user called root. So
> what you now get is:
> # getent passwd | fgrep x:0
> root:x:0:0:root:/root:/bin/bash
> root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false

Yet another reason for me not to use the smbldap-tools. There are
several others.

> The first entry comes from /etc/passwd while the second comes from LDAP.
> I would feel happier if the LDAP root user had the same values as the
> /etc/passwd root user for common attributes, i.e. home directory -> /root
> and shell -> /bin/bash. Would anyone hazard a guess as to what I would
> screw up by doing that?

You wouldn't screw up anything, apart from security.

> Why is it it necessary to have an LDAP root user anyway? Would it work
> to have an LDAP Administrator user instead and map him to /etc/passwd
> root (as someone has previously mentioned)?

I don't recall what Samba version you're using, but if I recall
correctly, the only thing the root user was ever needed for was joining
machines to a domain. Presumably because he had to write to restricted
files. From Samba 3.0.11 the privilege SeMachineAccountPrivilege can be
assigned to a mortal to do this, so root isn't necessary at all from
that version upward.

That was the vision of the samba team. I don't have a root user in LDAP
any longer; I don't need him. The point about Administrator is that
he's only good for anything in Windows and it's his SID that counts. Why
Idealx would want to turn everything back to what it was before and muck
up security by reimplementing a second 0:0 object I can't even guess.

> > http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
> > http://www.samba.org/samba/docs/Samba-Guide.pdf
> > 
> I don't know about the HOWTO-Collection but the example in the Guide shows:
> #  getent passwd | grep root
> root:x:998:512:Netbios Domain Administrator:/home:/bin/false
> Why does LDAP root have uid 998 and what happened to the /etc/passwd root user?

On my rigs, though getent works normally for LDAP-based posixAccount
users, it doesn't give duplicates. If a user (e.g. root) is only present
in /etc/passwd, it will return that entry. If there's a duplicate entry
in passwd and LDAP (e.g. tonni) it will only return the passwd entry,
not the LDAP entry. Otherwise it returns the LDAP entry. It never
returns more than one entry.


Nothing sucksseeds like a pigeon without a beak ...

mail: tonye at billy.demon.nl
They'll love us, won't they? They feed us, don't they? ...
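An added audit check, not part of this thread or of smbldap-tools: it parses passwd-format output such as `getent passwd` and reports every uid-0 entry plus, for any account name that appears more than once (as in taso's two `root` lines), which of home, shell and gid disagree between the copies. The sample lines are constructed to mirror the thread's output; `parse_passwd` and `audit_uid0` are names assumed here.

```python
"""Audit passwd-format output (e.g. `getent passwd`) for duplicate uid-0 accounts.

Added example, not code from the thread. SAMPLE_GETENT is constructed to
mirror the two 'root' entries quoted above (one from /etc/passwd, one
from LDAP), plus one ordinary user.
"""
from collections import defaultdict

# Constructed sample of `getent passwd` output (not real system data).
SAMPLE_GETENT = """\
root:x:0:0:root:/root:/bin/bash
root:x:0:0:Netbios Domain Administrator:/home/root:/bin/false
tonni:x:1001:513:Tony:/home/tonni:/bin/bash
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Parse passwd(5)-style lines into dicts; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            continue
        entry = dict(zip(FIELDS, parts))
        entry["uid"] = int(entry["uid"])
        entry["gid"] = int(entry["gid"])
        entries.append(entry)
    return entries


def audit_uid0(entries):
    """Count uid-0 entries and list attribute conflicts between same-named accounts."""
    uid0 = [e for e in entries if e["uid"] == 0]
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    conflicts = {}
    for name, group in by_name.items():
        if len(group) < 2:
            continue
        # Fields where the duplicate entries would give NSS clients different answers.
        diffs = {f for f in ("home", "shell", "gid") if len({e[f] for e in group}) > 1}
        if diffs:
            conflicts[name] = sorted(diffs)
    return {"uid0_count": len(uid0),
            "uid0_names": [e["name"] for e in uid0],
            "conflicts": conflicts}


if __name__ == "__main__":
    print(audit_uid0(parse_passwd(SAMPLE_GETENT)))
```

To run it against a live system, feed the output of `getent passwd` to `parse_passwd` instead of the constructed sample; more than one uid-0 entry, or a `conflicts` entry for `root`, is the condition the thread describes.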
