[Samba] Samba 4.1.7 AD DC - Local Administrator == Domain Administrator ?!?

Peter Schaefer peter.schaefer at gmx.de
Sat Jan 4 16:29:26 MST 2014


Hello!

I have upgraded a Samba 3 NT DC instance to a Samba 4.1.7 AD DC. The update created an user called 
'DOMAIN/Administrator' which is supposed to be the new uber-'root' for the AD domain.

Now i just discovered using a W7 box that the local administrator user of this box (which is called 'Administrator', 
too) can do all the things the 'DOMAIN/Administrator' can do, too. I can browse all network shares and see and modify 
access rights without ever being asked for a password, despite the fact the user is just logged-in locally. The W7 box 
is domain member, however.

But: the 'LOCALPC/Administrator' is not a domain user and NEITHER in the 'Domain Users' NOR in the 'Domain 
Administrators' group and is surely NOT entitled to have those superpowers, IMNSHO.

How come? Security bug? Or am I'm not aware of some arcane Windows behaviour?

Regards,
  Peter


More information about the samba mailing list