[Samba] Samba 4.1.7 AD DC - Local Administrator == Domain Administrator ?!?
Peter Schaefer
peter.schaefer at gmx.de
Sat Jan 4 16:29:26 MST 2014
Hello!
I have upgraded a Samba 3 NT DC instance to a Samba 4.1.7 AD DC. The update created an user called
'DOMAIN/Administrator' which is supposed to be the new uber-'root' for the AD domain.
Now i just discovered using a W7 box that the local administrator user of this box (which is called 'Administrator',
too) can do all the things the 'DOMAIN/Administrator' can do, too. I can browse all network shares and see and modify
access rights without ever being asked for a password, despite the fact the user is just logged-in locally. The W7 box
is domain member, however.
But: the 'LOCALPC/Administrator' is not a domain user and NEITHER in the 'Domain Users' NOR in the 'Domain
Administrators' group and is surely NOT entitled to have those superpowers, IMNSHO.
How come? Security bug? Or am I'm not aware of some arcane Windows behaviour?
Regards,
Peter
More information about the samba
mailing list