[Samba] Samba 4.1.7 AD DC - Local Administrator == Domain Administrator ?!?

Dustin C. Hatch admiralnemo at gmail.com
Sat Jan 4 22:22:10 MST 2014

On 1/4/2014 17:29, Peter Schaefer wrote:
> Hello!
> I have upgraded a Samba 3 NT DC instance to a Samba 4.1.7 AD DC. The
> update created an user called 'DOMAIN/Administrator' which is supposed
> to be the new uber-'root' for the AD domain.
> Now i just discovered using a W7 box that the local administrator user
> of this box (which is called 'Administrator', too) can do all the things
> the 'DOMAIN/Administrator' can do, too. I can browse all network shares
> and see and modify access rights without ever being asked for a
> password, despite the fact the user is just logged-in locally. The W7
> box is domain member, however.
> But: the 'LOCALPC/Administrator' is not a domain user and NEITHER in the
> 'Domain Users' NOR in the 'Domain Administrators' group and is surely
> NOT entitled to have those superpowers, IMNSHO.
> How come? Security bug? Or am I'm not aware of some arcane Windows
> behaviour?
> Regards,
>   Peter

Is the password for the Administrator account on the workstation the 
same as the password for the domain Administrator? If so, Windows will 
seamlessly use that password to authenticate to network services, and 
you will be logged in as the domain Administrator instead.

Typically, in an AD environment, several precautions are taken to 
prevent this: a) don't use the same password for any local account as 
for any domain account; b) disable the local Administrator account c) 
rename and/or disable the domain Administrator account, and instead use 
another user account who is a member of Domain Admins

Hope this helps


More information about the samba mailing list