[Samba] Samba 4.1.7 AD DC - Local Administrator == Domain Administrator ?!?
Dustin C. Hatch
admiralnemo at gmail.com
Sat Jan 4 22:22:10 MST 2014
On 1/4/2014 17:29, Peter Schaefer wrote:
> Hello!
>
> I have upgraded a Samba 3 NT DC instance to a Samba 4.1.7 AD DC. The
> update created an user called 'DOMAIN/Administrator' which is supposed
> to be the new uber-'root' for the AD domain.
>
> Now i just discovered using a W7 box that the local administrator user
> of this box (which is called 'Administrator', too) can do all the things
> the 'DOMAIN/Administrator' can do, too. I can browse all network shares
> and see and modify access rights without ever being asked for a
> password, despite the fact the user is just logged-in locally. The W7
> box is domain member, however.
>
> But: the 'LOCALPC/Administrator' is not a domain user and NEITHER in the
> 'Domain Users' NOR in the 'Domain Administrators' group and is surely
> NOT entitled to have those superpowers, IMNSHO.
>
> How come? Security bug? Or am I'm not aware of some arcane Windows
> behaviour?
>
> Regards,
> Peter
Is the password for the Administrator account on the workstation the
same as the password for the domain Administrator? If so, Windows will
seamlessly use that password to authenticate to network services, and
you will be logged in as the domain Administrator instead.
Typically, in an AD environment, several precautions are taken to
prevent this: a) don't use the same password for any local account as
for any domain account; b) disable the local Administrator account c)
rename and/or disable the domain Administrator account, and instead use
another user account who is a member of Domain Admins
Hope this helps
--
♫Dustin
http://dustin.hatch.name/
More information about the samba
mailing list