[Samba] rfc2307 deprecated in Windows 2012 R2?

Rowland Penny rowlandpenny at googlemail.com
Fri Jan 30 09:35:44 MST 2015 

On 30/01/15 16:20, Hans-Kristian Bakke wrote:
> I do not understand the point about issues with administrator beeing
> mapped to a "random" rfc2307 UID. You need to explain the details
> surrounding that part to me as my experience is that this is OK and
> even necessary.
>
> The only reason for not giving Administrator a "random" UID/GID that I
> can think of is perhaps if you are doing some mapping of Administrator
> to root, something which I am personally strongly against as they are
> _not_ the same users from any central authentication point of view. It
> is just a hack for people that are doing the mistake of actually using
> the administrator account for linux administration, when it shouldn't
> really be used for anything at all, even on windows boxes, as you of
> should be adding dedicated admin accounts for each admin.
>
> The script only gives users and groups that are non-local (i.e domain
> users that would actually be used for logins with non-zero SIDs)
> uid/gids. Administrator is one of them and giving it an UID of
> 300500/whatever is absolutely correct and necessary if administrator
> is going to be able to login to the linux boxes like everybody else.
>  From a linux box's view in a Windows DC domain administrator is no
> different from other users. Add your admin group to sudoers and ssh
> allowgroups and you are done. This works beatifully in several well
> tested and abused production systems, also with ACLs with
> administrator added.
>
>
>

Well, there you go, you and I are at opposite ends of the spectrum. I am 
strongly against giving 'Administrator' a 'uidNumber' because you are 
turning a special windows user into an ordinary Unix user.
I personally think that 'Administrator' should be mapped to the root 
user (user 0), if you want another windows user to do administration on 
a Unix machine, create one and give this user a 'uidNumber'. It may help 
if you go look in idmap.ldb and see what the devs have mapped 
'Administrator' to.

Rowland

More information about the samba mailing list