[Samba] samba AD and Administrator UID

Alessandro Baggi alessandro.baggi at gmail.com
Mon Feb 15 11:25:43 UTC 2016


On 12/02/2016 16:35, Rowland penny wrote:
> On 12/02/16 14:42, Alessandro Baggi wrote:
>> Hi list,
>> maybe you remember my last post about configuring samba4 as AD and
>> related problems.
>>
>> Today I've found another issue, this is not a problem but I need
>> clarification.
>>
>> After domain provisioning (samba-tool domain provision) I got my
>> domain created. During provisioning the Administrator user (and other
>> users) and groups are created. During this procedure smbd is off and
>> started after provisioning. Running getent passwd and getent group I
>> found that the Administrator user has uid 0 (like root) and the Domain
>> Users group has gid 100 (like the users group).
>>
>> Is this type of config safe? Is there no conflict with another user
>> with the same uid/gid? Must Administrator have uid 0 or can it have
>> another uid?
>>
>> If Administrator can have another uid, how can I specify a different uid?
>>
>> Thanks in advance.
>>
>
> There are two schools of thought here, you can give administrator a
> uidNumber, but this would turn Administrator into just another Unix user
> and as such wouldn't be able to do anything that is required. You can
> work around this by using members of Domain Admins and giving the group
> the required permissions on Unix machines.
>
> The other way is the way that Samba does it: the AD user 'Administrator'
> is mapped to the Unix user 'root'; this allows 'Administrator' to change
> Unix settings from Windows. You do not actually have to use 'root' to
> change anything on a Unix machine, you can change the settings from a
> Windows machine as 'Administrator'; this is the way I would suggest
> doing things.
>
> The same goes for 'Domain Users': on a DC, this group is mapped to the
> Unix group 'users'.
>
> Rowland
>
>
Hi Rowland,
thank you for the answer.

What do you think is the better approach? In a traditional MS AD service 
Administrator has uid 0, but what are the security implications of 2 
users with the same id, in this case 0?

Is there software that I can use for AD Samba administration from Win?

Thanks in advance.
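
The overlap described in this thread (getent showing Administrator with uid 0 and Domain Users with gid 100) can be listed directly on a host. The script below is an added example, not part of the original messages; the SAMDOM domain name and all sample entries are constructed.

```shell
#!/bin/sh
# Added example: list numeric IDs that more than one user or group name holds.
# Input is passwd- or group-format text (name:password:id:...), as printed by
# getent. On a live host:  getent passwd | shared_ids ; getent group | shared_ids

shared_ids() {
    awk -F: '
        NF >= 3 && $3 ~ /^[0-9]+$/ {
            if (($3, $1) in seen) next       # count each name once per ID
            seen[$3, $1] = 1
            if (count[$3]++) names[$3] = names[$3] "," $1
            else             names[$3] = $1
        }
        END {
            for (id in count)
                if (count[id] > 1)
                    print id ": " names[id]
        }
    ' | sort -n
}

# Constructed sample data; SAMDOM is a placeholder domain name.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
SAMDOM\Administrator:*:0:100::/home/SAMDOM/Administrator:/bin/false
SAMDOM\alice:*:3000020:100::/home/SAMDOM/alice:/bin/false
EOF
}

sample_group() {
    cat <<'EOF'
root:x:0:
users:x:100:
SAMDOM\Domain Users:x:100:
SAMDOM\Domain Admins:x:3000004:
EOF
}

echo "Shared UIDs:"; sample_passwd | shared_ids
echo "Shared GIDs:"; sample_group | shared_ids
```

Any name reported against ID 0 is treated as root by the kernel for file ownership and permission checks, so that line is the one to review first.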


