[Samba] samba AD and Administrator UID
Alessandro Baggi
alessandro.baggi at gmail.com
Thu Feb 18 17:24:14 UTC 2016
On 15/02/2016 12:59, Rowland penny wrote:
> On 15/02/16 11:25, Alessandro Baggi wrote:
>> On 12/02/2016 16:35, Rowland penny wrote:
>>> On 12/02/16 14:42, Alessandro Baggi wrote:
>>>> Hi list,
>>>> maybe you remember my last post about configuring samba4 as AD and
>>>> related problems.
>>>>
>>>> Today I've found another issue, this is not a problem but I need
>>>> clarification.
>>>>
>>>> After domain provisioning (samba-tool domain provision) I got my
>>>> domain created. During provisioning the Administrator user (and other users)
>>>> and groups are created. During this procedure smbd is off and started
>>>> after provisioning. Running getent passwd and getent group I found that
>>>> the Administrator user has uid 0 (like root) and the Domain Users group has
>>>> gid 100 (like the users group).
>>>>
>>>> Is this type of config safe? Is there no conflict with other users
>>>> with the same uid/gid? Must Administrator have uid 0, or can it have
>>>> another uid?
>>>>
>>>> If Administrator can have another uid, how I can specify a different
>>>> uid?
>>>>
>>>> Thanks in advance.
>>>>
>>>
>>> There are two schools of thought here, you can give administrator a
>>> uidNumber, but this would turn Administrator into just another Unix user
>>> and as such wouldn't be able to do anything that is required. You can
>>> work around this by using members of Domain Admins and giving the group
>>> the required permissions on Unix machines.
>>>
>>> The other way is the way that Samba does it, the AD user 'Administrator'
>>> is mapped to the Unix user 'root' this allows 'Administrator' to change
>>> Unix settings from windows. You do not actually have to use 'root' to
>>> change anything on a Unix machine, you can change the settings from a
>>> windows machine as 'Administrator', this is the way I would suggest
>>> doing things.
>>>
>>> The same goes for 'Domain Users', on a DC, this group is mapped to the
>>> Unix group 'users'.
>>>
>>> Rowland
>>>
>>>
>> Hi Rowland,
>> thank you for the answer.
>>
>> What do you think is the better approach? In a traditional MS AD
>> service Administrator has uid 0, but what are the security implications
>> of 2 users with the same id, in this case 0?
>
> You haven't really got to two users with uid '0', what you have got is
> the 'root' user on Unix, this must be '0', and the 'Administrator' user
> on windows which has the RID '500'. The 'Administrator' user gets mapped
> to 'root' and inherits root's permissions, so as far as the two systems
> are concerned, you only have one user on each system, but the windows
> one impersonates the Unix one when required.
>
>>
>> Is there software that I can use for samba AD administration from Windows?
>>
>
> You can use ADUC.
>
> Rowland
>> Thanks in advance.
>>
>
>
Thanks for clarification.
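As an added example (not code from the thread or from Samba itself): a small Python check that parses constructed `getent passwd` / `getent group` output and reports names sharing a uid or gid, treating the Administrator-to-root and Domain Users-to-users overlaps Rowland describes as the expected DC mapping and listing everything else. The sample entries and the SAMDOM name are made up.

```python
from collections import defaultdict

# Constructed sample output in `getent passwd` / `getent group` format.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
Administrator:*:0:100::/home/SAMDOM/administrator:/bin/false
alice:*:10001:100::/home/SAMDOM/alice:/bin/false
bob:x:1000:1000:Bob:/home/bob:/bin/bash
backup-op:*:1000:100::/home/SAMDOM/backup-op:/bin/false
"""
SAMPLE_GROUP = """root:x:0:
users:x:100:
Domain Users:x:100:
Domain Admins:x:10000:
staff:x:10000:
"""

# Overlaps the thread describes as Samba's deliberate DC mapping:
# AD 'Administrator' -> Unix 'root', AD 'Domain Users' -> Unix 'users'.
EXPECTED_USER_ALIASES = {frozenset({"Administrator", "root"})}
EXPECTED_GROUP_ALIASES = {frozenset({"Domain Users", "users"})}


def parse_entries(text):
    """Map name -> numeric id from colon-separated passwd/group style lines."""
    ids = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            ids[fields[0]] = int(fields[2])  # uid or gid is the third field
    return ids


def find_collisions(ids, expected_aliases):
    """Return {id: sorted names} for ids shared by more than one name,
    skipping name pairs listed in expected_aliases."""
    by_id = defaultdict(set)
    for name, num in ids.items():
        by_id[num].add(name)
    return {num: sorted(names) for num, names in by_id.items()
            if len(names) > 1 and frozenset(names) not in expected_aliases}


def audit(passwd_text, group_text):
    """Unexpected uid/gid collisions, plus every name that resolves to uid 0."""
    users = parse_entries(passwd_text)
    groups = parse_entries(group_text)
    return {
        "uid": find_collisions(users, EXPECTED_USER_ALIASES),
        "gid": find_collisions(groups, EXPECTED_GROUP_ALIASES),
        "uid0": sorted(n for n, u in users.items() if u == 0),
    }
```

On a real DC, feed it the output of `getent passwd` and `getent group` instead of the constructed samples.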