[Samba] RFC2307: Recommendations for mapping Administrator account

Rowland Penny rpenny at samba.org
Thu Feb 8 08:42:58 UTC 2018


On Wed, 7 Feb 2018 21:37:06 +0100
Fred F via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> I provisioned a new domain with "--use-rfc2307" as I want to use the
> "ad" idmap backend on my domain members.
> 
> I am thinking of mapping the "Administrator" account to UID 10000
> (this is where my UID range for the domain will be starting), as the
> account must be known to the domain members (otherwise I got funny
> behavior). It seems a lot of people are mapping that account to root
> (UID 0) though. Even the Samba Wiki mentions that. Is that such a good
> idea?
> 
> I know that mapping the account to uidNumber=0 using RFC2307 AD attrs
> will not work globally, as this is out of the idmap range. I could map
> the account on each member locally using a custom username map, but I
> was wondering if this is even desirable.
> 
> Does it have any implications on the Samba AD DC, if the Administrator
> account has such a custom mapping? From what I understand the UID on
> the DC will still be 0.
> 

If you map Administrator to '10000' then it will become '10000'
everywhere and Administrator will become just another Unix user.

Administrator is mapped to '0' on a DC in idmap.ldb, you can also map
Administrator to '0' on a Unix domain member by creating a user.map and
adding the relevant line to smb.conf.

The short answer to your question is, do not map Administrator to
'10000'.

Rowland
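The member-side mapping Rowland refers to, as an added example that is not part of the thread or of Samba's own code: a small POSIX sh model of how a "username map" file resolves a Windows account name to a Unix user, plus the smb.conf line that points smbd at it. The domain name SAMDOM and the path /etc/samba/user.map are placeholders, the map file is constructed for the example, and the lookup function is a simplified model of smbd's behaviour (first matching line wins when it starts with "!", wildcard lines are not handled).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Samba project.
# Models how smbd's "username map" turns a Windows name into a Unix user so
# that the Administrator -> root mapping can be checked before deploying it.
# Assumptions: domain SAMDOM (placeholder), map at /etc/samba/user.map.

# Write the user.map a Unix domain member would use.  A leading "!" tells
# smbd to stop processing further lines once this one has matched.
write_sample_map() {
    cat > "$1" <<'EOF'
# /etc/samba/user.map (constructed sample for this example)
!root = SAMDOM\Administrator
EOF
}

# The smb.conf fragment that enables the map on the domain member.
write_smbconf_fragment() {
    cat > "$1" <<'EOF'
[global]
        username map = /etc/samba/user.map
EOF
}

# Lower-case helper; printf '%s' keeps backslashes in DOMAIN\user intact.
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# map_user MAPFILE WINNAME -> prints the Unix name.  Prints WINNAME unchanged
# when no line matches, which is what smbd does when there is no mapping.
# Simplified model: no "*" wildcards, no "@group" entries on the right side.
map_user() {
    mapfile=$1
    want=$(lc "$2")
    result=$2
    while IFS= read -r line || [ -n "$line" ]; do
        # Skip blank lines and comments ("#" or ";").
        case $line in ''|'#'*|';'*) continue ;; esac
        stop=0
        case $line in '!'*) stop=1; line=${line#!} ;; esac
        # Left of "=" is the Unix name; word splitting trims its whitespace.
        set -- ${line%%=*}
        unixname=$1
        rhs=${line#*=}
        # Right of "=" is a space-separated list of Windows names.
        for win in $rhs; do
            if [ "$(lc "$win")" = "$want" ]; then
                result=$unixname
                if [ "$stop" -eq 1 ]; then
                    printf '%s\n' "$result"
                    return 0
                fi
            fi
        done
    done < "$mapfile"
    printf '%s\n' "$result"
}

# Stand-alone demo: build the sample map and resolve a few names.
if [ "${1:-}" = "demo" ]; then
    tmpmap=$(mktemp)
    write_sample_map "$tmpmap"
    for name in 'SAMDOM\Administrator' 'samdom\ADMINISTRATOR' 'SAMDOM\fred'; do
        printf '%s -> %s\n' "$name" "$(map_user "$tmpmap" "$name")"
    done
    rm -f "$tmpmap"
fi
```

Run it as `sh example.sh demo` to see that both spellings of the Administrator name resolve to root while an unmapped user such as SAMDOM\fred is left alone. Matching is done case-insensitively here because Windows names are not case-sensitive; the `!` prefix is what makes the root mapping final even if a broader line follows it in the file.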
