[Samba] RFC2307: Recommendations for mapping Administrator account

Denis Cardon dcardon at tranquil.it
Thu Feb 8 09:55:30 UTC 2018


Hi Frederik,

> I provisioned a new domain with "--use-rfc2307" as I want to use the
> "ad" idmap backend on my domain members.

unless you have really specific requirements, you should really stick 
with RID mapping, it will be easier in the long run.

> I am thinking of mapping the "Administrator" account to UID 10000
> (this is where my UID range for the domain will be starting), as the
> account must be known to the domain members (otherwise I got funny
> behavior). It seems a lot of people are mapping that account to root
> (UID 0) though. Even the Samba Wiki mentions that. Is that such a good
> idea?

root on Linux would be the equivalent of "Local System" on Windows. 
The Windows Administrator account is definitely not "Local System", so in 
order to follow the privilege separation of Windows, I would say it is 
better not to map Administrator to root.

Moreover, in a more security-conscious context, the Administrator account 
should not be used altogether, since it does not map to a physical 
named person.

The best thing is to disable that account altogether, and have named 
accounts like dcardon-adm part of "domain admins" for specific tasks 
needing "domain admins" rights. But even in this case, except for 
joining a new DC (and a few non frequent other things like changing the 
schema), you shouldn't need "domain admins" level privileges. You should 
just use Delegated rights on the OU you are managing.

Cheers,

Denis

> I know that mapping the account to uidNumber=0 using RFC2307 AD attrs
> will not work globally, as this is out of the idmap range. I could map
> the account on each member locally using a custom username map, but I
> was wondering if this is even desirable.
>
> Does it have any implications on the Samba AD DC, if the Administrator
> account has such a custom mapping? From what I understand the UID on
> the DC will still be 0.
>
>
> Thanks,
> Frederik
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
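An added example (not from the thread or the Samba project) showing the two idmap choices discussed above side by side in a domain member's smb.conf: the "ad" backend from the question, where every account needs a uidNumber inside the range or it is invisible, and the "rid" backend recommended in the reply, where the UID is derived from the RID and can never be 0. The domain name EXAMPLE and the ranges are placeholders.

```ini
# Constructed example smb.conf idmap section for a domain member.
# "EXAMPLE" / "EXAMPLE.COM" and the ID ranges are placeholders.
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ADS

   # Default backend for everything not covered by a per-domain block
   # (BUILTIN, well-known SIDs). Its range must not overlap the domain range.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # Option A: the "ad" (RFC2307) backend from the question.
   # IDs come from uidNumber/gidNumber stored in AD. Any account without
   # them, or with a value outside the range (e.g. Administrator set to 0),
   # is simply unknown on the member, which is the "funny behavior" seen.
   # idmap config EXAMPLE : backend = ad
   # idmap config EXAMPLE : schema_mode = rfc2307
   # idmap config EXAMPLE : range = 10000-999999
   # idmap config EXAMPLE : unix_nss_info = yes

   # Option B: the "rid" backend recommended in the reply.
   # ID = RID + low end of the range, so Administrator (RID 500) becomes
   # UID 10500 on every member with the same config, no per-user attributes
   # are needed, and no domain account can ever map to UID 0.
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999

   # With "rid" there are no AD attributes for shell/home, so use templates.
   template shell = /bin/bash
   template homedir = /home/%D/%U
```

After restarting winbind on the member, `id 'EXAMPLE\Administrator'` (or `wbinfo -S` with the account's SID) should report the computed UID in the domain range rather than 0.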


