[Samba] RFC2307: Recommendations for mapping Administrator account

Rowland Penny rpenny at samba.org
Thu Feb 8 10:16:00 UTC 2018 

On Thu, 8 Feb 2018 10:55:30 +0100
Denis Cardon via samba <samba at lists.samba.org> wrote:

> Hi Frederik,
> 
> > I provisioned a new domain with "--use-rfc2307" as I want to use the
> > "ad" idmap backend on my domain members.
> 
> unless you have really specific requirements, you should really stick 
> with RID mapping, it will be easier on the long run.

Yes, but then you are stuck with using the same Unix home directory
paths and login shells for everybody.

> 
> > I am thinking of mapping the "Administrator" account to UID 10000
> > (this is where my UID range for the domain will be starting), as the
> > account must be known to the domain members (otherwise I got funny
> > behavior).It seems a lot of people are mapping that account to root
> > (UID 0) though. Even the Samba Wiki mentions that. Is that such a
> > good idea?
> 
> root on linux would be the equivalent of "Local System" on Windows. 
> Windows Administrator account is definitly not "Local System", so in 
> order to follow privileges separation of Windows, I would say it is 
> better not to map Administrator to root.

'root' is not the equivalent 'SYSTEM' and the Samba DC maps
'Administrator' to 'root' by default.

> 
> Moreover, in more security conscious context, Administrator account 
> should not be used alltogether, since it does not map to a physical 
> named person.

If you follow this thinking, then quite a few AD accounts should be
removed.

> 
> The best thing is to disable that account altogether, and have named 
> accounts like dcardon-adm part of "domain admins" for specific tasks 
> needing "domain admins" rights. But even in this case, except for 
> joining a new DC (and a few non frequent other things like changing
> the schema), you shouldn't need "domain admins" level privileges. You
> should just use Delegated rights on the OU you are managing.
> 

By all means create new groups, I use 'Unix Admins' instead of 'Domain
Admins'. This is all down to how the sysadmin wants to work, I
personally wouldn't disable 'Administrator', rename it yes.

Rowland

More information about the samba mailing list