[Samba] RFC2307: Recommendations for mapping Administrator account
Rowland Penny
rpenny at samba.org
Thu Feb 8 10:16:00 UTC 2018
On Thu, 8 Feb 2018 10:55:30 +0100
Denis Cardon via samba <samba at lists.samba.org> wrote:
> Hi Frederik,
>
> > I provisioned a new domain with "--use-rfc2307" as I want to use the
> > "ad" idmap backend on my domain members.
>
> unless you have really specific requirements, you should really stick
> with RID mapping, it will be easier in the long run.
Yes, but then you are stuck with using the same Unix home directory
paths and login shells for everybody.
>
> > I am thinking of mapping the "Administrator" account to UID 10000
> > (this is where my UID range for the domain will be starting), as the
> > account must be known to the domain members (otherwise I got funny
> > behavior). It seems a lot of people are mapping that account to root
> > (UID 0) though. Even the Samba Wiki mentions that. Is that such a
> > good idea?
>
> root on Linux would be the equivalent of "Local System" on Windows.
> Windows Administrator account is definitely not "Local System", so in
> order to follow privileges separation of Windows, I would say it is
> better not to map Administrator to root.
'root' is not the equivalent of 'SYSTEM' and the Samba DC maps
'Administrator' to 'root' by default.
>
> Moreover, in more security conscious context, Administrator account
> should not be used altogether, since it does not map to a physical
> named person.
If you follow this thinking, then quite a few AD accounts should be
removed.
>
> The best thing is to disable that account altogether, and have named
> accounts like dcardon-adm part of "domain admins" for specific tasks
> needing "domain admins" rights. But even in this case, except for
> joining a new DC (and a few non frequent other things like changing
> the schema), you shouldn't need "domain admins" level privileges. You
> should just use Delegated rights on the OU you are managing.
>
By all means create new groups, I use 'Unix Admins' instead of 'Domain
Admins'. This is all down to how the sysadmin wants to work, I
personally wouldn't disable 'Administrator', rename it yes.
Rowland