[Samba] RFC2307: Recommendations for mapping Administrator account

Denis Cardon dcardon at tranquil.it
Thu Feb 8 10:37:45 UTC 2018


Hi Rowland,

>>> I provisioned a new domain with "--use-rfc2307" as I want to use the
>>> "ad" idmap backend on my domain members.
>>
>> unless you have really specific requirements, you should really stick
>> with RID mapping, it will be easier on the long run.
>
> Yes, but then you are stuck with using the same Unix home directory
> paths and login shells for everybody.

Life is a series of trade-offs...

>>> I am thinking of mapping the "Administrator" account to UID 10000
>>> (this is where my UID range for the domain will be starting), as the
>>> account must be known to the domain members (otherwise I got funny
>>> behavior). It seems a lot of people are mapping that account to root
>>> (UID 0) though. Even the Samba Wiki mentions that. Is that such a
>>> good idea?
>>
>> root on linux would be the equivalent of "Local System" on Windows.
>> Windows Administrator account is definitely not "Local System", so in
>> order to follow privileges separation of Windows, I would say it is
>> better not to map Administrator to root.
>
> 'root' is not the equivalent 'SYSTEM'

Could you please elaborate? An account that has all privileges on the 
local system, well, how would you call that?

> and the Samba DC maps 'Administrator' to 'root' by default.

Better privilege separation is something that is being looked at.

Cheers,

Denis

>> Moreover, in more security conscious context, Administrator account
>> should not be used altogether, since it does not map to a physical
>> named person.
>
> If you follow this thinking, then quite a few AD accounts should be
> removed.
>
>>
>> The best thing is to disable that account altogether, and have named
>> accounts like dcardon-adm part of "domain admins" for specific tasks
>> needing "domain admins" rights. But even in this case, except for
>> joining a new DC (and a few non frequent other things like changing
>> the schema), you shouldn't need "domain admins" level privileges. You
>> should just use Delegated rights on the OU you are managing.
>>
>
> By all means create new groups, I use 'Unix Admins' instead of 'Domain
> Admins'. This is all down to how the sysadmin wants to work, I
> personally wouldn't disable 'Administrator', rename it yes.
>
> Rowland
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
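As an added illustration of the two idmap choices discussed in this thread (not configuration from either poster), here is what the "ad" backend looks like on a domain member, with the "rid" alternative shown for comparison. The domain name EXAMPLE, the realm, and the ranges are placeholders; the "ad" backend is the one that needs the RFC2307 attributes (uidNumber, gidNumber, loginShell, unixHomeDirectory) that "--use-rfc2307" provisions, and it resolves only accounts that carry a uidNumber inside the configured range.

```ini
# Added example, not from the thread: smb.conf fragment for a Samba
# *domain member* (not the DC). Names and ranges are placeholders.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS

    # Catch-all backend for SIDs outside the domain (BUILTIN, well-known
    # SIDs). Its range must not overlap the domain range below.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # "ad" backend: UIDs/GIDs are read from uidNumber/gidNumber in AD.
    # An account with no uidNumber, or one outside the range, is simply
    # unknown on this member. That is why an account that must be known
    # everywhere (such as Administrator) needs a uidNumber inside the
    # range; the thread proposes 10000, the first ID of the range.
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999

    # Take each user's login shell and home directory from AD instead of
    # the template settings. This per-user flexibility is what the "ad"
    # backend buys over "rid" (see the exchange above).
    idmap config EXAMPLE : unix_nss_info = yes

    # Used only when unix_nss_info is off or the AD attributes are absent.
    template shell = /bin/bash
    template homedir = /home/%U

# "rid" alternative (the simpler option recommended earlier in the thread):
# IDs are computed from the RID part of the SID, so no AD attributes are
# required, but every user gets the same template shell and home pattern.
#    idmap config EXAMPLE : backend = rid
#    idmap config EXAMPLE : range = 10000-999999
```

After a join and a winbind restart, `getent passwd 'EXAMPLE\Administrator'` on the member shows whether the account resolves to the intended UID; with the "ad" backend an empty result usually means the uidNumber attribute is missing or outside the range. Note that the DC's own mapping of Administrator to root lives in the DC's local idmap and does not propagate to members.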


