[Samba] How to fix mapping Administrator to root
rpenny at samba.org
Mon Jun 3 09:33:21 UTC 2019
On 03/06/2019 10:09, adam_xu--- via samba wrote:
> Hi sambalist,
> I have been using Samba AD DC for about 2 years. I have 2 DCs and one file server. I didn't map the Administrator to root because the wiki said:
> "Mapping the domain administrator to the local root account is optional. Only configure the mapping if the domain administrator must be able to execute file operations on the domain member using root permissions. You should be aware that mapping Administrator to the root account will not allow you to log onto Unix domain members as Administrator."
> So I gave the Administrator user a uidNumber and it seems like a Unix user. I can get the user info via "getent passwd administrator".
But you have mapped Administrator, just not to root.
On a DC, Administrator is automatically mapped to root in idmap.ldb; on
a Unix domain member, to do the same, you add a user.map. When you gave
Administrator a uidNumber, you turned it into a normal Unix user with
the lack of authority this entails.
> It seems that everything has worked fine these years, but I saw some suggestions on the mailing list that said we "should not give Administrator a uidNumber".
> So is there any disadvantage if I give a uidNumber to Administrator? And how could I fix that if I already did that? I tried to set the uidNumber to none, but it didn't make sense. I still got user info like
> getent passwd administrator
If you had tried to do something as Administrator on a Unix domain
member, you would have found the disadvantages, but as it seems you
haven't, then I would leave things alone, except for removing the
uidNumber from Administrator and running 'net cache flush' on every Unix
I will rewrite that wikipage.
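
Added example, not part of the original message or of Samba: a small Python check for the two conditions discussed above, namely whether Administrator carries a uidNumber and whether a member's user.map maps it to root. The SAMDOM domain, the sample LDIF and map contents, and the function names are assumptions made for illustration; the map syntax follows the `username map` file format described in smb.conf(5).

```python
import re

# Constructed sample: the Administrator entry as LDIF (e.g. ldbsearch output).
# The SAMDOM domain and the uidNumber value are made up for this example.
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Administrator
uidNumber: 10000
"""

# Constructed sample of a username map file on a Unix domain member.
SAMPLE_USER_MAP = "# map the domain admin to root\n!root = SAMDOM\\Administrator\n"

def ldif_attrs(ldif):
    """Parse one LDIF entry into {lowercased attribute: [values]}."""
    unfolded = re.sub(r"\n ", "", ldif)  # LDIF folds long lines with "\n "
    attrs = {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def mapped_unix_user(user_map, account):
    """Return the Unix name of the first map line listing `account`, else None.
    Simplification: group (@) and wildcard (*) entries are not interpreted."""
    for line in user_map.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix, _, rhs = line.partition("=")
        names = [n.strip('"') for n in re.findall(r'"[^"]*"|\S+', rhs)]
        if account.lower() in (n.lower() for n in names):
            return unix.strip().lstrip("!").strip()  # "!" = stop at this line
    return None

def audit(ldif, user_map, account=r"SAMDOM\Administrator"):
    """List the two problems discussed in the thread, if present."""
    findings = []
    uid = ldif_attrs(ldif).get("uidnumber")
    if uid:
        findings.append(f"Administrator has uidNumber {uid[0]}: it is a normal Unix user")
    if mapped_unix_user(user_map, account) != "root":
        findings.append(f"{account} is not mapped to root in the username map")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LDIF, SAMPLE_USER_MAP):
        print(finding)
```

After removing the uidNumber, the cached mapping on each member still has to be cleared with 'net cache flush', as the reply says, before `getent passwd administrator` reflects the change.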