[Samba] How to fix mapping Administrator to root

Rowland Penny rpenny at samba.org
Mon Jun 3 09:33:21 UTC 2019


On 03/06/2019 10:09, adam_xu--- via samba wrote:
> Hi sambalist,
>
>   I've been using Samba AD DC for about 2 years. I have 2 DCs and one file server. I didn't map the Administrator to root because the wiki said:
>
> "Mapping the domain administrator to the local root account is optional. Only configure the mapping if the domain administrator must be able to execute file operations on the domain member using root permissions. You should be aware that mapping Administrator to the root account will not allow you to log onto Unix domain members as Administrator."
>
> So I gave the Administrator user a uidNumber and it seems like a Unix user. I can get the user info via "getent passwd administrator"

But you have mapped Administrator, just not to root.

On a DC, Administrator is automatically mapped to root in idmap.ldb; on 
a Unix domain member, to do the same, you add a user.map. When you gave 
Administrator a uidNumber, you turned it into a normal Unix user with 
the lack of authority this entails.

>
> It seems that everything has worked fine these years, but I saw some suggestions on the mailing list saying we "should not give Administrator a uidNumber".
>   So is there any disadvantage if I give a uidNumber to Administrator? And how could I fix that if I already did that? I tried to set the uidNumber to none, but it didn't make sense. I still got user info like
> getent passwd administrator
> administrator:*:10000:10001:....
>
If you had tried to do something as Administrator on a Unix domain 
member, you would have found the disadvantages, but as it seems you 
haven't, then I would leave things alone, except for removing the 
uidNumber from Administrator and running 'net cache flush' on every Unix 
domain member.

I will rewrite that wikipage.

Rowland
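
The clean-up described in the reply above, as an added example that is not part of the original message or of Samba itself: a shell helper that builds the LDIF to delete uidNumber from the Administrator object and classifies a `getent passwd administrator` line so each Unix domain member can be checked after 'net cache flush'. The DN is a placeholder, the function names are hypothetical, and it assumes the member takes its uid from the uidNumber attribute.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names are hypothetical.
# Assumption: the DN below is a placeholder; substitute your own domain's DN.
ADMIN_DN='CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com'

# Print the LDIF that removes the uidNumber attribute from the given DN.
# It would be applied on a DC with an LDAP/ldb modify tool of your choice.
remove_uidnumber_ldif() {
    printf 'dn: %s\nchangetype: modify\ndelete: uidNumber\n' "$1"
}

# Classify one line of `getent passwd administrator` output.
#   empty input  -> unresolved       (no passwd entry is returned)
#   uid 0        -> root
#   other uid    -> unix-user:<uid>  (Administrator is an ordinary Unix user)
classify_admin_entry() {
    line=$1
    [ -z "$line" ] && { echo unresolved; return 0; }
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    case $uid in
        ''|*[!0-9]*) echo malformed; return 1 ;;
        0)           echo root ;;
        *)           echo "unix-user:$uid" ;;
    esac
}

# Run on each Unix domain member after the uidNumber has been removed:
# flush the cache first, otherwise the old entry may still be returned.
audit_member() {
    net cache flush
    classify_admin_entry "$(getent passwd administrator)"
}

# The line quoted in the thread still reports a normal Unix uid.
classify_admin_entry 'administrator:*:10000:10001:....'
remove_uidnumber_ldif "$ADMIN_DN"
```
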




