[Samba] Root user shows up as "administrator"

L.P.H. van Belle belle at bazuin.nl
Tue Feb 16 13:52:28 UTC 2021 

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland penny via
> samba
> Verzonden: dinsdag 16 februari 2021 14:32
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Root user shows up as "administrator"
> 
> On 16/02/2021 12:52, Björn JACKE via samba wrote:
> > On 2021-02-16 at 09:39 +1300 Andrew Bartlett via samba sent off:
> >> The default idmap.ldb entries give UID 0 (root) to the administrator
> >> user to ensure it can change all files.
> >>
> >> I know some other developers disagree about the wisdom of this, but for
> >> now that is what the code does.
> > yes, there are many people who thing that Adminstrator should not have
> > uidNUmber 0 assigned, me too. It can cause issues at several places.
> What
> > Andrew refers to is discussed in
> > https://bugzilla.samba.org/show_bug.cgi?id=9837
> >
> > Björn
> >
> 
> And there are even more that think that making the Windows 'super' user
> into a standard Unix user is a bad idea and could lead to even more
> security problems. If you are having problems with Administrator being
> mapped to the Unix user root, then you are doing something wrong.
> 
> I keep looking at your bug report and thinking that I should just close
> it as being 'invalid', but I just ignore it in the end.
> 
> It has been common practice to map Administrator to root for years, even
> before the advent of Samba AD and I haven't seen any mention of a
> related security problem.
> 
> Rowland
> 

Well, now look again. 

ADDOM\Administrator !=  BUILTIN\Administrator   
The rest is in the bug report. 

basicly it comes to .. 
> And there are even more that think that making the Windows 'super' user
> into a standard Unix user is a bad idea

using BUILTIN\ fixes this in my opinion. 

> could lead to even more security problems.
yes, as any other with sudo or added to Domain Admins or root,
but same here. 
Using BUILTIN\ fixes that. 

As long you obey the following
BUILTIN\Users is mapped to Linux\Users	
BUILTIN\Adminsitrator is mapped to LINUX\root 

ADDOM\Domain Users is mapped to BUILTIN\Users ( windows default ) 
ADDOM\Domain Admins is mapped to BUILTIN\Administrator ( windows default )


Now, Domain admins have selective rights, you assing a GID now, its "like" a normal user, as in windows, but because its also in BUILTIN\Adminsitrator 
it can perform tasks on samba/the systems. 
but only where samba allows you too. 

Thats is bit how im setup. 

my windows Administrator is allow on all shares and all server 
with admin rights, but as Linux user on the real OS, 
Administrator not allowed anything.

LinuxAdmins != Windows Admins. 
i just create 2 logins as admin, 1 is used, one its password
 is in the locked Safe. 

And that is how i protect the linux environment and Windows/Samba environments. 

I hope this helps someone, 

Greetz, 

Louis

More information about the samba mailing list