[Samba] Root user shows up as "administrator"

L.P.H. van Belle belle at bazuin.nl
Tue Feb 16 14:07:57 UTC 2021


Sorry, missed this, .. 


> ADDOM\Domain Admins is mapped to BUILTIN\Administrators
> BUILTIN\Administrators is mapped to LINUX\root

missed the S in group BUILTIN\Administrators


> 
> Well, now look again.
> 
> ADDOM\Administrator !=  BUILTIN\Administrator
> The rest is in the bug report.
> 
> basically it comes to ..
> > And there are even more that think that making the Windows 'super' user
> > into a standard Unix user is a bad idea
> 
> using BUILTIN\ fixes this in my opinion.
> 
> > could lead to even more security problems.
> yes, as any other with sudo or added to Domain Admins or root,
> but same here.
> Using BUILTIN\ fixes that.
> 
> As long as you obey the following
> BUILTIN\Users is mapped to Linux\Users
> BUILTIN\Administrator is mapped to LINUX\root
> 
> ADDOM\Domain Users is mapped to BUILTIN\Users ( windows default )
> ADDOM\Domain Admins is mapped to BUILTIN\Administrator ( windows default )
> 
> 
> Now, Domain Admins have selective rights, you assign a GID now, it's "like"
> a normal user, as in Windows, but because it's also in
> BUILTIN\Administrator
> it can perform tasks on samba/the systems.
> but only where samba allows you to.
> 
> That's a bit how I'm set up.
> 
> My Windows Administrator is allowed on all shares and all servers
> with admin rights, but as Linux user on the real OS,
> Administrator is not allowed anything.
> 
> LinuxAdmins != Windows Admins.
> I just create 2 logins as admin, 1 is used, the other's password
>  is in the locked safe.
> 
> And that is how I protect the Linux environment and Windows/Samba
> environments.
> 
> I hope this helps someone,
> 
> Greetz,
> 
> Louis