[Samba] Root user shows up as "administrator"
L.P.H. van Belle
belle at bazuin.nl
Tue Feb 16 14:07:57 UTC 2021
Sorry, missed this, ..
> ADDOM\Domain Admins is mapped to BUILTIN\Administrators
> BUILTIN\Administrators is mapped to LINUX\root
missed the S in group BUILTIN\Administrators
>
> Well, now look again.
>
> ADDOM\Administrator != BUILTIN\Administrator
> The rest is in the bug report.
>
> basically it comes to ..
> > And there are even more that think that making the Windows 'super' user
> > into a standard Unix user is a bad idea
>
> using BUILTIN\ fixes this in my opinion.
>
> > could lead to even more security problems.
> yes, as any other with sudo or added to Domain Admins or root,
> but same here.
> Using BUILTIN\ fixes that.
>
> As long as you obey the following
> BUILTIN\Users is mapped to Linux\Users
> BUILTIN\Administrator is mapped to LINUX\root
>
> ADDOM\Domain Users is mapped to BUILTIN\Users ( windows default )
> ADDOM\Domain Admins is mapped to BUILTIN\Administrator ( windows default )
>
>
> Now, Domain Admins have selective rights, you assign a GID now, it's "like"
> a normal user, as in Windows, but because it's also in
> BUILTIN\Administrator
> it can perform tasks on samba/the systems.
> but only where samba allows you to.
>
> That is a bit how I'm set up.
>
> my Windows Administrator is allowed on all shares and all servers
> with admin rights, but as Linux user on the real OS,
> Administrator is not allowed anything.
>
> LinuxAdmins != Windows Admins.
> I just create 2 logins as admin, 1 is used, one has its password
> in the locked safe.
>
> And that is how I protect the Linux environment and Windows/Samba
> environments.
>
> I hope this helps someone,
>
> Greetz,
>
> Louis