[Samba] Root user shows up as "administrator"
L.P.H. van Belle
belle at bazuin.nl
Wed Feb 17 08:22:59 UTC 2021
>
> The problem with that is, there doesn't seem to be a BUILTIN\Administrator
correct, thats exactly my point.
ow, and now i see i wrote it wrong..
>
> root at dc4:~# wbinfo -n BUILTIN\\Administrator
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup name BUILTIN\Administrator
I would have expected to see, S-1-5-21-<machine>-500
And in my opinion, this should be the one we should map.
what i mean with "builtin\Administrator
The built-in domain, it contains groups that define roles on a local machine. S-1-5-21-<machine>-500, By default, it is the only user account that is given full control over the system.
So this is the user we should use the map to root.
in addition.
BUILTIN_ADMINISTRATORS S-1-5-32-544 The built-in group.
After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Administrators group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Administrators group also is added to the Administrators group.
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab
And i see I "miss used" BUILTIN\Adminsitrator here.. sorry.
just, how i see it is..
S-1-5-21-<machine>-500 should be mapped to User root.
BUILTIN_ADMINISTRATORS should be mapped to Group root
BUILTIN_USERS should be mapped to Group users
BUILTIN_GUESTS should be mapped to Group nobody
And resulting in, now its always ok, even if you are without the domain,
if the server isnt AD or domain joined and after its join, the domain groups
are member of the above builtin groups.
Just my view on it.
Greetz,
Louis
More information about the samba
mailing list