[Samba] Root user shows up as "administrator"

Rowland penny rpenny at samba.org
Wed Feb 17 09:03:18 UTC 2021

On 17/02/2021 08:22, L.P.H. van Belle via samba wrote:
>> The problem with that is, there doesn't seem to be a BUILTIN\Administrator
> correct, that's exactly my point.
> oh, and now I see I wrote it wrong..
>> root at dc4:~# wbinfo -n BUILTIN\\Administrator
>> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not lookup name BUILTIN\Administrator
> I would have expected to see S-1-5-21-<machine>-500

In theory, yes. Each domain computer (Windows and Samba) has a local and 
domain SID, but there isn't and shouldn't be a 'S-1-5-21-localsid-500' 
SID in AD, so how can you map something that doesn't exist to the 'root' 
user?

There is also the little matter that the local SID is, well, 'local'  😁

> And in my opinion, this is the one we should map.
> What I mean with "BUILTIN\Administrator":
> The built-in domain, it contains groups that define roles on a local machine. S-1-5-21-<machine>-500, by default, is the only user account that is given full control over the system.
> So this is the user we should map to root.
> In addition:
> BUILTIN_ADMINISTRATORS   S-1-5-32-544   The built-in group.

The BUILTIN SIDs all start with 'S-1-5-32'.

> After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Administrators group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Administrators group also is added to the Administrators group.
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab
> And I see I "misused" BUILTIN\Administrator here.. sorry.
> Just, how I see it is..
> S-1-5-21-<machine>-500 should be mapped to User root.

But it doesn't exist on a Unix machine and is disabled on Windows.

> BUILTIN_ADMINISTRATORS should be mapped to Group root

This would entail giving 'Administrators' the gidNumber '0' and this 
appears to be where we came in.

> BUILTIN_USERS            should be mapped to Group users

The group 'users' is mapped to Domain Users.

> BUILTIN_GUESTS           should be mapped to Group nobody

'ANONYMOUS' is mapped to 'nobody' and 'Guests' is disabled on Windows.

> And resulting in, now it's always ok, even if you are without the domain,
> if the server isn't AD or domain joined, and after its join, the domain groups
> are members of the above builtin groups.
> Just my view on it.

We are all entitled to have our own view on things.
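As an added illustration of the SID forms argued over in this thread (not code from the thread or from Samba): a small parser that tells a BUILTIN SID (S-1-5-32-*) from a machine or domain SID (S-1-5-21-*-RID), and a check that flags any entry of a proposed SID-to-Unix-id table that would land on uid/gid 0, the mapping Rowland objects to. The RID name tables are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed lookup tables covering the SIDs named in the thread.
NT_AUTHORITY = 5
BUILTIN_SUBAUTH = 32          # S-1-5-32-*  : the BUILTIN domain
NON_UNIQUE_SUBAUTH = 21       # S-1-5-21-*  : machine-local or AD domain SIDs
BUILTIN_NAMES = {544: "Administrators", 545: "Users", 546: "Guests"}
DOMAIN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauths: tuple

    @property
    def rid(self) -> int:
        return self.subauths[-1]


def parse_sid(text: str) -> Sid:
    """Parse the textual S-R-A-S1-...-Sn form; anything else is rejected."""
    m = SID_RE.match(text)
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    subs = tuple(int(s) for s in m.group(3).split("-")[1:])
    return Sid(int(m.group(1)), int(m.group(2)), subs)


def classify(sid: Sid) -> str:
    """Name a SID the way the thread does: BUILTIN, 21-domain RID, or other."""
    if sid.authority != NT_AUTHORITY:
        return "other"
    if sid.subauths[0] == BUILTIN_SUBAUTH:
        return "BUILTIN\\" + BUILTIN_NAMES.get(sid.rid, f"RID {sid.rid}")
    if sid.subauths[0] == NON_UNIQUE_SUBAUTH and len(sid.subauths) == 5:
        # A machine SID and a domain SID share RID meanings (500 = Administrator);
        # only the three middle sub-authorities say which domain it belongs to.
        return "S-1-5-21-<x>-" + DOMAIN_RIDS.get(sid.rid, f"RID {sid.rid}")
    return "well-known"


def root_mappings(idmap: dict) -> list:
    """Return the SIDs a proposed SID->Unix-id table would map to uid/gid 0."""
    return sorted(s for s, unix_id in idmap.items() if unix_id == 0)
```

Running `root_mappings({"S-1-5-32-544": 0})` reports the Administrators-to-gid-0 mapping the thread starts from, while `parse_sid("BUILTIN\\Administrator")` raises, mirroring the failed wbinfo lookup of a name that is not a SID.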
