[Samba] DOMAIN\Administrator mapped to root vs. CVE-2020-25717 fix including "min domain uid" = 1000

r.barclay at habmalnefrage.de
Fri May 27 21:12:28 UTC 2022


Hi,

I run a small Linux-based network that uses Samba for login (AD) and SMB file sharing.

There are only 2 Windows machines:
1) A virtual machine running Windows 10 Pro that I only use to administer shares and permissions with a GUI.
2) A sparsely used Windows notebook

Recently I needed to set some new permissions. This happens once in a few months.
So I logged into the Windows 10 machine as DOMAIN\Administrator. That worked fine.

But sadly I couldn't access my fileserver. Windows wouldn't show its shares. And if I directly navigate to a share ("\\fileserver.ad.mydom.intranet\myshare"), it would show error 0x80004005.

After some hours I figured out the reason:

The DOMAIN\Administrator is mapped to root on the domain controller:
!root = DOMAIN\Administrator

The fileserver log shows:
make_server_info_info3: Username 'DOMAIN\Administrator' is invalid on this system, it does not meet 'min domain uid' restriction (0 < 1000): NT_STATUS_INVALID_TOKEN

This made me find out about the fix for CVE-2020-25717:
https://www.samba.org/samba/security/CVE-2020-25717.html

It introduced a setting "min domain uid", which is 1000 by default. So it excluded my Administrator being mapped to root.

If I add
min domain uid = 0
to the smb.conf of the fileserver, everything works fine again. :)

So I could manage the permissions and finish work. :)

But... This change was probably introduced for good reasons. And I worked around it. What do you think?
Did I open up a horrible security hole?
What are the implications?
Should "DOMAIN\Administrator" actually never be mapped to root?
As far as I remember the setup years ago, some things didn't work without that.

Thanks in advance for your advice!
Reginald

PS: I'd love to get rid of Windows entirely in this network. Is there a smooth Linux console only way to administer share and folder permissions for groups and users without the Windows GUI nowadays?
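An added audit script (not code from the poster or from the Samba project) that checks the three things this thread turns on: the effective "min domain uid" in smb.conf, whether a "username map" file sends a domain account to root, and whether the fileserver log shows tokens refused by that check. The smb.conf and username-map parsers are deliberately minimal, and the sample inputs are constructed from the lines quoted in the post.

```python
import re
DEFAULT_MIN_DOMAIN_UID = 1000  # Samba's default since the CVE-2020-25717 fix
def _lines(text):  # non-blank, non-comment lines of an smb.conf-style file
    return [l.strip() for l in text.splitlines() if l.strip() and l.strip()[0] not in ";#"]

def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}}, names lower-cased."""
    conf, section = {}, None
    for line in _lines(text):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf
def effective_min_domain_uid(conf):  # [global] value, or Samba's default when unset
    return int(conf.get("global", {}).get("min domain uid", DEFAULT_MIN_DOMAIN_UID))

def root_mappings(map_text):
    """Domain accounts a 'username map' file sends to root, e.g. '!root = DOM\\user'."""
    found = []
    for line in _lines(map_text):
        local, sep, remote = line.partition("=")
        if sep and local.strip().lstrip("!").strip() == "root":
            found.extend(remote.split())
    return found
LOG_RE = re.compile(r"Username '([^']+)' is invalid on this system, it does not meet "
                    r"'min domain uid' restriction \((\d+) < (\d+)\)")
def rejected_logins(log_text):  # (user, mapped uid, required minimum) per refused token
    return [(m[1], int(m[2]), int(m[3])) for m in LOG_RE.finditer(log_text)]

def audit(conf_text, map_text, log_text):
    """Findings to review before lowering 'min domain uid' just to silence the error."""
    findings = []
    min_uid = effective_min_domain_uid(parse_smb_conf(conf_text))
    if min_uid < DEFAULT_MIN_DOMAIN_UID:
        findings.append(f"min domain uid = {min_uid} is below the post-fix default of 1000")
    for acct in root_mappings(map_text):
        findings.append(f"username map sends {acct} to root (uid 0)")
    for user, uid, need in rejected_logins(log_text):
        findings.append(f"log: {user} rejected, mapped uid {uid} < {need}")
    return findings

# Constructed sample input modelled on the post, not files from the poster's network
SAMPLE_CONF = "[global]\n   workgroup = DOMAIN\n   min domain uid = 0\n"
SAMPLE_MAP = "!root = DOMAIN\\Administrator\n"
SAMPLE_LOG = ("make_server_info_info3: Username 'DOMAIN\\Administrator' is invalid on this system, "
              "it does not meet 'min domain uid' restriction (0 < 1000): NT_STATUS_INVALID_TOKEN\n")
```

Running audit(SAMPLE_CONF, SAMPLE_MAP, SAMPLE_LOG) reports all three findings for the configuration described in the post; with the default left in place and no root mapping it reports nothing.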