[Samba] Question regarding 'username map' & 'min domain uid'

Kees van Vloten keesvanvloten at gmail.com
Wed Oct 9 19:01:05 UTC 2024


On 09-10-2024 20:41, Rowland Penny via samba wrote:
> On Wed, 09 Oct 2024 17:36:34 +0000
> bd730c5053df9efb via samba<samba at lists.samba.org>  wrote:
>
>> Hi all!
>>
>> I was following a recent thread here and read Rowland Penny's answer
>> (https://lists.samba.org/archive/samba/2024-October/249858.html)
>> stating
>>
>> [...]I have stopped using 'username map' & 'min domain uid' because,
>> as you have now found out, you do not need them, just use (As
>> Windows advises) a member of Domain Admins.[...]
>>
>> Since I have followed the samba wiki for most of my installs (E.g.
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Mapping_the_Domain_Administrator_Account_to_the_Local_root_User)
>> I've been using this exact method.
>>
>> So my question is, how has this changed? What is the recommended way
>> of doing it now?
> Mapping Administrator to root was done on Samba AD DCs from the very
> start of Samba 4 and it was also recommended to map Administrator on a
> Unix domain member, this may never have been needed.
>
> However, a CVE, CVE-2020-25717, was fixed at 4.15.3 and to get the old
> behaviour, you also had to add 'min domain uid = 0' to smb.conf on the
> Unix domain member. This fact finally percolated into my brain and I
> then tested if Administrator was required, my testing proved to myself
> that the Administrator mapping was not required, I just had to use a
> member of Domain Admins. Was this because of the CVE, or was the
> mapping never required ? I do not know, I just know that, in my
> opinion, the mapping is not required now, YMMV.
>
> I have added a note to the wikipage.
>
> Rowland

Do you consider this:
https://lists.samba.org/archive/samba/2022-March/239861.html
(Ticket expires after 10h) as a solved issue in recent versions of Samba?

Your advice back then was to add:

   username map = /etc/samba/user.map
   min domain uid = 0

The user.map contains:

!root = SAMDOM\Administrator

I am still using these settings on all domain-members.

- Kees.
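The settings Kees quotes above are exactly the pair that re-enables the pre-4.15.3 behaviour: 'min domain uid = 0' removes the uid floor that the CVE-2020-25717 fix introduced, and the '!root = SAMDOM\Administrator' map entry then lets a domain account become local root on the member. The audit script below is an added example and is not code from the thread or from the Samba project; it reads a member's smb.conf, looks up the two parameters, inspects the map file and reports whether that combination is present. It assumes the Samba default of 'min domain uid = 1000' when the parameter is absent, and the file names used when calling it are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Samba thread or project: audit a domain
# member's smb.conf for 'min domain uid = 0' combined with a 'username map'
# entry that maps a domain account onto the local root user.
# Assumption (mine): when 'min domain uid' is absent, Samba >= 4.15.3 uses
# the default of 1000, so the uid floor from the CVE-2020-25717 fix is active.

# Print the effective value of a [global] parameter (last occurrence wins)
# or the supplied default if it is not set. Whitespace around '=' and
# letter case in the parameter name are ignored, as Samba ignores them.
smb_param() {
    conf=$1; name=$2; default=$3
    val=$(awk -v want="$name" -F= '
        /^[ \t]*[;#]/ { next }                      # comment line
        /^[ \t]*\[/   { sec = tolower($0); next }    # [section] header
        NF >= 2 && sec ~ /^\[global\]/ {
            key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (tolower(key) == tolower(want)) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v)
                sub(/[ \t]+$/, "", v); last = v
            }
        }
        END { print last }' "$conf")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# Return 0 if the username map file contains a "root = ..." or "!root = ..."
# entry, i.e. some account is mapped onto local root; 1 otherwise.
map_targets_root() {
    mapfile=$1
    [ -f "$mapfile" ] || return 1
    grep -Eq '^[[:space:]]*!?[[:space:]]*root[[:space:]]*=' "$mapfile"
}

# Classify the member. Prints one of:
#   weakened  - uid floor disabled AND a domain account is mapped to root
#   blocked   - root mapping present, but the default uid floor still rejects it
#   ok        - no root mapping at all
# Exit status is 1 only for "weakened", so the function can gate a deployment.
audit_root_mapping() {
    conf=$1
    min_uid=$(smb_param "$conf" "min domain uid" 1000)
    mapfile=$(smb_param "$conf" "username map" "")
    if [ -n "$mapfile" ] && map_targets_root "$mapfile"; then
        if [ "$min_uid" -eq 0 ] 2>/dev/null; then
            echo "weakened"; return 1
        fi
        echo "blocked"; return 0
    fi
    echo "ok"; return 0
}

# Usage (hypothetical path): audit_root_mapping /etc/samba/smb.conf
```

The "blocked" state is the one Rowland describes: the map entry is there, but without 'min domain uid = 0' the post-4.15.3 floor refuses to hand the domain account a uid below 1000, so the mapping never takes effect. If the audit reports "weakened", the member is running with the CVE-2020-25717 mitigation switched off, which is the case for a configuration that still carries both settings.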

