Peter Schaefer
2014-Jan-04 23:29 UTC
[Samba] Samba 4.1.7 AD DC - Local Administrator == Domain Administrator ?!?
Hello!

I have upgraded a Samba 3 NT DC instance to a Samba 4.1.7 AD DC. The update created a user called 'DOMAIN/Administrator' which is supposed to be the new uber-'root' for the AD domain.

Now I just discovered using a W7 box that the local administrator user of this box (which is called 'Administrator', too) can do all the things the 'DOMAIN/Administrator' can do, too. I can browse all network shares and see and modify access rights without ever being asked for a password, despite the fact the user is just logged-in locally. The W7 box is a domain member, however.

But: the 'LOCALPC/Administrator' is not a domain user and NEITHER in the 'Domain Users' NOR in the 'Domain Administrators' group and is surely NOT entitled to have those superpowers, IMNSHO.

How come? Security bug? Or am I not aware of some arcane Windows behaviour?

Regards,
Peter
Dustin C. Hatch
2014-Jan-05 05:22 UTC
[Samba] Samba 4.1.7 AD DC - Local Administrator == Domain Administrator ?!?
On 1/4/2014 17:29, Peter Schaefer wrote:
> Hello!
>
> I have upgraded a Samba 3 NT DC instance to a Samba 4.1.7 AD DC. The
> update created a user called 'DOMAIN/Administrator' which is supposed
> to be the new uber-'root' for the AD domain.
>
> Now I just discovered using a W7 box that the local administrator user
> of this box (which is called 'Administrator', too) can do all the things
> the 'DOMAIN/Administrator' can do, too. I can browse all network shares
> and see and modify access rights without ever being asked for a
> password, despite the fact the user is just logged-in locally. The W7
> box is a domain member, however.
>
> But: the 'LOCALPC/Administrator' is not a domain user and NEITHER in the
> 'Domain Users' NOR in the 'Domain Administrators' group and is surely
> NOT entitled to have those superpowers, IMNSHO.
>
> How come? Security bug? Or am I not aware of some arcane Windows
> behaviour?
>
> Regards,
> Peter

Is the password for the Administrator account on the workstation the same as the password for the domain Administrator? If so, Windows will seamlessly use that password to authenticate to network services, and you will be logged in as the domain Administrator instead.

Typically, in an AD environment, several precautions are taken to prevent this:

a) don't use the same password for any local account as for any domain account;
b) disable the local Administrator account;
c) rename and/or disable the domain Administrator account, and instead use another user account who is a member of Domain Admins.

Hope this helps

--
Dustin
http://dustin.hatch.name/
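
An audit for the situation discussed in this thread, added here as an example and not part of either poster's message: it lists enabled local accounts on a domain member that are either the built-in Administrator or share a name with a domain account. The function name `Get-LocalAccountCollision` and the `$DomainAccountNames` sample list are hypothetical; supply the account names from your own domain.

```powershell
# Added example: audit local accounts on a domain-joined workstation.
# Uses WMI, so it also runs under the PowerShell 2.0 shipped with Windows 7.
# $DomainAccountNames is a constructed sample list (assumption), not taken from the thread.
function Get-LocalAccountCollision {
    param(
        [string[]]$DomainAccountNames = @('Administrator', 'Guest')
    )

    # LocalAccount=True restricts the query to the machine's own SAM database,
    # so domain accounts are not enumerated.
    $locals = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"

    foreach ($acct in $locals) {
        # The built-in Administrator keeps RID 500 even after it is renamed.
        $isBuiltinAdmin = $acct.SID -match '-500$'

        # -contains compares case-insensitively, like Windows account names.
        $collides = $DomainAccountNames -contains $acct.Name

        New-Object PSObject -Property @{
            Name                     = $acct.Name
            Enabled                  = -not $acct.Disabled
            BuiltinAdministrator     = $isBuiltinAdmin
            NameMatchesDomainAccount = $collides
            # Flag accounts that are usable and either privileged or name-colliding.
            NeedsReview              = ((-not $acct.Disabled) -and ($isBuiltinAdmin -or $collides))
        }
    }
}

Get-LocalAccountCollision |
    Where-Object { $_.NeedsReview } |
    Format-Table Name, Enabled, BuiltinAdministrator, NameMatchesDomainAccount -AutoSize

# Precaution (b) from the reply: disable the built-in local Administrator.
# Run from an elevated prompt; adjust the name if the account was renamed.
# net user Administrator /active:no
```

The script can only detect name collisions; whether the passwords also match (precaution a) has to be ensured by policy, since it cannot be read back from the accounts.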