On 30/01/15 16:20, Hans-Kristian Bakke wrote:
> I do not understand the point about issues with administrator being
> mapped to a "random" rfc2307 UID. You need to explain the details
> surrounding that part to me as my experience is that this is OK and
> even necessary.
>
> The only reason for not giving Administrator a "random" UID/GID that I
> can think of is perhaps if you are doing some mapping of Administrator
> to root, something which I am personally strongly against as they are
> _not_ the same users from any central authentication point of view. It
> is just a hack for people that are making the mistake of actually using
> the administrator account for linux administration, when it shouldn't
> really be used for anything at all, even on windows boxes, as you
> should be adding dedicated admin accounts for each admin.
>
> The script only gives users and groups that are non-local (i.e. domain
> users that would actually be used for logins with non-zero SIDs)
> uid/gids. Administrator is one of them and giving it a UID of
> 300500/whatever is absolutely correct and necessary if administrator
> is going to be able to log in to the linux boxes like everybody else.
> From a linux box's view in a Windows DC domain administrator is no
> different from other users. Add your admin group to sudoers and ssh
> allowgroups and you are done. This works beautifully in several well
> tested and abused production systems, also with ACLs with
> administrator added.
>

Well, there you go, you and I are at opposite ends of the spectrum. I am
strongly against giving 'Administrator' a 'uidNumber' because you are
turning a special windows user into an ordinary Unix user.
I personally think that 'Administrator' should be mapped to the root user
(user 0), if you want another windows user to do administration on a Unix
machine, create one and give this user a 'uidNumber'. It may help if you go
look in idmap.ldb and see what the devs have mapped 'Administrator' to.

Rowland
I still do not follow you. An additional reason for including
administrator in the first place, not including that I actually want
it to work against the linux boxes like every other domain user, was
because winbind returns the exact same mapping when using idmap
backend RID with range 300000-499999 (i.e. not rfc2307 attributes)

> wbinfo -i administrator
administrator:*:300500:300513:Administrator:/home/example.com/administrator:/bin/bash

So the winbind devs obviously also think that Administrator should be
mapped like every other domain user. The nice thing about this is that
RFC2307 enabled winbind hosts, sssd-ad hosts and winbind hosts still
using RID can all coexist peacefully and with the same UID/GID mapping
(a need I had, thus creating the need for the migration script).

But as I can see this is strictly a personal thing for you, it is of
course okay to not give administrator a UID. You can just exclude the
user in the script, so the functionality can still be used as a base,
or you can throw it in the garbage if you want to :) I was worried
that there were any technical consequences that I had somehow missed
for years.

Regards,
Hans-Kristian

On 30 January 2015 at 17:35, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 30/01/15 16:20, Hans-Kristian Bakke wrote:
>>
>> I do not understand the point about issues with administrator being
>> mapped to a "random" rfc2307 UID. You need to explain the details
>> surrounding that part to me as my experience is that this is OK and
>> even necessary.
>>
>> The only reason for not giving Administrator a "random" UID/GID that I
>> can think of is perhaps if you are doing some mapping of Administrator
>> to root, something which I am personally strongly against as they are
>> _not_ the same users from any central authentication point of view. It
>> is just a hack for people that are making the mistake of actually using
>> the administrator account for linux administration, when it shouldn't
>> really be used for anything at all, even on windows boxes, as you
>> should be adding dedicated admin accounts for each admin.
>>
>> The script only gives users and groups that are non-local (i.e. domain
>> users that would actually be used for logins with non-zero SIDs)
>> uid/gids. Administrator is one of them and giving it a UID of
>> 300500/whatever is absolutely correct and necessary if administrator
>> is going to be able to log in to the linux boxes like everybody else.
>> From a linux box's view in a Windows DC domain administrator is no
>> different from other users. Add your admin group to sudoers and ssh
>> allowgroups and you are done. This works beautifully in several well
>> tested and abused production systems, also with ACLs with
>> administrator added.
>>
>>
>>
>
> Well, there you go, you and I are at opposite ends of the spectrum. I am
> strongly against giving 'Administrator' a 'uidNumber' because you are
> turning a special windows user into an ordinary Unix user.
> I personally think that 'Administrator' should be mapped to the root user
> (user 0), if you want another windows user to do administration on a Unix
> machine, create one and give this user a 'uidNumber'. It may help if you go
> look in idmap.ldb and see what the devs have mapped 'Administrator' to.
>
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 30/01/15 16:55, Hans-Kristian Bakke wrote:
> I still do not follow you. An additional reason for including
> administrator in the first place, not including that I actually want
> it to work against the linux boxes like every other domain user, was
> because winbind returns the exact same mapping when using idmap
> backend RID with range 300000-499999 (i.e. not rfc2307 attributes)
>
>> wbinfo -i administrator
> administrator:*:300500:300513:Administrator:/home/example.com/administrator:/bin/bash

On one of my DC's:

wbinfo -i administrator
EXAMPLE\Administrator:*:0:10000::/home/EXAMPLE/Administrator:/bin/bash

and from idmap.ldb (created by the provision):

dn: CN=S-1-5-21-2025076216-3455336656-3842161122-500
cn: S-1-5-21-2025076216-3455336656-3842161122-500
objectClass: sidMap
objectSid: S-1-5-21-2025076216-3455336656-3842161122-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-2025076216-3455336656-3842161122-500

Oh look, it is mapped to '0', i.e. 'root'.

> So the winbind devs obviously also think that Administrator should be
> mapped like every other domain user.

Do you want to retract that last statement?

> The nice thing about this is that RFC2307 enabled winbind hosts,
> sssd-ad hosts and winbind hosts still using RID can all coexist
> peacefully and with the same UID/GID mapping (a need I had, thus
> creating the need for the migration script).
>
> But as I can see this is strictly a personal thing for you, it is of
> course okay to not give administrator a UID. You can just exclude the
> user in the script, so the functionality can still be used as a base,
> or you can throw it in the garbage if you want to :) I was worried
> that there were any technical consequences that I had somehow missed
> for years.
>
> Regards,
> Hans-Kristian

Yes, you seem to be missing the fact that 'Administrator' is a special
windows user and shouldn't be turned into a normal Unix user.

Rowland
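The two mappings argued over in this thread can be checked offline. Hans-Kristian's member server with "idmap config ... : backend = rid" and "range = 300000-499999" gives Administrator uid 300500 because idmap_rid computes the Unix ID as the low end of the range plus the account's RID (base_rid at its default of 0), and Administrator's well-known RID is 500 (Domain Users is 513, hence the gid 300513). Rowland's DC instead carries a fixed idmap.ldb sidMap record with xidNumber 0. The script below is an added example, not code from either poster or from the Samba project: it reconstructs the idmap_rid formula, parses the two wbinfo -i lines and the idmap.ldb record exactly as pasted in the thread, and labels which policy each uid follows. The function and constant names are my own, and nothing is executed against a real winbind.

```python
#!/usr/bin/env python3
"""Added example: classify how a host maps the domain Administrator to a uid.

Two policies from the thread:
  * idmap_rid on a member server: uid = RANGE_LOW + RID  (300000 + 500 = 300500)
  * Samba AD DC provision:        idmap.ldb maps the Administrator SID to xidNumber 0
Sample data below is copied from the thread and embedded so the script runs offline.
"""
import re
from dataclasses import dataclass

# --- constructed input: the lines pasted in the thread, no wbinfo is run here ---
WBINFO_MEMBER = "administrator:*:300500:300513:Administrator:/home/example.com/administrator:/bin/bash"
WBINFO_DC = "EXAMPLE\\Administrator:*:0:10000::/home/EXAMPLE/Administrator:/bin/bash"
IDMAP_LDB_DC = """\
dn: CN=S-1-5-21-2025076216-3455336656-3842161122-500
cn: S-1-5-21-2025076216-3455336656-3842161122-500
objectClass: sidMap
objectSid: S-1-5-21-2025076216-3455336656-3842161122-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-2025076216-3455336656-3842161122-500
"""

ADMINISTRATOR_RID = 500          # well-known RID of the built-in domain Administrator
DOMAIN_USERS_RID = 513           # well-known RID of Domain Users (Administrator's primary group)
RID_RANGE = (300000, 499999)     # "range = 300000-499999" from the thread (assumed config)


def rid_of(sid: str) -> int:
    """The last sub-authority of an S-1-5-21-<domain>-<rid> SID is the RID."""
    m = re.fullmatch(r"S-1-5-21(?:-\d+){3}-(\d+)", sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return int(m.group(1))


def rid_backend_id(rid: int, rng=RID_RANGE) -> int:
    """idmap_rid's algorithmic mapping with base_rid = 0: ID = RANGE_LOW + RID.

    Raises when the result leaves the configured range, which is the case in
    which winbind would refuse to map the account at all."""
    low, high = rng
    xid = low + rid
    if not low <= xid <= high:
        raise ValueError(f"RID {rid} maps to {xid}, outside range {low}-{high}")
    return xid


@dataclass
class Mapping:
    name: str
    uid: int
    gid: int


def parse_wbinfo_i(line: str) -> Mapping:
    """Parse the passwd(5)-style line printed by `wbinfo -i <user>`."""
    fields = line.split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated passwd fields")
    return Mapping(name=fields[0], uid=int(fields[2]), gid=int(fields[3]))


def parse_idmap_ldif(record: str) -> dict:
    """Minimal parser for one idmap.ldb sidMap record ("attribute: value" lines)."""
    attrs = {}
    for raw in record.splitlines():
        if ":" in raw:
            key, value = raw.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def classify(uid: int, rid: int = ADMINISTRATOR_RID) -> str:
    """Name the policy a uid follows: 'root' (DC provision), 'rid' (idmap_rid),
    or 'other' (e.g. an arbitrary rfc2307 uidNumber)."""
    if uid == 0:
        return "root"
    if uid == rid_backend_id(rid):
        return "rid"
    return "other"


def main():
    member = parse_wbinfo_i(WBINFO_MEMBER)
    dc = parse_wbinfo_i(WBINFO_DC)
    ldb = parse_idmap_ldif(IDMAP_LDB_DC)
    print(f"{member.name}: uid {member.uid} gid {member.gid} -> {classify(member.uid)}")
    print(f"{dc.name}: uid {dc.uid} gid {dc.gid} -> {classify(dc.uid)}")
    print(f"idmap.ldb: RID {rid_of(ldb['objectSid'])} -> xidNumber {ldb['xidNumber']}")


if __name__ == "__main__":
    main()
```

The gid check is the useful detail for anyone mixing hosts the way Hans-Kristian describes: on the rid host both the uid (300500) and the primary gid (300513) fall out of the same formula, so the values in an rfc2307 migration only stay consistent with RID-backend hosts if they are derived the same way, whereas the DC's 0:10000 pair comes from idmap.ldb allocations and follows no such formula.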