Because of this:
Correct UID for DOM\Administrator: 10000
Your administrator can login..
sshd_config does the following if root is disabled.. (or no passwd for root..)
1) no root login when root has no password.
2) no root login with uid 0
3) all other.. you can login.
In these cases.. create an extra security group in ssh,
and add the users in it who are allowed to login.
And for samba (winbind) Administrator = root.
And for correct working, it's really advised to NOT give Administrator any UID.
And you did... ...
And why not.. see your own question. ;-)
The best explanation I can give ..
Greetz,
Louis
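An added example, not code from Louis's or David's mail: a small POSIX shell check that flags a domain account winbind has resolved to uid 0 (the state David saw in `id administrator`), with the sshd_config restriction Louis recommends noted in the comments. The group name `sshusers` and the sample `id` output lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: flag a domain account that
# winbind has resolved to uid 0 (the state David saw in `id administrator`),
# and note the sshd restriction Louis describes.
#
# sshd_config fragment (the group name "sshusers" is a placeholder):
#   PermitRootLogin no
#   AllowGroups sshusers
# With AllowGroups set, only members of that group may log in over ssh,
# whatever uid winbind happens to hand back for the account.

# uid_of IDLINE: print the numeric uid from one line of `id` output,
# e.g. 'uid=10000(DOM\administrator) gid=...' -> 10000
uid_of() {
    uid=${1#uid=}                 # drop the leading "uid="
    printf '%s\n' "${uid%%(*}"    # drop everything from the first "(" on
}

# flag_uid0 NAME IDLINE: return 1 (and print an alert) when an account
# other than root resolves to uid 0; return 0 when the mapping looks sane.
flag_uid0() {
    name=$1
    uid=$(uid_of "$2")
    if [ "$uid" = "0" ] && [ "$name" != "root" ]; then
        echo "ALERT: '$name' resolves to uid 0; check winbind idmap / RFC2307 attrs"
        return 1
    fi
    return 0
}

# Constructed sample `id` output for the two states from the report:
# the correct RFC2307 mapping (uid 10000) and the broken one (uid 0).
GOOD_ID='uid=10000(DOM\administrator) gid=10000(DOM\domain users) groups=10000(DOM\domain users)'
BAD_ID='uid=0(root) gid=10000(DOM\domain users) groups=10000(DOM\domain users)'

# Live use on a DC would iterate winbind's user list instead of the samples:
#   wbinfo -u | while read -r u; do flag_uid0 "$u" "$(id "$u" 2>/dev/null)"; done

demo() {
    if flag_uid0 administrator "$GOOD_ID"; then
        echo "ok: administrator -> uid $(uid_of "$GOOD_ID")"
    fi
    if ! flag_uid0 administrator "$BAD_ID"; then
        echo "broken mapping detected, as in the report"
    fi
}
demo
```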
>-----Original message-----
>From: david_willis at comcast.net
>[mailto:samba-bounces at lists.samba.org] On behalf of David Willis
>Sent: Thursday 16 April 2015 9:33
>To: samba at lists.samba.org
>Subject: [Samba] Possible Security Hole (Bug?)
>
>Hello,
>
>I noticed something that may or may not be a bug in Samba4 on an AD DC - I
>may be completely missing something and if that's the case please feel free
>to let me know - but.
>
>If for some reason the Samba4 DC thinks that the UID for an account (for
>example, DOM\Administrator) is 0, and you log into that account, it logs you
>into the local root account (even if it is disabled, as it is by default in
>Ubuntu).
>
>The case in which I noticed this was when the NIC was temporarily
>disconnected, then reconnected, then the samba service restarted. When
>attempting to login to the domain admin account after this sequence of
>events, it asks for password, then grants access to the local root account.
>When doing an "id administrator" it would show uid=0, although the groups
>were correct (as were the GIDs).
>
>I was not able to reproduce this when I repeated the same sequence of
>events, so I am not quite sure what the situation is here or why it suddenly
>saw administrator's UID to be 0. Doing a "net cache flush", then restarting
>BIND9 and Samba again resolved the issue (UIDs were correct and able to log
>into the domain admin account as expected). As I am unsure whether or not
>this is a bug, I wanted to send a message here first rather than to the bug
>report to see if I could get some more information. However, it does seem
>like a possible security hole (I wasn't able to reproduce this, but if this
>same scenario happened with a non-domain-admin account, it would essentially
>allow a non-privileged domain user to gain root access on the Samba4 AD DC).
>
>I should note that in this case, the "administrator" account had no
>additional privileges on the Samba4 DC - that is, it had not been added to
>the local "sudo" group (or any other local groups, for that matter). I will
>also note that I seem to recall a similar event happening back when I first
>configured the DC on an older version of Samba4 (possibly before the correct
>configuration was achieved, which may be why the UID was inaccurately seen
>as "0" back at that time).
>
>Some basic environment info:
>
>Current Samba4 version - 4.2.0, compiled from source (tarball downloaded via
>download.samba.org) w/ gcc compiler (v4.6.3) - using new/updated "winbindd"
>functionality as instructed in v4.2.0 release notes
>
>Configured as an AD DC in a domain w/ 2 other DCs, both of the other DCs
>running Windows Server 2008R2
>
>OS: Ubuntu Server 12.04.5 LTS
>
>RFC2307 attributes enabled and in use
>
>Correct UID for DOM\Administrator: 10000 (assigned via RFC2307 attrs)
>
>Local root account disabled
>
>No "username mapping" is in use
>
>Normally, everything is working as expected. This was just one situation
>that I came across by accident after disconnecting and reconnecting the NIC.
>I will also note that I did attempt a login to the DOM\Administrator account
>on the Samba4 DC while the NIC was disconnected (and as expected, received a
>"no logon servers" message). Not sure if that is important or not.
>
>If there is any more information needed please let me know. I often read the
>Samba message boards (along with many others, and much googling) when I run
>into an issue to find a resolution, but in this case I thought I should
>bring it to someone's attention as it seems that this (could) be a
>significant security issue. If I am missing something here and this is not
>the issue that it seems to be then please feel free to let me know.
>
>Thank you for your time, and for all the work that everyone on the team has
>put into this great project over the years!!!
>
>Regards,
>
>David
>
>E-Mail: david_willis at comcast.net
>