Thank you for the reply.

Forgive me if I am not understanding correctly, but... I have heard conflicting reports about whether or not to assign a UID to DOM\administrator, even from threads read on these lists :)

However, are DOM\administrator and local "root" not two separate accounts? One domain admin, one "local" root/admin. So why then would winbind/samba see them as the "same" account?

Especially because even if a UID is not assigned to DOM\administrator, it will still be assigned an arbitrary UID from the 3000000-4000000 range via idmap.ldb, no? So either way it's going to have a UID assigned... But through idmap.ldb this may not be consistent between Samba DCs, as per the Samba wiki... which brings me back to why I assigned a UID via RFC2307 :)

But I digress... I still don't see:

A. Why samba/winbind would see DOM\administrator and local "root" as the same account, and
B. How DOM\administrator having a UID assigned via RFC2307 makes any difference, as it will have SOME UID assigned anyway (by idmap.ldb if not by me), and in either case it will not be 0.

Last note... this was with a CONSOLE login that I was able to gain root access, NOT via ssh... so I don't think sshd_config should play a role here either.

Regards,

David
On 16/04/15 19:26, David Willis wrote:
> Thank you for the reply.
>
> Forgive me if I am not understanding correctly, but... I have heard conflicting reports about whether or not to assign a UID to DOM\administrator, even from threads read on these lists :)
>
> However, are DOM\administrator and local "root" not two separate accounts? One domain admin, one "local" root/admin. So why then would winbind/samba see them as the "same" account?
>
> Especially because even if a UID is not assigned to DOM\administrator, it will still be assigned an arbitrary UID from the 3000000-4000000 range via idmap.ldb, no? So either way it's going to have a UID assigned... But through idmap.ldb this may not be consistent between Samba DCs, as per the Samba wiki... which brings me back to why I assigned a UID via RFC2307 :)
>
> But I digress... I still don't see:
> A. Why samba/winbind would see DOM\administrator and local "root" as the same account, and
> B. How DOM\administrator having a UID assigned via RFC2307 makes any difference, as it will have SOME UID assigned anyway (by idmap.ldb if not by me), and in either case it will not be 0.
>
> Last note... this was with a CONSOLE login that I was able to gain root access, NOT via ssh... so I don't think sshd_config should play a role here either.
>
> Regards,
>
> David

Hi, there are two separate points of view here: map 'Administrator' to the 'root' user, or give 'Administrator' a uidNumber. If you do the first, then 'Administrator' can change directory settings on a Unix machine from Windows (profiles dir, file share dirs etc.) without any problem. If you give 'Administrator' a uidNumber, then (s)he becomes just another Unix user and will need to be given the rights to change ownership and mode of directories.

Oh, and in answer to 'B', if you don't do anything, 'Administrator' is automatically mapped to root on a Samba4 AD DC.

Rowland
Rowland,

In case of "B": do we know all the folders which need to be changed with rights? Or is this only for all shares and folder/file rights?

Just asking so I can add it to my script. And to keep in mind, in both cases I already added the group "Domain Admins" to all privileges.

Greetz,

Louis

> -----Original message-----
> From: rowlandpenny at googlemail.com [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Friday 17 April 2015 10:02
> To: samba at lists.samba.org
> Subject: Re: [Samba] Possible Security Hole (Bug?)
>
> Hi, there are two separate points of view here: map 'Administrator' to the 'root' user, or give 'Administrator' a uidNumber. If you do the first, then 'Administrator' can change directory settings on a Unix machine from Windows (profiles dir, file share dirs etc.) without any problem. If you give 'Administrator' a uidNumber, then (s)he becomes just another Unix user and will need to be given the rights to change ownership and mode of directories.
>
> Oh, and in answer to 'B', if you don't do anything, 'Administrator' is automatically mapped to root on a Samba4 AD DC.
>
> Rowland
On 17/04/15 09:34, L.P.H. van Belle wrote:
> Rowland,
>
> In case of "B": do we know all the folders which need to be changed with rights? Or is this only for all shares and folder/file rights?
>
> Just asking so I can add it to my script. And to keep in mind, in both cases I already added the group "Domain Admins" to all privileges.
>
> Greetz,
>
> Louis

Hi Louis, as far as I understand it, Administrator can only change directories that (s)he can see from Windows, unless 'Administrator' actually logs into a DC. So, as far as your script is concerned, I don't think any changes are required, unless you can think of a way of stopping the Administrator logging into the DC.

Rowland
2015-04-17 10:01 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
> Hi, there are two separate points of view here: map 'Administrator' to the 'root' user, or give 'Administrator' a uidNumber. If you do the first, then 'Administrator' can change directory settings on a Unix machine from Windows (profiles dir, file share dirs etc.) without any problem. If you give 'Administrator' a uidNumber, then (s)he becomes just another Unix user and will need to be given the rights to change ownership and mode of directories.

A design choice of Microsoft's is to make the AD group 'DOMAIN\Domain Admins' a member of the server's Administrators group during domain join. If you, as a member of 'SERVER\Administrators', choose to remove the Domain Admins, that is, of course, perfectly valid. As is making a domain user account a member of the server's Administrators group, or removing it from a selected group. So in a sense one could say that 'DOMAIN\Administrator' is just another Windows/Unix user.

When Samba is set up as a file and/or print server, you have to make Unix aware of which domain user accounts/groups have got extraordinary rights. As you write.

Maybe one should change views and look at the Unix/Samba complex as a virtual host where one of its guests is a file server that owns its playground, the file system it shares. The guest, Samba, utilizes Unix for its purpose. In that case Samba is contained and 'DOMAIN\Administrator' should have a uid-/gidNumber. All domain accounts and groups should have their uid-/gidNumber set.

Regards
Davor

> Oh, and in answer to 'B', if you don't do anything, 'Administrator' is automatically mapped to root on a Samba4 AD DC.
>
> Rowland