Matthias Kühne | Ellerhold AG
2021-Feb-15 14:55 UTC
[Samba] Root user shows up as "administrator"
Hello,

we're in the process of migrating our Open Directory to Samba 4.13 in Debian 10. Our setup will be 8 DCs (1 for each location + 1 primary) and a few dozen more Linux machines. Each of these machines should grant domain users rights to auth via SSH and Samba. This should be true for our DCs too! So I want to ssh my-domain-user@dc-1 and manage the machine.

Our test scenario worked really well (thx for such an awesome suite and the how-tos in the wiki!) but there is a minor problem in our live setup now.

Sometimes (when exactly, idk!) if I switch to the root user via "su" or "sudo -i" it won't display "root" as the active user but "DOMAIN\administrator". "whoami" spits out "DOMAIN\administrator", "id" gives "uid=0(DOMAIN\administrator) gid=0(root) groups=0(root)".

The administrator user has a UID (10372) but "id DOMAIN\\administrator" gives

uid=0(DOMAIN\administrator) gid=10072(DOMAIN\domain users) groups=10072(DOMAIN\domain users),100000512(DOMAIN\domain admins),100000519(DOMAIN\enterprise admins),100000520(DOMAIN\group policy creator owners),100000518(DOMAIN\schema admins),100000572(DOMAIN\denied rodc password replication group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)

This is the smb.conf of the server in question:

[global]
    workgroup               = DOMAIN
    realm                   = DOMAIN
    dns proxy               = no
    load printers           = no
    printing                = bsd
    printcap name           = /dev/null
    disable spoolss         = Yes
    show add printer wizard = no
    max log size            = 1000
    panic action            = /usr/share/samba/panic-action %d
    server role             = active directory domain controller
    netbios name            = DC-2
    server services         = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    idmap_ldb:use rfc2307   = Yes
    tls enabled             = Yes
    tls keyfile             = /etc/samba/certificates/dc-2.key
    tls certfile            = /etc/samba/certificates/dc-2.crt
    tls cafile              = /usr/local/share/ca-certificates/ca.crt
    security                = USER
    template shell          = /bin/bash
    template homedir        = /home/DOMAIN/%U

[netlogon]
    path      = /var/lib/samba/sysvol/DOMAIN/scripts
    read only = No

[sysvol]
    path      = /var/lib/samba/sysvol
    read only = No

My nsswitch.conf is set up like this:

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files
hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

I've used "https://apt.van-belle.nl/debian buster-samba413" as the source repository to install this Samba version:

Samba                 2:4.13.2+dfsg-0.1buster1
libnss-winbind:amd64  2:4.13.2+dfsg-0.1buster1

Any help on fixing this issue is very much appreciated! Thank you in advance and have a nice day!

-- 
Matthias Kühne
Senior Web Developer
Data Protection Officer

Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul

Phone: +49 (0) 351 83933-61
Fax: +49 (0) 351 83933-99

Web www.ellerhold.de
Twitter www.twitter.com/Ellerhold_AG
Youtube www.youtube.com/user/ellerholdgruppe

Amtsgericht Dresden / HRB 23769
Management Board: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold

----------------

This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments. You can find our privacy policy here: http://www.ellerhold.de/datenschutz/
On 15/02/2021 14:55, Matthias Kühne | Ellerhold AG via samba wrote:
> Hello,
>
> we're in the process of migrating our Open Directory to Samba 4.13 in
> Debian 10. Our setup will be 8 DCs (1 for each location + 1 primary) and
> a few dozen more linux machines. Each of these machine should grant
> domain users rights to auth via SSH and samba. This should be true for
> our DCs too! So I want to ssh my-domain-user at dc-1 and manage the machine.
>

Two things to start with, remove 'security = USER' from the DC's smb.conf (you might also want to reconsider some of the other lines you added) and I take it that:

The administrator user has a UID (10372)

means you have given Administrator a uidNumber attribute containing '10372', if so, remove it.

On a Samba DC, Administrator is mapped to the ID '0'. You use root on Unix and Administrator on Windows. Then when Administrator (on Windows) tries to do something on Unix, it does it as root.

Rowland
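A small check for the first point in the reply above, added here as an example and not code from the poster, from Rowland, or from Samba (it is not testparm). It parses the INI-like smb.conf dialect shown in the posting ([section] headers, "name = value" lines, comment lines starting with "#" or ";"), normalises parameter names, and reports an explicit "security" line when "server role" is "active directory domain controller". The sample configs are constructed from the lines of the posted smb.conf; the assumption that the parser should also accept padded parameter names is mine, so that it copes with the alignment whitespace seen in the post.

```python
"""Lint an smb.conf for an explicit 'security' setting on an AD DC.

Added example for this thread, not Samba's own code and not testparm.
Assumes the smb.conf dialect shown in the posting: [section] headers,
'name = value' lines, comment lines starting with '#' or ';'.
"""
import re

# Constructed sample: the relevant lines of the posted DC smb.conf, with
# the 'security' line the reply advises removing left in place.
SAMPLE_SMB_CONF = """\
[global]
    workgroup    = DOMAIN
    realm        = DOMAIN
    server role  = active directory domain controller
    netbios name = DC-2
    idmap_ldb:use rfc2307 = Yes
    security     = USER
    template shell   = /bin/bash
    template homedir = /home/DOMAIN/%U

[sysvol]
    path      = /var/lib/samba/sysvol
    read only = No
"""

# The same config with the 'security' line dropped, i.e. what the reply suggests.
FIXED_SMB_CONF = "\n".join(
    line for line in SAMPLE_SMB_CONF.splitlines()
    if not line.strip().lower().startswith("security")
)

AD_DC_ROLE = "active directory domain controller"


def parse_smb_conf(text):
    """Return {section: {parameter: value}}.

    Section and parameter names are lowercased and internal runs of
    whitespace collapsed, so a padded 'server   role' matches 'server role'.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = " ".join(header.group(1).split()).lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"cannot parse smb.conf line: {raw!r}")
        name, value = line.split("=", 1)
        name = " ".join(name.split()).lower()
        sections[current][name] = value.strip()
    return sections


def lint_dc_global(conf):
    """Return a list of findings for the [global] section of a DC config."""
    findings = []
    glob = conf.get("global", {})
    if glob.get("server role", "").lower() != AD_DC_ROLE:
        return findings                      # not a DC, nothing to report here
    if "security" in glob:
        findings.append(
            f"[global] sets 'security = {glob['security']}' on an AD DC; "
            "the server role already selects the security mode, remove the line"
        )
    return findings


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(label, lint_dc_global(parse_smb_conf(text)) or "no findings")
```

Point it at a real file with `parse_smb_conf(open("/etc/samba/smb.conf").read())`; it only covers the one parameter named in the reply, so it complements rather than replaces `testparm`.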
On Mon, 2021-02-15 at 15:55 +0100, Matthias Kühne | Ellerhold AG via samba wrote:
> Hello,
>
> we're in the process of migrating our Open Directory to Samba 4.13 in
> Debian 10. Our setup will be 8 DCs (1 for each location + 1 primary) and
> a few dozen more linux machines. Each of these machine should grant
> domain users rights to auth via SSH and samba. This should be true for
> our DCs too! So I want to ssh my-domain-user at dc-1 and manage the machine.
>
> Our test scenario worked really good (thx for such an awesome suite and
> the how-tos in the wiki!) but there is a minor problem in our live setup
> now.
>
> Sometimes (when exactly idk!) if I switch to the root user via "su" or
> "sudo -i" it wont display the "root" as active user but
> "DOMAIN\administrator". "whoami" spits out "DOMAIN\administrator", "id"
> gives "uid=0(DOMAIN\administrator) gid=0(root) groups=0(root)".
>
> The administrator user has a UID (10372) but "id DOMAIN\\administrator"
> gives
>
> uid=0(DOMAIN\administrator) gid=10072(DOMAIN\domain users)
> groups=10072(DOMAIN\domain users),100000512(DOMAIN\domain
> admins),100000519(DOMAIN\enterprise admins),100000520(DOMAIN\group
> policy creator owners),100000518(DOMAIN\schema
> admins),100000572(DOMAIN\denied rodc password replication
> group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)

The default idmap.ldb entries give UID 0 (root) to the administrator user to ensure it can change all files. I know some other developers disagree about the wisdom of this, but for now that is what the code does.

This is probably trumping whatever you think is assigning UID 10372 to 'administrator'.

Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
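A way to verify the mapping that the symptom in the first message and the explanation in this reply both turn on, added here as an example; it is not code from the poster, from Andrew, or from Samba. It parses passwd-format lines (what `getent passwd` prints) and the one-line output of `id`, then reports every name that shares a UID with another name, with UID 0 called out separately. The sample data is constructed after the values quoted in the thread; the names `parse_passwd`, `find_uid_collisions`, `root_aliases`, `parse_id_output` and `maps_to_root` are mine.

```python
"""Spot domain accounts that resolve to UID 0 in NSS data.

Added example for this thread, not code from the poster or from Samba.
Parses passwd(5)-format lines and `id` output; all sample data below is
constructed after the values quoted in the thread.
"""
import re
from collections import defaultdict

# Constructed passwd lines: local root, a daemon, the winbind-provided
# DOMAIN\administrator that also maps to UID 0, and an ordinary domain user.
SAMPLE_GETENT = r"""
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
DOMAIN\administrator:*:0:10072::/home/DOMAIN/administrator:/bin/bash
DOMAIN\alice:*:10373:10072::/home/DOMAIN/alice:/bin/bash
"""

# Constructed (shortened) copy of the `id DOMAIN\\administrator` output in the thread.
SAMPLE_ID = (r"uid=0(DOMAIN\administrator) gid=10072(DOMAIN\domain users) "
             r"groups=10072(DOMAIN\domain users),100000512(DOMAIN\domain admins),"
             r"3000000(BUILTIN\administrators)")

ID_RE = re.compile(r"^uid=(\d+)\(([^)]*)\) gid=(\d+)\(([^)]*)\) groups=(.*)$")
MEMBER_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_passwd(text):
    """Parse passwd(5)-format lines into dicts; reject malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries


def find_uid_collisions(entries):
    """Map each UID that carries more than one name to the list of those names."""
    by_uid = defaultdict(list)
    for entry in entries:
        by_uid[entry["uid"]].append(entry["name"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def root_aliases(entries):
    """Names other than 'root' that resolve to UID 0 (the thread's symptom)."""
    return sorted(e["name"] for e in entries if e["uid"] == 0 and e["name"] != "root")


def parse_id_output(line):
    """Parse one `id` line into uid, user, gid, group and a (gid, name) list."""
    m = ID_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised id output: {line!r}")
    groups = [(int(n), name) for n, name in MEMBER_RE.findall(m.group(5))]
    return {"uid": int(m.group(1)), "user": m.group(2),
            "gid": int(m.group(3)), "group": m.group(4), "groups": groups}


def maps_to_root(id_line):
    """True when an `id` line shows a non-root account name carrying UID 0."""
    parsed = parse_id_output(id_line)
    return parsed["uid"] == 0 and parsed["user"] != "root"


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_GETENT)
    print("UID collisions:", find_uid_collisions(entries))
    print("aliases of root:", root_aliases(entries))
    print("id line maps to root:", maps_to_root(SAMPLE_ID))
```

With winbind, `getent passwd` without arguments only lists domain users when `winbind enum users = yes` is set, so on a DC feed the parser the output of explicit lookups such as `getent passwd root "DOMAIN\\administrator"`; running that on each DC is a quick way to confirm which names resolve to UID 0 before and after removing a uidNumber on Administrator.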