On 30/01/15 16:55, Hans-Kristian Bakke wrote:
> I still do not follow you. An additional reason for including
> administrator in the first place, not including that I actually want
> it to work against the Linux boxes like every other domain user, was
> because winbind returns the exact same mapping when using idmap
> backend RID with range 300000-499999 (i.e. not rfc2307 attributes)
>
>> wbinfo -i administrator
> administrator:*:300500:300513:Administrator:/home/example.com/administrator:/bin/bash

On one of my DCs:

wbinfo -i administrator
EXAMPLE\Administrator:*:0:10000::/home/EXAMPLE/Administrator:/bin/bash

and from idmap.ldb (created by the provision):

dn: CN=S-1-5-21-2025076216-3455336656-3842161122-500
cn: S-1-5-21-2025076216-3455336656-3842161122-500
objectClass: sidMap
objectSid: S-1-5-21-2025076216-3455336656-3842161122-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-2025076216-3455336656-3842161122-500

Oh look, it is mapped to '0', i.e. 'root'.

> So the winbind devs obviously also think that Administrator should be
> mapped like every other domain user.

Do you want to retract that last statement?

> The nice thing about this is that RFC2307-enabled winbind hosts,
> sssd-ad hosts and winbind hosts still using RID can all coexist
> peacefully and with the same UID/GID mapping (a need I had, thus
> creating the need for the migration script).
>
> But as I can see this is strictly a personal thing for you, it is of
> course okay to not give administrator a UID. You can just exclude the
> user in the script, so the functionality can still be used as a base,
> or you can throw it in the garbage if you want to :) I was worried
> that there were any technical consequences that I somewhat had missed
> for years.
>
> Regards,
> Hans-Kristian

Yes, you seem to be missing the fact that 'Administrator' is a special
Windows user and shouldn't be turned into a normal Unix user.

Rowland
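The idmap_rid arithmetic behind the two mappings compared above, as an added example that is not code from the thread or from Samba: it assumes the 300000-499999 range and the two wbinfo lines quoted in the messages, and flags the two points a reviewer would want to see before such a mapping reaches member hosts (a uid of 0, and the well-known Administrator RID).

```python
import re
from typing import List, Tuple

# Constructed sample values taken from the thread: the idmap_rid range and the
# two passwd-style 'wbinfo -i' lines the posters compared.
RID_RANGE = (300000, 499999)
ADMINISTRATOR_RID = 500   # well-known RID of the built-in domain Administrator
WBINFO_MEMBER = "administrator:*:300500:300513:Administrator:/home/example.com/administrator:/bin/bash"
WBINFO_DC = "EXAMPLE\\Administrator:*:0:10000::/home/EXAMPLE/Administrator:/bin/bash"
ADMIN_SID = "S-1-5-21-2025076216-3455336656-3842161122-500"

_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_of(sid: str) -> int:
    """Return the RID, i.e. the last sub-authority of a domain SID."""
    m = _SID_RE.match(sid)
    if m is None:
        raise ValueError(f"not a domain SID: {sid}")
    return int(m.group(1))


def rid_backend_uid(sid: str, rng: Tuple[int, int] = RID_RANGE) -> int:
    """idmap_rid arithmetic: uid = range low + RID, and it must stay in range."""
    low, high = rng
    uid = low + rid_of(sid)
    if not low <= uid <= high:
        raise ValueError(f"RID {rid_of(sid)} falls outside range {low}-{high}")
    return uid


def parse_wbinfo(line: str) -> Tuple[str, int, int]:
    """Split a 'wbinfo -i' passwd-style line into (name, uid, gid)."""
    fields = line.split(":")
    if len(fields) != 7:
        raise ValueError(f"unexpected wbinfo line: {line}")
    return fields[0], int(fields[2]), int(fields[3])


def review_mapping(sid: str, wbinfo_line: str) -> List[str]:
    """Findings a reviewer would raise before rolling this mapping out to hosts."""
    name, uid, _gid = parse_wbinfo(wbinfo_line)
    findings = []
    if uid == 0:
        findings.append(f"{name} maps to uid 0 (root) on this host")
    if rid_of(sid) == ADMINISTRATOR_RID:
        findings.append(f"{name} is the built-in Administrator (RID 500), not a normal user")
    return findings
```

Running `rid_backend_uid(ADMIN_SID)` reproduces the 300500 from the member-host line, while `review_mapping(ADMIN_SID, WBINFO_DC)` reports both the root mapping and the RID 500 special case.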
On one of your DCs? As in you run Samba for your DCs?

This thread was using Server 2012 R2 as DCs, and that was what my
response was aimed at. I am also using Server 2012 R2 for DCs. In this
case the Administrator is "just a user" seen from the Linux boxes.
That Administrator is assigned a root role in a Samba DC is not a
surprise for me, as it then becomes more than an external Windows user,
but rather has to somewhat resemble the "full access" special internal
role an Administrator has on a Windows domain.

With this misunderstanding out of the way I can see your arguments. I
find it rather confusing that you use arguments for the Samba DC in a
thread for a Server 2012 R2 use case, but that might just be me.

--
Regards,
Hans-Kristian

On 30 January 2015 at 18:12, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 30/01/15 16:55, Hans-Kristian Bakke wrote:
>> I still do not follow you. An additional reason for including
>> administrator in the first place, not including that I actually want
>> it to work against the Linux boxes like every other domain user, was
>> because winbind returns the exact same mapping when using idmap
>> backend RID with range 300000-499999 (i.e. not rfc2307 attributes)
>>
>>> wbinfo -i administrator
>> administrator:*:300500:300513:Administrator:/home/example.com/administrator:/bin/bash
>
> On one of my DCs:
>
> wbinfo -i administrator
> EXAMPLE\Administrator:*:0:10000::/home/EXAMPLE/Administrator:/bin/bash
>
> and from idmap.ldb (created by the provision):
>
> dn: CN=S-1-5-21-2025076216-3455336656-3842161122-500
> cn: S-1-5-21-2025076216-3455336656-3842161122-500
> objectClass: sidMap
> objectSid: S-1-5-21-2025076216-3455336656-3842161122-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=S-1-5-21-2025076216-3455336656-3842161122-500
>
> Oh look, it is mapped to '0', i.e. 'root'.
>
>> So the winbind devs obviously also think that Administrator should be
>> mapped like every other domain user.
>
> Do you want to retract that last statement?
>
>> The nice thing about this is that RFC2307-enabled winbind hosts,
>> sssd-ad hosts and winbind hosts still using RID can all coexist
>> peacefully and with the same UID/GID mapping (a need I had, thus
>> creating the need for the migration script).
>>
>> But as I can see this is strictly a personal thing for you, it is of
>> course okay to not give administrator a UID. You can just exclude the
>> user in the script, so the functionality can still be used as a base,
>> or you can throw it in the garbage if you want to :) I was worried
>> that there were any technical consequences that I somewhat had missed
>> for years.
>>
>> Regards,
>> Hans-Kristian
>
> Yes, you seem to be missing the fact that 'Administrator' is a special
> Windows user and shouldn't be turned into a normal Unix user.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 30/01/15 17:29, Hans-Kristian Bakke wrote:
> On one of your DCs? As in you run Samba for your DCs?
>
> This thread was using Server 2012 R2 as DCs, and that was what my
> response was aimed at. I am also using Server 2012 R2 for DCs. In this
> case the Administrator is "just a user" seen from the Linux boxes.
> That Administrator is assigned a root role in a Samba DC is not a
> surprise for me, as it then becomes more than an external Windows user,
> but rather has to somewhat resemble the "full access" special internal
> role an Administrator has on a Windows domain.
>
> With this misunderstanding out of the way I can see your arguments. I
> find it rather confusing that you use arguments for the Samba DC in a
> thread for a Server 2012 R2 use case, but that might just be me.
>
> --
> Regards,
> Hans-Kristian
>
> On 30 January 2015 at 18:12, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 30/01/15 16:55, Hans-Kristian Bakke wrote:
>>> I still do not follow you. An additional reason for including
>>> administrator in the first place, not including that I actually want
>>> it to work against the Linux boxes like every other domain user, was
>>> because winbind returns the exact same mapping when using idmap
>>> backend RID with range 300000-499999 (i.e. not rfc2307 attributes)
>>>
>>>> wbinfo -i administrator
>>> administrator:*:300500:300513:Administrator:/home/example.com/administrator:/bin/bash
>>
>> On one of my DCs:
>>
>> wbinfo -i administrator
>> EXAMPLE\Administrator:*:0:10000::/home/EXAMPLE/Administrator:/bin/bash
>>
>> and from idmap.ldb (created by the provision):
>>
>> dn: CN=S-1-5-21-2025076216-3455336656-3842161122-500
>> cn: S-1-5-21-2025076216-3455336656-3842161122-500
>> objectClass: sidMap
>> objectSid: S-1-5-21-2025076216-3455336656-3842161122-500
>> type: ID_TYPE_UID
>> xidNumber: 0
>> distinguishedName: CN=S-1-5-21-2025076216-3455336656-3842161122-500
>>
>> Oh look, it is mapped to '0', i.e. 'root'.
>>
>>> So the winbind devs obviously also think that Administrator should be
>>> mapped like every other domain user.
>>
>> Do you want to retract that last statement?
>>
>>> The nice thing about this is that RFC2307-enabled winbind hosts,
>>> sssd-ad hosts and winbind hosts still using RID can all coexist
>>> peacefully and with the same UID/GID mapping (a need I had, thus
>>> creating the need for the migration script).
>>>
>>> But as I can see this is strictly a personal thing for you, it is of
>>> course okay to not give administrator a UID. You can just exclude the
>>> user in the script, so the functionality can still be used as a base,
>>> or you can throw it in the garbage if you want to :) I was worried
>>> that there were any technical consequences that I somewhat had missed
>>> for years.
>>>
>>> Regards,
>>> Hans-Kristian
>>
>> Yes, you seem to be missing the fact that 'Administrator' is a special
>> Windows user and shouldn't be turned into a normal Unix user.
>>
>> Rowland

The thread sort of degenerated away from the original topic, and as such I can understand why we disagree, but only up to a point. I think we should stop here before it starts getting silly :-)

Rowland