Hi list,
maybe you remember my last post about configuring samba4 as AD and related problems.

Today I've found another issue; this is not a problem but I need clarification.

After domain provisioning (samba-tool domain provision) I got my domain created. During provisioning the Administrator user (and other users) and groups are created. During this procedure smbd is off and started after provisioning. Running getent passwd and getent group I found that the Administrator user has uid 0 (like root) and the Domain Users group has gid 100 (like users group).

Is this type of config safe? Is there no conflict with other users with the same uid/gid? Must Administrator have uid 0 or can it have another uid?

If Administrator can have another uid, how can I specify a different uid?

Thanks in advance.

On 12/02/16 14:42, Alessandro Baggi wrote:
> Hi list,
> maybe you remember my last post about configuring samba4 as AD and
> related problems.
>
> Today I've found another issue; this is not a problem but I need
> clarification.
>
> After domain provisioning (samba-tool domain provision) I got my
> domain created. During provisioning the Administrator user (and other
> users) and groups are created. During this procedure smbd is off and
> started after provisioning. Running getent passwd and getent group I
> found that the Administrator user has uid 0 (like root) and the Domain
> Users group has gid 100 (like users group).
>
> Is this type of config safe? Is there no conflict with other users
> with the same uid/gid? Must Administrator have uid 0 or can it have
> another uid?
>
> If Administrator can have another uid, how can I specify a different uid?
>
> Thanks in advance.
>

There are two schools of thought here. You can give Administrator a uidNumber, but this would turn Administrator into just another Unix user and as such wouldn't be able to do anything that is required. You can work around this by using members of Domain Admins and giving the group the required permissions on Unix machines.

The other way is the way that Samba does it: the AD user 'Administrator' is mapped to the Unix user 'root'. This allows 'Administrator' to change Unix settings from Windows. You do not actually have to use 'root' to change anything on a Unix machine, you can change the settings from a Windows machine as 'Administrator'. This is the way I would suggest doing things.

The same goes for 'Domain Users': on a DC, this group is mapped to the Unix group 'users'.

Rowland

On 12/02/2016 16:35, Rowland penny wrote:
> On 12/02/16 14:42, Alessandro Baggi wrote:
>> Hi list,
>> maybe you remember my last post about configuring samba4 as AD and
>> related problems.
>>
>> Today I've found another issue; this is not a problem but I need
>> clarification.
>>
>> After domain provisioning (samba-tool domain provision) I got my
>> domain created. During provisioning the Administrator user (and other
>> users) and groups are created. During this procedure smbd is off and
>> started after provisioning. Running getent passwd and getent group I
>> found that the Administrator user has uid 0 (like root) and the Domain
>> Users group has gid 100 (like users group).
>>
>> Is this type of config safe? Is there no conflict with other users
>> with the same uid/gid? Must Administrator have uid 0 or can it have
>> another uid?
>>
>> If Administrator can have another uid, how can I specify a different uid?
>>
>> Thanks in advance.
>>
>
> There are two schools of thought here. You can give Administrator a
> uidNumber, but this would turn Administrator into just another Unix user
> and as such wouldn't be able to do anything that is required. You can
> work around this by using members of Domain Admins and giving the group
> the required permissions on Unix machines.
>
> The other way is the way that Samba does it: the AD user 'Administrator'
> is mapped to the Unix user 'root'. This allows 'Administrator' to change
> Unix settings from Windows. You do not actually have to use 'root' to
> change anything on a Unix machine, you can change the settings from a
> Windows machine as 'Administrator'. This is the way I would suggest
> doing things.
>
> The same goes for 'Domain Users': on a DC, this group is mapped to the
> Unix group 'users'.
>
> Rowland
>

Hi Rowland,
thank you for the answer. What do you think is the better approach? In a traditional MS AD service Administrator has uid 0, but what are the security implications with 2 users with the same id, in this case 0?

Is there software that I can use for AD samba administration from Win?

Thanks in advance.
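
Added example, not part of the thread and not Samba's own code: a shell helper that lists every numeric id that more than one name resolves to, which is the check behind the uid 0 / gid 100 question above. The SAMDOM names and the id values in the sample data are constructed; on a live DC feed it `getent passwd` or `getent group` instead.

```shell
#!/bin/sh
# find_shared_ids: read passwd- or group-format lines on stdin
# (name:password:id:...) and print one line per numeric id that is
# shared by more than one name, as "<id> <name1>,<name2>,...".
find_shared_ids() {
    awk -F: '
        NF >= 3 && $3 ~ /^[0-9]+$/ {
            # getent can list the same entry from several NSS sources,
            # so count each (id, name) pair only once.
            if (!seen[$3 SUBSEP $1]++) {
                names[$3] = (count[$3] ? names[$3] "," : "") $1
                count[$3]++
            }
        }
        END {
            for (id in count)
                if (count[id] > 1) print id, names[id]
        }
    ' | sort -n
}

# Constructed sample of "getent passwd" on a DC (values are assumptions).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
SAMDOM\Administrator:*:0:100::/home/SAMDOM/Administrator:/bin/false
SAMDOM\bob:*:3000020:100::/home/SAMDOM/bob:/bin/false
EOF
}

# Constructed sample of "getent group" on a DC (values are assumptions).
sample_group() {
    cat <<'EOF'
root:x:0:
users:x:100:
SAMDOM\Domain Users:x:100:
SAMDOM\Domain Admins:x:3000004:
EOF
}

echo "shared uids:"; sample_passwd | find_shared_ids
echo "shared gids:"; sample_group | find_shared_ids
# Live use: getent passwd | find_shared_ids ; getent group | find_shared_ids
```

Any name listed next to uid 0 is treated as root by the kernel for file ownership and permission checks, so this list is the set of accounts to review.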