On 12/02/2016 16:35, Rowland penny wrote:
> On 12/02/16 14:42, Alessandro Baggi wrote:
>> Hi list,
>> maybe you remember my last post about configuring samba4 as AD and
>> related problems.
>>
>> Today I've found another issue, this is not a problem but I need
>> clarification.
>>
>> After domain provisioning (samba-tool domain provision) I got my
>> domain created. During provisioning Administrator user (and other users)
>> and groups are created. During this procedure smbd is off and started
>> after provisioning. Running getent passwd and getent group I found that
>> Administrator User has uid 0 (like root) and Domain Users group has
>> gid 100 (like users group).
>>
>> Is this type of config safe? Is there no conflict with other users
>> with the same uid/gid? Must Administrator have uid 0 or can it have
>> another uid?
>>
>> If Administrator can have another uid, how can I specify a different uid?
>>
>> Thanks in advance.
>>
>
> There are two schools of thought here, you can give administrator a
> uidNumber, but this would turn Administrator into just another Unix user
> and as such wouldn't be able to do anything that is required. You can
> work around this by using members of Domain Admins and giving the group
> the required permissions on Unix machines.
>
> The other way is the way that Samba does it, the AD user 'Administrator'
> is mapped to the Unix user 'root', this allows 'Administrator' to change
> Unix settings from windows. You do not actually have to use 'root' to
> change anything on a Unix machine, you can change the settings from a
> windows machine as 'Administrator', this is the way I would suggest
> doing things.
>
> The same goes for 'Domain Users', on a DC, this group is mapped to the
> Unix group 'users'
>
> Rowland
>

Hi Rowland,
thank you for the answer.

What do you think is the better approach? In a traditional MS AD service Administrator has uid 0, but what are the security implications with 2 users with the same id, in this case 0.

Is there software that I can use for AD samba administration from Win?

Thanks in advance.

On 15/02/16 11:25, Alessandro Baggi wrote:
> Hi Rowland,
> thank you for the answer.
>
> What do you think is the better approach? In a traditional MS AD
> service Administrator has uid 0, but what are the security implications
> with 2 users with the same id, in this case 0.

You haven't really got two users with uid '0', what you have got is the 'root' user on Unix, this must be '0', and the 'Administrator' user on windows which has the RID '500'. The 'Administrator' user gets mapped to 'root' and inherits root's permissions, so as far as the two systems are concerned, you only have one user on each system, but the windows one impersonates the Unix one when required.

> Is there software that I can use for AD samba administration from Win?

You can use ADUC.

Rowland

> Thanks in advance.

On 15/02/2016 12:59, Rowland penny wrote:
>> What do you think is the better approach? In a traditional MS AD
>> service Administrator has uid 0, but what are the security implications
>> with 2 users with the same id, in this case 0.
>
> You haven't really got two users with uid '0', what you have got is
> the 'root' user on Unix, this must be '0', and the 'Administrator' user
> on windows which has the RID '500'. The 'Administrator' user gets mapped
> to 'root' and inherits root's permissions, so as far as the two systems
> are concerned, you only have one user on each system, but the windows
> one impersonates the Unix one when required.
>
>> Is there software that I can use for AD samba administration from Win?
>
> You can use ADUC.
>
> Rowland

Thanks for clarification.
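The observation that started the thread (two names resolving to uid 0 and two groups to gid 100) can be audited with the script below, which is an added example and not part of the original messages. The function name `shared_ids`, the domain `EXAMPLE` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report every numeric ID that more than one name resolves to.
# Input is passwd- or group-format text (name:pw:id:...). On a DC:
#   getent passwd | shared_ids
#   getent group  | shared_ids
# Winbind only lists domain accounts in a full getent dump when
# "winbind enum users" / "winbind enum groups" are enabled in smb.conf.

shared_ids() {
    # Prints one line per shared ID: "<id> <name1>,<name2>,..."
    awk -F: '
        NF >= 3 && $3 ~ /^[0-9]+$/ {
            count[$3]++
            names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1)
        }
        END {
            for (id in count)
                if (count[id] > 1)
                    print id, names[id]
        }
    ' | sort -n
}

# Constructed sample of `getent passwd` output (EXAMPLE is a placeholder
# domain): local accounts first, then winbind-provided domain accounts.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
EXAMPLE\administrator:*:0:100::/home/EXAMPLE/administrator:/bin/false
EXAMPLE\alice:*:3000020:100::/home/EXAMPLE/alice:/bin/false
EOF
}

# Constructed sample of `getent group` output.
sample_group() {
cat <<'EOF'
root:x:0:
users:x:100:
EXAMPLE\domain users:x:100:
EOF
}

# Run against the constructed samples when executed directly.
sample_passwd | shared_ids
sample_group | shared_ids
```

Any line it prints other than the mappings Rowland describes (Administrator to root, Domain Users to users) is an ID collision worth reviewing.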