Fred F
2018-Feb-07 20:37 UTC
[Samba] RFC2307: Recommendations for mapping Administrator account
Hi,

I provisioned a new domain with "--use-rfc2307" as I want to use the "ad" idmap backend on my domain members.

I am thinking of mapping the "Administrator" account to UID 10000 (this is where my UID range for the domain will be starting), as the account must be known to the domain members (otherwise I got funny behavior). It seems a lot of people are mapping that account to root (UID 0) though. Even the Samba Wiki mentions that. Is that such a good idea?

I know that mapping the account to uidNumber=0 using RFC2307 AD attrs will not work globally, as this is out of the idmap range. I could map the account on each member locally using a custom username map, but I was wondering if this is even desirable.

Does it have any implications on the Samba AD DC, if the Administrator account has such a custom mapping? From what I understand the UID on the DC will still be 0.

Thanks,
Frederik
Rowland Penny
2018-Feb-08 08:42 UTC
[Samba] RFC2307: Recommendations for mapping Administrator account
On Wed, 7 Feb 2018 21:37:06 +0100
Fred F via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I provisioned a new domain with "--use-rfc2307" as I want to use the
> "ad" idmap backend on my domain members.
>
> I am thinking of mapping the "Administrator" account to UID 10000
> (this is where my UID range for the domain will be starting), as the
> account must be known to the domain members (otherwise I got funny
> behavior). It seems a lot of people are mapping that account to root
> (UID 0) though. Even the Samba Wiki mentions that. Is that such a good
> idea?
>
> I know that mapping the account to uidNumber=0 using RFC2307 AD attrs
> will not work globally, as this is out of the idmap range. I could map
> the account on each member locally using a custom username map, but I
> was wondering if this is even desirable.
>
> Does it have any implications on the Samba AD DC, if the Administrator
> account has such a custom mapping? From what I understand the UID on
> the DC will still be 0.
>

If you map Administrator to '10000' then it will become '10000' everywhere and Administrator will become just another Unix user.

Administrator is mapped to '0' on a DC in idmap.ldb; you can also map Administrator to '0' on a Unix domain member by creating a user.map and adding the relevant line to smb.conf.

The short answer to your question is: do not map Administrator to '10000'.

Rowland
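A small check of the two mechanisms discussed above (the idmap range from smb.conf, and a user.map override handled by "username map"), added here as an example and not taken from the thread or from Samba itself; the smb.conf fragment, the user.map contents and the RFC2307 uidNumber values are constructed, and the user.map handling assumes entries that map to root only:

```python
import re

# Constructed smb.conf fragment for a domain member using the "ad"
# idmap backend with the domain UID range starting at 10000.
SMB_CONF = """
[global]
   workgroup = SAMDOM
   security = ADS
   username map = /etc/samba/user.map
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
"""

# Constructed user.map: maps the domain Administrator to local root.
USER_MAP = """
!root = SAMDOM\\Administrator
"""

def idmap_ranges(conf):
    """Return {domain: (low, high)} from every 'idmap config X : range' line."""
    ranges = {}
    for m in re.finditer(r"idmap config (\S+) : range = (\d+)-(\d+)", conf):
        ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def username_map(text):
    """Parse user.map lines of the form '[!]unixname = DOMAIN\\winname ...'."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        unix, _, wins = line.lstrip("!").partition("=")
        for win in wins.split():
            mapping[win.lower()] = unix.strip()
    return mapping

def effective_uid(domain, user, uid_number, ranges, umap):
    """UID the member would use: user.map wins, else uidNumber if in range."""
    unix = umap.get(f"{domain}\\{user}".lower())
    if unix == "root":          # mapped locally to root, regardless of AD attrs
        return 0
    low, high = ranges[domain]
    if low <= uid_number <= high:
        return uid_number
    return None                 # uidNumber outside the idmap range: unmapped

if __name__ == "__main__":
    ranges, umap = idmap_ranges(SMB_CONF), username_map(USER_MAP)
    for name, uid in (("Administrator", 0), ("fred", 10000), ("stale", 2500)):
        print(name, effective_uid("SAMDOM", name, uid, ranges, umap))
```

With the user.map in place Administrator resolves to 0; without it, its uidNumber=0 falls outside 10000-999999 and the account stays unmapped on the member.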
Denis Cardon
2018-Feb-08 09:55 UTC
[Samba] RFC2307: Recommendations for mapping Administrator account
Hi Frederik,

> I provisioned a new domain with "--use-rfc2307" as I want to use the
> "ad" idmap backend on my domain members.

Unless you have really specific requirements, you should really stick with RID mapping; it will be easier in the long run.

> I am thinking of mapping the "Administrator" account to UID 10000
> (this is where my UID range for the domain will be starting), as the
> account must be known to the domain members (otherwise I got funny
> behavior). It seems a lot of people are mapping that account to root
> (UID 0) though. Even the Samba Wiki mentions that. Is that such a good
> idea?

root on Linux would be the equivalent of "Local System" on Windows. The Windows Administrator account is definitely not "Local System", so in order to follow the privilege separation of Windows, I would say it is better not to map Administrator to root.

Moreover, in a more security-conscious context, the Administrator account should not be used at all, since it does not map to a physical named person. The best thing is to disable that account altogether, and have named accounts like dcardon-adm as part of "domain admins" for specific tasks needing "domain admins" rights. But even in this case, except for joining a new DC (and a few other infrequent things like changing the schema), you shouldn't need "domain admins" level privileges. You should just use delegated rights on the OU you are managing.

Cheers,

Denis

> I know that mapping the account to uidNumber=0 using RFC2307 AD attrs
> will not work globally, as this is out of the idmap range. I could map
> the account on each member locally using a custom username map, but I
> was wondering if this is even desirable.
>
> Does it have any implications on the Samba AD DC, if the Administrator
> account has such a custom mapping? From what I understand the UID on
> the DC will still be 0.
>
> Thanks,
> Frederik
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
Rowland Penny
2018-Feb-08 10:16 UTC
[Samba] RFC2307: Recommendations for mapping Administrator account
On Thu, 8 Feb 2018 10:55:30 +0100
Denis Cardon via samba <samba at lists.samba.org> wrote:

> Hi Frederik,
>
> > I provisioned a new domain with "--use-rfc2307" as I want to use the
> > "ad" idmap backend on my domain members.
>
> unless you have really specific requirements, you should really stick
> with RID mapping, it will be easier on the long run.

Yes, but then you are stuck with using the same Unix home directory paths and login shells for everybody.

> > I am thinking of mapping the "Administrator" account to UID 10000
> > (this is where my UID range for the domain will be starting), as the
> > account must be known to the domain members (otherwise I got funny
> > behavior). It seems a lot of people are mapping that account to root
> > (UID 0) though. Even the Samba Wiki mentions that. Is that such a
> > good idea?
>
> root on linux would be the equivalent of "Local System" on Windows.
> Windows Administrator account is definitely not "Local System", so in
> order to follow privileges separation of Windows, I would say it is
> better not to map Administrator to root.

'root' is not the equivalent of 'SYSTEM', and the Samba DC maps 'Administrator' to 'root' by default.

> Moreover, in more security conscious context, Administrator account
> should not be used altogether, since it does not map to a physical
> named person.

If you follow this thinking, then quite a few AD accounts should be removed.

> The best thing is to disable that account altogether, and have named
> accounts like dcardon-adm part of "domain admins" for specific tasks
> needing "domain admins" rights. But even in this case, except for
> joining a new DC (and a few non frequent other things like changing
> the schema), you shouldn't need "domain admins" level privileges. You
> should just use Delegated rights on the OU you are managing.
>

By all means create new groups; I use 'Unix Admins' instead of 'Domain Admins'.

This is all down to how the sysadmin wants to work. I personally wouldn't disable 'Administrator'; rename it, yes.

Rowland