Rowland Penny
2018-Feb-08 10:16 UTC
[Samba] RFC2307: Recommendations for mapping Administrator account
On Thu, 8 Feb 2018 10:55:30 +0100 Denis Cardon via samba <samba at lists.samba.org> wrote:

> Hi Frederik,
>
> > I provisioned a new domain with "--use-rfc2307" as I want to use the
> > "ad" idmap backend on my domain members.
>
> unless you have really specific requirements, you should really stick
> with RID mapping, it will be easier in the long run.

Yes, but then you are stuck with using the same Unix home directory paths and login shells for everybody.

> > I am thinking of mapping the "Administrator" account to UID 10000
> > (this is where my UID range for the domain will be starting), as the
> > account must be known to the domain members (otherwise I got funny
> > behavior). It seems a lot of people are mapping that account to root
> > (UID 0) though. Even the Samba Wiki mentions that. Is that such a
> > good idea?
>
> root on linux would be the equivalent of "Local System" on Windows.
> Windows Administrator account is definitely not "Local System", so in
> order to follow the privilege separation of Windows, I would say it is
> better not to map Administrator to root.

'root' is not the equivalent of 'SYSTEM', and the Samba DC maps 'Administrator' to 'root' by default.

> Moreover, in a more security conscious context, the Administrator account
> should not be used altogether, since it does not map to a physical
> named person.

If you follow this thinking, then quite a few AD accounts should be removed.

> The best thing is to disable that account altogether, and have named
> accounts like dcardon-adm part of "domain admins" for specific tasks
> needing "domain admins" rights. But even in this case, except for
> joining a new DC (and a few non frequent other things like changing
> the schema), you shouldn't need "domain admins" level privileges. You
> should just use Delegated rights on the OU you are managing.

By all means create new groups, I use 'Unix Admins' instead of 'Domain Admins'. This is all down to how the sysadmin wants to work, I personally wouldn't disable 'Administrator', rename it yes.

Rowland
Marco Gaiarin
2018-Feb-08 10:25 UTC
[Samba] RFC2307: Recommendations for mapping Administrator account
Hi! Rowland Penny via samba wrote:

> > > I provisioned a new domain with "--use-rfc2307" as I want to use the
> > > "ad" idmap backend on my domain members.
> > unless you have really specific requirements, you should really stick
> > with RID mapping, it will be easier in the long run.
> Yes, but then you are stuck with using the same Unix home directory
> paths and login shells for everybody.

I add: also, using AD (on domain members) you can control which users are Windows-only (and LDAP) users, and which users are also UNIX/POSIX ones. E.g., only users with a UID (and with a primary group that has a GID) appear as UNIX users.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Denis Cardon
2018-Feb-08 10:37 UTC
[Samba] RFC2307: Recommendations for mapping Administrator account
Hi Rowland,

>>> I provisioned a new domain with "--use-rfc2307" as I want to use the
>>> "ad" idmap backend on my domain members.
>>
>> unless you have really specific requirements, you should really stick
>> with RID mapping, it will be easier in the long run.
>
> Yes, but then you are stuck with using the same Unix home directory
> paths and login shells for everybody.

Life is a series of trade-offs...

>>> I am thinking of mapping the "Administrator" account to UID 10000
>>> (this is where my UID range for the domain will be starting), as the
>>> account must be known to the domain members (otherwise I got funny
>>> behavior). It seems a lot of people are mapping that account to root
>>> (UID 0) though. Even the Samba Wiki mentions that. Is that such a
>>> good idea?
>>
>> root on linux would be the equivalent of "Local System" on Windows.
>> Windows Administrator account is definitely not "Local System", so in
>> order to follow the privilege separation of Windows, I would say it is
>> better not to map Administrator to root.
>
> 'root' is not the equivalent of 'SYSTEM'

could you please elaborate? An account that has all privileges on the local system, well, how would you call that?

> and the Samba DC maps 'Administrator' to 'root' by default.

better privilege separation is something that is being looked at.

Cheers,
Denis

>> Moreover, in a more security conscious context, the Administrator account
>> should not be used altogether, since it does not map to a physical
>> named person.
>
> If you follow this thinking, then quite a few AD accounts should be
> removed.
>
>> The best thing is to disable that account altogether, and have named
>> accounts like dcardon-adm part of "domain admins" for specific tasks
>> needing "domain admins" rights. But even in this case, except for
>> joining a new DC (and a few non frequent other things like changing
>> the schema), you shouldn't need "domain admins" level privileges. You
>> should just use Delegated rights on the OU you are managing.
>
> By all means create new groups, I use 'Unix Admins' instead of 'Domain
> Admins'. This is all down to how the sysadmin wants to work, I
> personally wouldn't disable 'Administrator', rename it yes.
>
> Rowland

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
Fred F
2018-Feb-08 18:01 UTC
[Samba] RFC2307: Recommendations for mapping Administrator account
Hi, thank you for your input guys.

2018-02-08 10:55 GMT+01:00 Denis Cardon <dcardon at tranquil.it>:

> unless you have really specific requirements, you should really stick with
> RID mapping, it will be easier in the long run.

I think that would actually be more pain in the long run, as this pretty much rules out using Samba/AD with sssd/nss-ldap.

2018-02-08 11:25 GMT+01:00 Marco Gaiarin via samba <samba at lists.samba.org>:

> > Yes, but then you are stuck with using the same Unix home directory
> > paths and login shells for everybody.

Yeah, I definitely need different login shells. I only want a few users to actually be able to log into Linux machines. The non-Linux users should still be resolvable on my Samba file server though, as I will be setting ACLs for them there (mostly group-based ACLs though, but group membership should also be resolvable).

> I add: also, using AD (on domain members) you can control which users
> are Windows-only (and LDAP) users, and which users are also UNIX/POSIX
> ones.

Well in my scenario I just want all of them to be just "users", but some of them are not allowed to log in on Linux machines (such as Administrator). When managing ACLs with POSIX ACLs I need to map all Samba users and most groups to UIDs/GIDs, that's why I am using RFC2307 attributes.

From the discussion I've learned that there is no actual technical necessity for the Administrator user to be present at all, so I could either delete/disable it or map it to a regular UID just like any other regular user. I am not adventurous enough to entirely delete the account (what about sysvol permissions then?), though.

For me the consistency of UIDs/GIDs on POSIX ACLs is very important, as I will also be sharing a few directories with both Samba and NFSv4. I guess I'll go with the UID 10000 mapping then. Local mapping just does not seem right, as I would run into problems on systems without winbind (systems with only sssd for example).

Thanks,
Frederik
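The thread makes two practical points worth checking mechanically before a domain member is switched to the "ad" idmap backend: Marco's rule that an account only shows up as a UNIX user when it has a uidNumber and its primary group has a gidNumber, and the warning against giving Administrator UID 0 (and, for Frederik's NFSv4 use case, against two accounts sharing one UID). The Python script below is an added example, not code from the thread or from the Samba project: it reads a small LDIF export that is constructed here (the SIDs, names and UIDs are made up, and the real Administrator RID is 500, not the sample value) and reports, per user, which of those conditions fail. The parser deliberately ignores LDIF line folding and base64 values, which is enough for a `ldbsearch`/`ldapsearch` style dump of the attributes shown.

```python
"""Audit the RFC2307 attributes of an AD export before pointing domain
members at idmap_ad.  Added example, not part of the mailing-list thread."""
from collections import defaultdict

# Constructed sample export (NOT a real domain): five users and two groups.
# primaryGroupID on a user is the RID, i.e. the last component of the group's objectSid.
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: Administrator
primaryGroupID: 513
uidNumber: 0

dn: CN=frederik,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: frederik
primaryGroupID: 513
uidNumber: 10001

dn: CN=winonly,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: winonly
primaryGroupID: 513

dn: CN=svc-backup,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: svc-backup
primaryGroupID: 1105
uidNumber: 10002

dn: CN=svc-old,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: svc-old
primaryGroupID: 513
uidNumber: 10002

dn: CN=Domain Users,CN=Users,DC=example,DC=test
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-1-2-3-513
gidNumber: 10000

dn: CN=backup-ops,CN=Users,DC=example,DC=test
objectClass: group
sAMAccountName: backup-ops
objectSid: S-1-5-21-1-2-3-1105
"""


def parse_ldif(text):
    """Parse a flat LDIF dump into a list of {attribute: [values]} dicts.
    Line folding and base64 (':: ') values are not handled on purpose."""
    entries, current = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(": ")
        current[attr].append(value)
    if current:
        entries.append(dict(current))
    return entries


def audit_rfc2307(entries, uid_range=(10000, 99999)):
    """Return {sAMAccountName: [problem, ...]} for every user object.
    uid_range mirrors the 'idmap config DOMAIN : range' a member would use."""
    lo, hi = uid_range
    # RID -> gidNumber (None when the group carries no gidNumber)
    group_gid = {}
    for e in entries:
        if "group" in e.get("objectClass", []):
            rid = e["objectSid"][0].rsplit("-", 1)[1]
            group_gid[rid] = e.get("gidNumber", [None])[0]
    users = [e for e in entries if "user" in e.get("objectClass", [])]
    uid_owners = defaultdict(list)           # uidNumber -> account names
    for u in users:
        if "uidNumber" in u:
            uid_owners[u["uidNumber"][0]].append(u["sAMAccountName"][0])
    report = {}
    for u in users:
        name, problems = u["sAMAccountName"][0], []
        uid = u.get("uidNumber", [None])[0]
        if uid is None:
            problems.append("no uidNumber: Windows-only, will not resolve on idmap_ad members")
        else:
            uidn = int(uid)
            if uidn == 0:
                problems.append("uidNumber 0: account becomes root on every member")
            elif not lo <= uidn <= hi:
                problems.append(f"uidNumber {uidn} outside idmap range {lo}-{hi}")
            others = [n for n in uid_owners[uid] if n != name]
            if others:
                problems.append(f"uidNumber {uidn} also used by {', '.join(others)}")
        rid = u.get("primaryGroupID", [None])[0]
        if rid is not None and group_gid.get(rid) is None:
            problems.append(f"primary group RID {rid} has no gidNumber (or no group object): user will not resolve")
        report[name] = problems
    return report


def clean_accounts(report):
    """Accounts with no findings, i.e. safe to expose through idmap_ad as-is."""
    return sorted(name for name, problems in report.items() if not problems)


if __name__ == "__main__":
    result = audit_rfc2307(parse_ldif(SAMPLE_LDIF))
    for account, problems in result.items():
        print(account, "OK" if not problems else "; ".join(problems))
```

On the constructed data, Administrator is flagged for UID 0, winonly is reported as Windows-only, and the two service accounts are flagged for sharing a UID, with svc-backup additionally failing Marco's primary-group rule because backup-ops has no gidNumber; only frederik comes out clean. Run against a real dump, the same checks show which accounts will silently not resolve on idmap_ad members and which would collide on an NFSv4 export.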