Rowland Penny
2018-Feb-08 10:16 UTC
[Samba] RFC2307: Recommendations for mapping Administrator account
On Thu, 8 Feb 2018 10:55:30 +0100 Denis Cardon via samba <samba at lists.samba.org> wrote:> Hi Frederik, > > > I provisioned a new domain with "--use-rfc2307" as I want to use the > > "ad" idmap backend on my domain members. > > unless you have really specific requirements, you should really stick > with RID mapping, it will be easier on the long run.Yes, but then you are stuck with using the same Unix home directory paths and login shells for everybody.> > > I am thinking of mapping the "Administrator" account to UID 10000 > > (this is where my UID range for the domain will be starting), as the > > account must be known to the domain members (otherwise I got funny > > behavior).It seems a lot of people are mapping that account to root > > (UID 0) though. Even the Samba Wiki mentions that. Is that such a > > good idea? > > root on linux would be the equivalent of "Local System" on Windows. > Windows Administrator account is definitly not "Local System", so in > order to follow privileges separation of Windows, I would say it is > better not to map Administrator to root.'root' is not the equivalent 'SYSTEM' and the Samba DC maps 'Administrator' to 'root' by default.> > Moreover, in more security conscious context, Administrator account > should not be used alltogether, since it does not map to a physical > named person.If you follow this thinking, then quite a few AD accounts should be removed.> > The best thing is to disable that account altogether, and have named > accounts like dcardon-adm part of "domain admins" for specific tasks > needing "domain admins" rights. But even in this case, except for > joining a new DC (and a few non frequent other things like changing > the schema), you shouldn't need "domain admins" level privileges. You > should just use Delegated rights on the OU you are managing. >By all means create new groups, I use 'Unix Admins' instead of 'Domain Admins'. This is all down to how the sysadmin wants to work, I personally wouldn't disable 'Administrator', rename it yes. Rowland
Marco Gaiarin
2018-Feb-08 10:25 UTC
[Samba] RFC2307: Recommendations for mapping Administrator account
Mandi! Rowland Penny via samba In chel di` si favelave...> > > I provisioned a new domain with "--use-rfc2307" as I want to use the > > > "ad" idmap backend on my domain members. > > unless you have really specific requirements, you should really stick > > with RID mapping, it will be easier on the long run. > Yes, but then you are stuck with using the same Unix home directory > paths and login shells for everybody.I add: also, using AD (on domain members) you can control what users are windows-only (and LDAP) users, and what user are also UNIX/POSIX ones. Eg, only users with UID (and with a primary group that have a GID) appear as UNIX users. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
Denis Cardon
2018-Feb-08 10:37 UTC
[Samba] RFC2307: Recommendations for mapping Administrator account
Hi Rowland,>>> I provisioned a new domain with "--use-rfc2307" as I want to use the >>> "ad" idmap backend on my domain members. >> >> unless you have really specific requirements, you should really stick >> with RID mapping, it will be easier on the long run. > > Yes, but then you are stuck with using the same Unix home directory > paths and login shells for everybody.Life is a series of trade-offs...>>> I am thinking of mapping the "Administrator" account to UID 10000 >>> (this is where my UID range for the domain will be starting), as the >>> account must be known to the domain members (otherwise I got funny >>> behavior).It seems a lot of people are mapping that account to root >>> (UID 0) though. Even the Samba Wiki mentions that. Is that such a >>> good idea? >> >> root on linux would be the equivalent of "Local System" on Windows. >> Windows Administrator account is definitly not "Local System", so in >> order to follow privileges separation of Windows, I would say it is >> better not to map Administrator to root. > > 'root' is not the equivalent 'SYSTEM'could you please elaborate? An account that has all privileges on the local system, well, how would you call that? > and the Samba DC maps 'Administrator' to 'root' by default. better privilege separation is something that is being looked at. Cheers, Denis>> Moreover, in more security conscious context, Administrator account >> should not be used alltogether, since it does not map to a physical >> named person. > > If you follow this thinking, then quite a few AD accounts should be > removed. > >> >> The best thing is to disable that account altogether, and have named >> accounts like dcardon-adm part of "domain admins" for specific tasks >> needing "domain admins" rights. But even in this case, except for >> joining a new DC (and a few non frequent other things like changing >> the schema), you shouldn't need "domain admins" level privileges. You >> should just use Delegated rights on the OU you are managing. >> > > By all means create new groups, I use 'Unix Admins' instead of 'Domain > Admins'. This is all down to how the sysadmin wants to work, I > personally wouldn't disable 'Administrator', rename it yes. > > Rowland >-- Denis Cardon Tranquil IT Systems Les Espaces Jules Verne, bâtiment A 12 avenue Jules Verne 44230 Saint Sébastien sur Loire tel : +33 (0) 2.40.97.57.55 http://www.tranquil.it Samba install wiki for Frenchies : https://dev.tranquil.it WAPT, software deployment made easy : https://wapt.fr
Fred F
2018-Feb-08 18:01 UTC
[Samba] RFC2307: Recommendations for mapping Administrator account
Hi, thank you for your input guys. 2018-02-08 10:55 GMT+01:00 Denis Cardon <dcardon at tranquil.it>:> unless you have really specific requirements, you should really stick with > RID mapping, it will be easier on the long run.I think that would actually be more pain in the long run, as this pretty much rules out using Samba/AD with sssd/nss-ldap. 2018-02-08 11:25 GMT+01:00 Marco Gaiarin via samba <samba at lists.samba.org>:>> Yes, but then you are stuck with using the same Unix home directory >> paths and login shells for everybody.Yeah, I definitely need different login shells. I only want a few users to actually be able to log into Linux machines. The non-Linux users should still be resolvable on my Samba file server though, as I will be setting ACLs for them there (mostly group-based ACLs though, but group membership should also be resolvable).> I add: also, using AD (on domain members) you can control what users > are windows-only (and LDAP) users, and what user are also UNIX/POSIX > ones.Well in my scenario I just want all of them to be just "users", but some of them are not allowed to log in on Linux machines (such as Administrator). When managing ACLs with POSIX ACLs I need to map all Samba users and most groups to UIDs/GIDs, that's why I am using RFC2307 attributes.>From the discussion I've learned that there is no actual technicalnecessity for the Administrator user to be present at all, so I could either delete/disable it or map it to a regular UID just like any other regular user. I am not adventurous enough to entirely delete the account (what about sysvol permission then?), though. For me the consistency of UIDs/GIDs on POSIX ACLs is very important, as I will also be sharing a few directories with both Samba and NFSv4. I guess I'll go with the UID 10000 mapping then. Local mapping just does not seem right, as I would run into problems on systems without winbind (systems with only sssd for example). Thanks, Frederik
Maybe Matching Threads
- RFC2307: Recommendations for mapping Administrator account
- Upgraded a member server to 4.8, rfc2307 data?
- Avoiding uid conflicts between rfc2307 user/groups and computers
- Upgraded a member server to 4.8, rfc2307 data?
- Upgraded a member server to 4.8, rfc2307 data?