samba - Jun 2019 - Disabling or deleting domain "Administrator" account

Hello,

A client is asking about disabling, deleting or renaming the domain
"Administrator" account on a Samba AD. I've seen this done on
Windows
AD domains for security purposes.

Assuming the risk of being locked-out is mitigated (i.e. an equivalent
user is created and is a member of the same groups), is there any
reason this can't be done on a Samba AD as well?

Is the "Administrator" account used for anything "special"
that would
cause problems if the account were disabled, deleted, or renamed?

Thank you,
Jonathon Reinhart

On Mon, 2019-06-17 at 01:01 -0400, Jonathon Reinhart via samba
wrote:
> Hello,
> 
> A client is asking about disabling, deleting or renaming the domain
> "Administrator" account on a Samba AD. I've seen this done on
Windows
> AD domains for security purposes.
> 
> Assuming the risk of being locked-out is mitigated (i.e. an equivalent
> user is created and is a member of the same groups), is there any
> reason this can't be done on a Samba AD as well?
Much less than on windows, because root can always edit the DB to put
it back. 
> Is the "Administrator" account used for anything
"special" that would
> cause problems if the account were disabled, deleted, or renamed?
Don't delete it.  It should be fine to disable it and set a randompassword. 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Hi Jonathon,
>
> A client is asking about disabling, deleting or renaming the domain
> "Administrator" account on a Samba AD. I've seen this done on
Windows
> AD domains for security purposes.
administrator account is not nominative, and as such should not be used. 
So disabling it and creating personal domain admin (for example 
jdoe-adadm, different from the delegated admin account jdoe-adm, and 
different from the personal account jdoe) is recommended.
> Assuming the risk of being locked-out is mitigated (i.e. an equivalent
> user is created and is a member of the same groups), is there any
> reason this can't be done on a Samba AD as well?
like Andrew was saying, Samba-AD has an advantage here in the sense that 
Samba is just a service above your Linux OS (or whatever OS you are 
using). So if you need to re-enable it at some point, you can always ssh 
to the box and re-enable it.

Cheers,

Denis
>
> Is the "Administrator" account used for anything
"special" that would
> cause problems if the account were disabled, deleted, or renamed?
>
> Thank you,
> Jonathon Reinhart
>
-- 
Denis Cardon
Tranquil IT
12 avenue Jules Verne (Bat. A)
44230 Saint S?bastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755
http://www.tranquil.it

Tranquil IT recrute! https://www.tranquil.it/nous-rejoindre/
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr