Jonathon Reinhart
2019-Jun-17 05:01 UTC
[Samba] Disabling or deleting domain "Administrator" account
Hello,

A client is asking about disabling, deleting or renaming the domain "Administrator" account on a Samba AD. I've seen this done on Windows AD domains for security purposes.

Assuming the risk of being locked-out is mitigated (i.e. an equivalent user is created and is a member of the same groups), is there any reason this can't be done on a Samba AD as well?

Is the "Administrator" account used for anything "special" that would cause problems if the account were disabled, deleted, or renamed?

Thank you,
Jonathon Reinhart
Andrew Bartlett
2019-Jun-17 05:10 UTC
[Samba] Disabling or deleting domain "Administrator" account
On Mon, 2019-06-17 at 01:01 -0400, Jonathon Reinhart via samba wrote:
> Hello,
>
> A client is asking about disabling, deleting or renaming the domain
> "Administrator" account on a Samba AD. I've seen this done on Windows
> AD domains for security purposes.
>
> Assuming the risk of being locked-out is mitigated (i.e. an equivalent
> user is created and is a member of the same groups), is there any
> reason this can't be done on a Samba AD as well?

Much less than on Windows, because root can always edit the DB to put it back.

> Is the "Administrator" account used for anything "special" that would
> cause problems if the account were disabled, deleted, or renamed?

Don't delete it. It should be fine to disable it and set a random password.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Denis Cardon
2019-Jun-17 09:32 UTC
[Samba] Disabling or deleting domain "Administrator" account
Hi Jonathon,

> A client is asking about disabling, deleting or renaming the domain
> "Administrator" account on a Samba AD. I've seen this done on Windows
> AD domains for security purposes.

The administrator account is not nominative, and as such should not be used. So disabling it and creating a personal domain admin (for example jdoe-adadm, different from the delegated admin account jdoe-adm, and different from the personal account jdoe) is recommended.

> Assuming the risk of being locked-out is mitigated (i.e. an equivalent
> user is created and is a member of the same groups), is there any
> reason this can't be done on a Samba AD as well?

Like Andrew was saying, Samba-AD has an advantage here in the sense that Samba is just a service above your Linux OS (or whatever OS you are using). So if you need to re-enable it at some point, you can always ssh to the box and re-enable it.

Cheers,
Denis

> Is the "Administrator" account used for anything "special" that would
> cause problems if the account were disabled, deleted, or renamed?
>
> Thank you,
> Jonathon Reinhart

--
Denis Cardon
Tranquil IT
12 avenue Jules Verne (Bat. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755
http://www.tranquil.it

Tranquil IT recrute! https://www.tranquil.it/nous-rejoindre/
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
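The procedure the two replies describe (create a personal domain-admin account with the same group memberships first, confirm parity so nobody is locked out, then disable Administrator and rotate it to a random password, never deleting it), as an added example that is not part of this thread or of Samba's own code. It assumes it runs as root on the DC with samba-tool on the PATH; NEW_ADMIN (jdoe-adadm) is a placeholder name taken from Denis's suggestion.

```shell
#!/bin/sh
# Added example (not from the thread): harden the built-in Administrator
# account on a Samba AD DC as the replies recommend. Run as root on the DC.
# NEW_ADMIN is a placeholder; override with NEW_ADMIN=... in the environment.
NEW_ADMIN="${NEW_ADMIN:-jdoe-adadm}"
BUILTIN="Administrator"

# Print the groups listed in $1 that are absent from $2 (one name per line).
# Pure text comparison, so the lock-out check can be exercised offline.
missing_groups() {
    _want=$(printf '%s\n' "$1" | sed '/^$/d' | sort -u)
    _have=$(printf '%s\n' "$2" | sed '/^$/d' | sort -u)
    printf '%s\n' "$_want" | while IFS= read -r g; do
        printf '%s\n' "$_have" | grep -Fxq -- "$g" || printf '%s\n' "$g"
    done
}

apply() {
    # 1. Create the personal admin account; samba-tool prints the generated
    #    password once, so capture it from the terminal at this point.
    samba-tool user create "$NEW_ADMIN" --random-password
    # 2. Mirror Administrator's group memberships onto the new account.
    admin_groups=$(samba-tool user getgroups "$BUILTIN")
    printf '%s\n' "$admin_groups" | while IFS= read -r g; do
        [ -n "$g" ] && samba-tool group addmembers "$g" "$NEW_ADMIN"
    done
    # 3. Refuse to touch Administrator until parity is confirmed
    #    (this is the lock-out mitigation the question asks about).
    gap=$(missing_groups "$admin_groups" "$(samba-tool user getgroups "$NEW_ADMIN")")
    if [ -n "$gap" ]; then
        printf 'Aborting: %s still lacks these groups:\n%s\n' "$NEW_ADMIN" "$gap" >&2
        exit 1
    fi
    # 4. Disable (never delete) and rotate to a random password.
    samba-tool user disable "$BUILTIN"
    samba-tool user setpassword "$BUILTIN" --random-password
    # Recovery, as root on the DC:  samba-tool user enable Administrator
}

# Only change the directory when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    apply
fi
```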