> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Tuesday, 16 February 2021 14:32
> To: samba at lists.samba.org
> Subject: Re: [Samba] Root user shows up as "administrator"
>
> On 16/02/2021 12:52, Björn JACKE via samba wrote:
> > On 2021-02-16 at 09:39 +1300 Andrew Bartlett via samba sent off:
> >> The default idmap.ldb entries give UID 0 (root) to the administrator
> >> user to ensure it can change all files.
> >>
> >> I know some other developers disagree about the wisdom of this, but for
> >> now that is what the code does.
> > yes, there are many people who think that Administrator should not have
> > uidNumber 0 assigned, me too. It can cause issues at several places. What
> > Andrew refers to is discussed in
> > https://bugzilla.samba.org/show_bug.cgi?id=9837
> >
> > Björn
> >
>
> And there are even more that think that making the Windows 'super' user
> into a standard Unix user is a bad idea and could lead to even more
> security problems. If you are having problems with Administrator being
> mapped to the Unix user root, then you are doing something wrong.
>
> I keep looking at your bug report and thinking that I should just close
> it as being 'invalid', but I just ignore it in the end.
>
> It has been common practice to map Administrator to root for years, even
> before the advent of Samba AD and I haven't seen any mention of a
> related security problem.
>
> Rowland
>
Well, now look again.
ADDOM\Administrator != BUILTIN\Administrator
The rest is in the bug report.
Basically it comes to this:
> And there are even more that think that making the Windows 'super'
> user into a standard Unix user is a bad idea
Using BUILTIN\ fixes this in my opinion.
> could lead to even more security problems.
Yes, as any other with sudo or added to Domain Admins or root,
but same here.
Using BUILTIN\ fixes that.
As long as you obey the following:
BUILTIN\Users is mapped to Linux\Users
BUILTIN\Administrator is mapped to LINUX\root
ADDOM\Domain Users is mapped to BUILTIN\Users (Windows default)
ADDOM\Domain Admins is mapped to BUILTIN\Administrator (Windows default)
Now, Domain Admins have selective rights; you assign a GID now, it's
"like" a normal user, as in Windows, but because it's also in
BUILTIN\Administrator
it can perform tasks on Samba/the systems,
but only where Samba allows you to.
That is a bit how I'm set up.
My Windows Administrator is allowed on all shares and all servers
with admin rights, but as a Linux user on the real OS,
Administrator is not allowed anything.
LinuxAdmins != Windows Admins.
I just create 2 logins as admin, 1 is used, the other one's password
is in the locked safe.
And that is how I protect the Linux environment and Windows/Samba environments.
I hope this helps someone,
Greetz,
Louis
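The point argued above is that the domain Administrator account (RID 500) and the BUILTIN\Administrators group (S-1-5-32-544) are different principals, and that the default idmap.ldb hands xid 0 to the former. The following audit script is an added example, not code from the thread or from Samba: it parses the LDIF that `ldbsearch` prints for idmap.ldb (attributes objectSid and xidNumber) and lists every SID that resolves to Unix root, so an admin can see which mapping is actually in place. The sample LDIF and its domain SID are constructed for the example.

```python
import re

# Constructed sample (made-up domain SID): domain Administrator (RID 500)
# mapped to xid 0 as the thread describes the default; BUILTIN\Administrators
# (S-1-5-32-544) and Domain Users (RID 513) mapped to ordinary ids.
SAMPLE_LDIF = """\
dn: CN=S-1-5-21-1111-2222-3333-500
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-500
type: ID_TYPE_BOTH
xidNumber: 0

dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1111-2222-3333-513
objectSid: S-1-5-21-1111-2222-3333-513
type: ID_TYPE_GID
xidNumber: 100
"""

WELL_KNOWN = {"S-1-5-32-544": "BUILTIN\\Administrators",
              "S-1-5-32-545": "BUILTIN\\Users"}
RID_NAMES = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}


def parse_idmap_ldif(text):
    """One (sid, xid) pair per LDIF record that carries objectSid and xidNumber."""
    pairs = []
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(line.split(": ", 1) for line in record.splitlines() if ": " in line)
        if "objectSid" in attrs and "xidNumber" in attrs:
            pairs.append((attrs["objectSid"], int(attrs["xidNumber"])))
    return pairs


def describe_sid(sid):
    """Well-known BUILTIN name, else the name of the domain RID, else the raw SID."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    return RID_NAMES.get(int(sid.rsplit("-", 1)[1]), sid)


def root_mappings(text):
    """Names of every SID the idmap resolves to xid 0, i.e. Unix root."""
    return [describe_sid(sid) for sid, xid in parse_idmap_ldif(text) if xid == 0]
```

Run it against `ldbsearch -H /var/lib/samba/private/idmap.ldb` output on a DC to confirm whether the domain account, the BUILTIN group, or both end up as root.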