> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Tuesday 16 February 2021 14:32
> To: samba at lists.samba.org
> Subject: Re: [Samba] Root user shows up as "administrator"
>
> On 16/02/2021 12:52, Björn JACKE via samba wrote:
> > On 2021-02-16 at 09:39 +1300 Andrew Bartlett via samba sent off:
> >> The default idmap.ldb entries give UID 0 (root) to the administrator
> >> user to ensure it can change all files.
> >>
> >> I know some other developers disagree about the wisdom of this, but for
> >> now that is what the code does.
> > yes, there are many people who think that Administrator should not have
> > uidNumber 0 assigned, me too. It can cause issues at several places. What
> > Andrew refers to is discussed in
> > https://bugzilla.samba.org/show_bug.cgi?id=9837
> >
> > Björn
> >
>
> And there are even more that think that making the Windows 'super' user
> into a standard Unix user is a bad idea and could lead to even more
> security problems. If you are having problems with Administrator being
> mapped to the Unix user root, then you are doing something wrong.
>
> I keep looking at your bug report and thinking that I should just close
> it as being 'invalid', but I just ignore it in the end.
>
> It has been common practice to map Administrator to root for years, even
> before the advent of Samba AD and I haven't seen any mention of a
> related security problem.
>
> Rowland

Well, now look again.

ADDOM\Administrator != BUILTIN\Administrator
The rest is in the bug report.

Basically it comes to ..

> And there are even more that think that making the Windows 'super' user
> into a standard Unix user is a bad idea

Using BUILTIN\ fixes this in my opinion.

> could lead to even more security problems.

Yes, as any other with sudo or added to Domain Admins or root, but same here. Using BUILTIN\ fixes that.
As long as you obey the following:

BUILTIN\Users is mapped to Linux\Users
BUILTIN\Administrator is mapped to LINUX\root
ADDOM\Domain Users is mapped to BUILTIN\Users ( windows default )
ADDOM\Domain Admins is mapped to BUILTIN\Administrator ( windows default )

Now, Domain Admins have selective rights, you assign a GID now, it's "like" a normal user, as in Windows, but because it's also in BUILTIN\Administrator it can perform tasks on samba/the systems, but only where samba allows you to.

That is a bit how I'm set up. My Windows Administrator is allowed on all shares and all servers with admin rights, but as a Linux user on the real OS, Administrator is not allowed anything. LinuxAdmins != Windows Admins.

I just create 2 logins as admin, 1 is used, the other one's password is in the locked safe. And that is how I protect the Linux environment and the Windows/Samba environments.

I hope this helps someone,

Greetz,

Louis
On 16/02/2021 13:52, L.P.H. van Belle via samba wrote:
> Well, now look again.
>
> ADDOM\Administrator != BUILTIN\Administrator
> The rest is in the bug report.

The problem with that is, there doesn't seem to be a BUILTIN\Administrator

root at dc4:~# wbinfo -n BUILTIN\\Administrator
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name BUILTIN\Administrator

There is BUILTIN\Administrators

root at dc4:~# wbinfo -n BUILTIN\\Administrators
S-1-5-32-544 SID_ALIAS (4)

And a Domain Administrator

root at dc4:~# wbinfo -n Administrator
S-1-5-21-1768301897-3342589593-1064908849-500 SID_USER (1)

If I use 'S-1-5-32' and the Administrator RID, I still cannot find BUILTIN\\Administrator

root at dc4:~# wbinfo -s S-1-5-32-500
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-32-500

If I also look in idmap.ldb, I find this:

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
cn: S-1-5-21-1768301897-3342589593-1064908849-500
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-500

>
> Basically it comes to ..
>> And there are even more that think that making the Windows 'super' user
>> into a standard Unix user is a bad idea
> Using BUILTIN\ fixes this in my opinion.
>

Yes, but where are you getting 'BUILTIN\Administrator' from ??

Rowland
> The problem with that is, there doesn't seem to be a BUILTIN\Administrator

Correct, that's exactly my point. Oh, and now I see I wrote it wrong..

> root at dc4:~# wbinfo -n BUILTIN\\Administrator
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup name BUILTIN\Administrator

I would have expected to see S-1-5-21-<machine>-500
And in my opinion, this should be the one we should map.

What I mean with "builtin\Administrator":

The built-in domain, it contains groups that define roles on a local machine.
S-1-5-21-<machine>-500: by default, it is the only user account that is given full control over the system.

So this is the user we should map to root.

In addition:

BUILTIN_ADMINISTRATORS S-1-5-32-544
The built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Administrators group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Administrators group also is added to the Administrators group.
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab

And I see I "misused" BUILTIN\Administrator here.. sorry.

Just, how I see it is..

S-1-5-21-<machine>-500 should be mapped to User root.
BUILTIN_ADMINISTRATORS should be mapped to Group root
BUILTIN_USERS should be mapped to Group users
BUILTIN_GUESTS should be mapped to Group nobody

And resulting in: now it's always ok, even if you are without the domain, if the server isn't AD or domain joined, and after it's joined, the domain groups are members of the above builtin groups.

Just my view on it.

Greetz,

Louis
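The thread turns on which SIDs a DC's idmap.ldb maps to Unix ID 0: Rowland's dump shows the domain Administrator (RID 500) with xidNumber 0, and Louis proposes that only that SID should map to the root user, with the BUILTIN aliases (S-1-5-32-544/545/546) mapped to groups. The script below is an added example, not code from the thread, from Samba or from either poster. It takes the LDIF text that `ldbsearch -H /var/lib/samba/private/idmap.ldb` prints (that path is an assumption; it differs per distribution), names the well-known SIDs using the MS-DTYP values cited by Louis, and lists every sidMap record that maps to Unix ID 0 so an admin can audit what is actually mapped to root. The embedded sample is constructed: the Administrator record is the one Rowland posted, the BUILTIN\Administrators record with xidNumber 3000000 is made up.

```python
"""Audit a Samba idmap.ldb LDIF dump for SIDs mapped to Unix ID 0.

Added example, not part of the Samba mailing-list thread above.
Input is the output of `ldbsearch -H <path>/idmap.ldb` (path assumed).
"""
import re

# Well-known aliases in the BUILTIN domain, S-1-5-32-<rid> (MS-DTYP 2.4.2.4).
BUILTIN_ALIASES = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
}

# Well-known RIDs that exist in every domain SID, S-1-5-21-<domain>-<rid>.
DOMAIN_RIDS = {500: "Administrator", 501: "Guest",
               512: "Domain Admins", 513: "Domain Users"}

DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def describe_sid(sid):
    """Return a readable name for well-known SIDs, otherwise the SID itself."""
    if sid in BUILTIN_ALIASES:
        return BUILTIN_ALIASES[sid]
    m = DOMAIN_SID_RE.match(sid)
    if m and int(m.group(1)) in DOMAIN_RIDS:
        return "DOMAIN\\" + DOMAIN_RIDS[int(m.group(1))]
    return sid


def parse_ldif(text):
    """Split LDIF into records (attr -> value dicts); a blank line ends a record.

    sidMap entries only use single-valued, plain attributes, so base64
    ("attr::") values and continuation lines are not handled here.
    """
    records, current = [], {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:                  # record separator
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):      # ldbsearch comments, e.g. "# record 1"
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def audit_idmap(text):
    """Return (sid, name, id_type) for every sidMap record with xidNumber 0."""
    hits = []
    for rec in parse_ldif(text):
        if rec.get("objectClass") != "sidMap":
            continue
        if rec.get("xidNumber") == "0":
            sid = rec["objectSid"]
            hits.append((sid, describe_sid(sid), rec.get("type", "?")))
    return hits


# Constructed sample: first record is the one posted in the thread,
# the second (BUILTIN\Administrators -> 3000000) is made up for illustration.
SAMPLE_IDMAP = """\
# record 1
dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
cn: S-1-5-21-1768301897-3342589593-1064908849-500
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-500

# record 2
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544
"""

if __name__ == "__main__":
    for sid, name, id_type in audit_idmap(SAMPLE_IDMAP):
        print(f"{sid} ({name}) maps to Unix ID 0 as {id_type}")
```

Run against a real dump (`ldbsearch -H /var/lib/samba/private/idmap.ldb | python3 audit.py`, with the sample replaced by `sys.stdin.read()`), anything other than the domain RID 500 user showing up with xidNumber 0 is worth a second look; `type` tells you whether the mapping is a UID, a GID or both.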