bd730c5053df9efb
2024-Oct-09 17:36 UTC
[Samba] Question regarding 'username map' & 'min domain uid'
Hi all!

I was following a recent thread here and read Rowland Penny's answer (https://lists.samba.org/archive/samba/2024-October/249858.html) stating:

[...] I have stopped using 'username map' & 'min domain uid' because, as you have now found out, you do not need them, just use (as Windows advises) a member of Domain Admins. [...]

Since I have followed the Samba wiki for most of my installs (e.g. https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Mapping_the_Domain_Administrator_Account_to_the_Local_root_User) I've been using this exact method.

So my question is, how has this changed? What is the recommended way of doing it now?

Thanks in advance!

Best regards,
Dave.
Rowland Penny
2024-Oct-09 18:41 UTC
[Samba] Question regarding 'username map' & 'min domain uid'
On Wed, 09 Oct 2024 17:36:34 +0000 bd730c5053df9efb via samba <samba at lists.samba.org> wrote:

> Hi all!
>
> I was following a recent thread here and read Rowland Penny's answer
> (https://lists.samba.org/archive/samba/2024-October/249858.html)
> stating
>
> [...] I have stopped using 'username map' & 'min domain uid' because,
> as you have now found out, you do not need them, just use (as
> Windows advises) a member of Domain Admins. [...]
>
> Since I have followed the Samba wiki for most of my installs (e.g.
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Mapping_the_Domain_Administrator_Account_to_the_Local_root_User)
> I've been using this exact method.
>
> So my question is, how has this changed? What is the recommended way
> of doing it now?

Mapping Administrator to root was done on Samba AD DCs from the very start of Samba 4, and it was also recommended to map Administrator on a Unix domain member; this may never have been needed.

However, a CVE, CVE-2020-25717, was fixed at 4.15.3, and to get the old behaviour you also had to add 'min domain uid = 0' to smb.conf on the Unix domain member. This fact finally percolated into my brain and I then tested whether Administrator was required. My testing proved to myself that the Administrator mapping was not required; I just had to use a member of Domain Admins.

Was this because of the CVE, or was the mapping never required? I do not know. I just know that, in my opinion, the mapping is not required now, YMMV.

I have added a note to the wiki page.

Rowland
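For readers comparing the two approaches discussed in this thread, here are the relevant smb.conf fragments side by side. This is an added illustration, not configuration from the thread, the Samba wiki or the Samba project; the workgroup, realm and map-file path are assumed placeholders, while `username map`, `min domain uid` and the `!root = DOMAIN\Administrator` map-file syntax are standard smb.conf usage. The security-relevant point is in the comments: `min domain uid = 0` lowers the floor that the CVE-2020-25717 fix put on which UIDs a domain account may be mapped to, so dropping the mapping altogether (as Rowland describes) also means that setting can stay at its default.

```ini
# ---------------------------------------------------------------
# File A: the older wiki-style domain member (what the OP followed)
# Assumed placeholders: SAMDOM, samdom.example.com, /etc/samba/user.map
# ---------------------------------------------------------------
[global]
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   security = ADS
   # Maps the domain Administrator account onto the local root user.
   username map = /etc/samba/user.map
   # Required after the CVE-2020-25717 fix for the map above to keep
   # working: it allows a domain account to land on a UID below the
   # default floor of 1000, i.e. on root. Setting it to 0 re-enables
   # exactly the low-UID mapping the fix restricted, for every mapped
   # domain account, not only Administrator.
   min domain uid = 0

# Contents of the assumed /etc/samba/user.map (one line):
#   !root = SAMDOM\Administrator

# ---------------------------------------------------------------
# File B: the approach Rowland describes (no Administrator mapping)
# ---------------------------------------------------------------
[global]
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   security = ADS
   # No 'username map' and no 'min domain uid' line: the default floor
   # (1000) stays in force, so no domain account can map to root.
   # Share administration is done as a member of Domain Admins instead.
```

To confirm which state a running member is in, `testparm -s` prints the effective values of both parameters; a member on File B shows no `username map` and `min domain uid = 1000` (the compiled-in default), whereas File A reports the map path and `min domain uid = 0`.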