Rowland Penny
2024-Oct-09 18:41 UTC
[Samba] Question regarding 'username map' & 'min domain uid'
On Wed, 09 Oct 2024 17:36:34 +0000 bd730c5053df9efb via samba <samba at lists.samba.org> wrote:

> Hi all!
>
> I was following a recent thread here and read Rowland Penny's answer
> (https://lists.samba.org/archive/samba/2024-October/249858.html)
> stating
>
> [...]I have stopped using 'username map' & 'min domain uid' because,
> as you have now found out, you do not need them, just use (As
> Windows advises) a member of Domain Admins.[...]
>
> Since I have followed the samba wiki for most of my installs (E.g.
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Mapping_the_Domain_Administrator_Account_to_the_Local_root_User)
> I've been using this exact method.
>
> So my question is, how has this changed? What is the recommended way
> of doing it now?

Mapping Administrator to root was done on Samba AD DCs from the very start of Samba 4 and it was also recommended to map Administrator on a Unix domain member, this may never have been needed.

However, a CVE CVE-2020-25717 was fixed at 4.15.3 and to get the old behaviour, you also had to add 'min domain uid = 0' to smb.conf on the Unix domain member. This fact finally percolated into my brain and I then tested if Administrator was required, my testing proved to myself that the Administrator mapping was not required, I just had to use a member of Domain Admins. Was this because of the CVE, or was the mapping never required? I do not know, I just know that, in my opinion, the mapping is not required now, YMMV.

I have added a note to the wikipage.

Rowland
Kees van Vloten
2024-Oct-09 19:01 UTC
[Samba] Question regarding 'username map' & 'min domain uid'
On 09-10-2024 20:41, Rowland Penny via samba wrote:

> On Wed, 09 Oct 2024 17:36:34 +0000
> bd730c5053df9efb via samba <samba at lists.samba.org> wrote:
>
>> Hi all!
>>
>> I was following a recent thread here and read Rowland Penny's answer
>> (https://lists.samba.org/archive/samba/2024-October/249858.html)
>> stating
>>
>> [...]I have stopped using 'username map' & 'min domain uid' because,
>> as you have now found out, you do not need them, just use (As
>> Windows advises) a member of Domain Admins.[...]
>>
>> Since I have followed the samba wiki for most of my installs (E.g.
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Mapping_the_Domain_Administrator_Account_to_the_Local_root_User)
>> I've been using this exact method.
>>
>> So my question is, how has this changed? What is the recommended way
>> of doing it now?
>
> Mapping Administrator to root was done on Samba AD DCs from the very
> start of Samba 4 and it was also recommended to map Administrator on a
> Unix domain member, this may never have been needed.
>
> However, a CVE CVE-2020-25717 was fixed at 4.15.3 and to get the old
> behaviour, you also had to add 'min domain uid = 0' to smb.conf on the
> Unix domain member. This fact finally percolated into my brain and I
> then tested if Administrator was required, my testing proved to myself
> that the Administrator mapping was not required, I just had to use a
> member of Domain Admins. Was this because of the CVE, or was the
> mapping never required? I do not know, I just know that, in my
> opinion, the mapping is not required now, YMMV.
>
> I have added a note to the wikipage.
>
> Rowland

Do you consider this: https://lists.samba.org/archive/samba/2022-March/239861.html (Ticket expires after 10h) as a solved issue in recent versions of Samba?

Your advice back then was to add:

    username map = /etc/samba/user.map
    min domain uid = 0

The user.map contains:

    !root = SAMDOM\Administrator

I am still using these settings on all domain-members.

- Kees.
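
An audit of the two settings quoted in the message above, as an added example that is not part of the thread or of Samba itself. It reads the [global] section of an smb.conf and a username map file and reports whether 'min domain uid' has been lowered and which client names map to root; the sample file contents are constructed from the values in the thread, and the function names are hypothetical.

```python
import shlex

# Constructed sample inputs, using the settings quoted in the thread.
SMB_CONF = """\
[global]
    workgroup = SAMDOM
    security = ADS
    username map = /etc/samba/user.map
    min domain uid = 0
[share]
    path = /srv/share
"""
USER_MAP = """\
# unix_name = client_name ...
!root = SAMDOM\\Administrator
"""

def global_params(text):
    """Return [global] parameters; Samba ignores case and spaces in names."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip()
    return params

def root_mappings(map_text):
    """Return the client names that a username map file maps to root."""
    names = []
    for raw in map_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix, clients = line.split("=", 1)
        if unix.strip().lstrip("!").strip() == "root":
            # posix=False keeps backslashes and groups "quoted names"
            names += [c.strip('"') for c in shlex.split(clients, posix=False)]
    return names

def audit(conf_text, map_text):
    p = global_params(conf_text)
    return {
        "username_map": p.get("usernamemap"),
        # When unset, smb.conf defaults 'min domain uid' to 1000.
        "min_domain_uid": int(p.get("mindomainuid", "1000")),
        "mapped_to_root": root_mappings(map_text),
    }
```

On a domain member, pass the contents of the real smb.conf and of the file named by 'username map' to `audit()`; a `min_domain_uid` of 0 together with a non-empty `mapped_to_root` is the configuration discussed in this thread.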
bd730c5053df9efb
2024-Oct-10 18:46 UTC
[Samba] Question regarding 'username map' & 'min domain uid'
On Wednesday, October 9th, 2024 at 15:41, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 09 Oct 2024 17:36:34 +0000
> bd730c5053df9efb via samba samba at lists.samba.org wrote:
>
> > Hi all!
> >
> > I was following a recent thread here and read Rowland Penny's answer
> > (https://lists.samba.org/archive/samba/2024-October/249858.html)
> > stating
> >
> > [...]I have stopped using 'username map' & 'min domain uid' because,
> > as you have now found out, you do not need them, just use (As
> > Windows advises) a member of Domain Admins.[...]
> >
> > Since I have followed the samba wiki for most of my installs (E.g.
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Mapping_the_Domain_Administrator_Account_to_the_Local_root_User)
> > I've been using this exact method.
> >
> > So my question is, how has this changed? What is the recommended way
> > of doing it now?
>
> Mapping Administrator to root was done on Samba AD DCs from the very
> start of Samba 4 and it was also recommended to map Administrator on a
> Unix domain member, this may never have been needed.
>
> However, a CVE CVE-2020-25717 was fixed at 4.15.3 and to get the old
> behaviour, you also had to add 'min domain uid = 0' to smb.conf on the
> Unix domain member. This fact finally percolated into my brain and I
> then tested if Administrator was required, my testing proved to myself
> that the Administrator mapping was not required, I just had to use a
> member of Domain Admins. Was this because of the CVE, or was the
> mapping never required? I do not know, I just know that, in my
> opinion, the mapping is not required now, YMMV.
>
> I have added a note to the wikipage.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

Hi Rowland!

Thank you for your reply but wouldn't operations like the one described in https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Setting_Share_Permissions_and_ACLs fail if the uid of the user that is performing said operations does not map to uid = 0?

Thanks!

Best regards,
Dave.