bd730c5053df9efb
2024-Oct-10 18:46 UTC
[Samba] Question regarding 'username map' & 'min domain uid'
On Wednesday, October 9th, 2024 at 15:41, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 09 Oct 2024 17:36:34 +0000
> bd730c5053df9efb via samba samba at lists.samba.org wrote:
>
> > Hi all!
> >
> > I was following a recent thread here and read Rowland Penny's answer
> > (https://lists.samba.org/archive/samba/2024-October/249858.html)
> > stating
> >
> > [...]I have stopped using 'username map' & 'min domain uid' because,
> > as you have now found out, you do not need them, just use (As
> > Windows advises) a member of Domain Admins.[...]
> >
> > Since I have followed the samba wiki for most of my installs (E.g.
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Mapping_the_Domain_Administrator_Account_to_the_Local_root_User)
> > I've been using this exact method.
> >
> > So my question is, how has this changed? What is the recommended way
> > of doing it now?
>
> Mapping Administrator to root was done on Samba AD DCs from the very
> start of Samba 4 and it was also recommended to map Administrator on a
> Unix domain member, this may never have been needed.
>
> However, a CVE CVE-2020-25717 was fixed at 4.15.3 and to get the old
> behaviour, you also had to add 'min domain uid = 0' to smb.conf on the
> Unix domain member. This fact finally percolated into my brain and I
> then tested if Administrator was required, my testing proved to myself
> that the Administrator mapping was not required, I just had to use a
> member of Domain Admins. Was this because of the CVE, or was the
> mapping never required? I do not know, I just know that, in my
> opinion, the mapping is not required now, YMMV.
>
> I have added a note to the wikipage.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

Hi Rowland!

Thank you for your reply, but wouldn't operations like the one described in https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Setting_Share_Permissions_and_ACLs fail if the uid of the user that is performing said operations does not map to uid = 0?

Thanks!

Best regards,
Dave.
Rowland Penny
2024-Oct-10 19:14 UTC
[Samba] Question regarding 'username map' & 'min domain uid'
On Thu, 10 Oct 2024 18:46:04 +0000 bd730c5053df9efb <bd730c5053df9efb at proton.me> wrote:

> Hi Rowland!
>
> Thank you for your reply but wouldn't operations like the one
> described in
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Setting_Share_Permissions_and_ACLs
> fail if the uid of the user that is performing said operations does
> not map to uid = 0?

No, but you have to set Domain Admins as the group on the share's directory, give Domain Admins the SeDiskOperatorPrivilege privilege and you should be able to set/change permissions from Windows.

Rowland
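The two halves of the advice in this thread as an added shell example (not code from the thread or from the Samba project): an audit that flags the legacy 'username map' / 'min domain uid' settings still present in an smb.conf, and the alternative setup Rowland describes, with Domain Admins as group owner of the share directory and holding SeDiskOperatorPrivilege. The NetBIOS domain SAMDOM, the share path /srv/samba/Demo and the smb.conf path are assumed names.

```shell
#!/bin/sh
# Added example, not code from the thread or the Samba project. Assumed
# names: NetBIOS domain SAMDOM, share path /srv/samba/Demo, /etc/samba/smb.conf.

# Report active 'username map' / 'min domain uid' lines in an smb.conf.
# Returns 0 when at least one is present, 1 otherwise.
audit_smbconf() {
    conf="$1"
    found=1
    # Parameter names are case-insensitive; commented-out lines are skipped.
    for param in 'username[[:space:]]+map' 'min[[:space:]]+domain[[:space:]]+uid'; do
        if grep -Eiq "^[[:space:]]*${param}[[:space:]]*=" "$conf"; then
            grep -Ei "^[[:space:]]*${param}[[:space:]]*=" "$conf" |
                sed "s|^|legacy setting in $conf: |"
            found=0
        fi
    done
    return "$found"
}

# Run a command, or only print it when DRY_RUN=1 so the steps can be reviewed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Prepare a share directory so members of Domain Admins can set ACLs from
# Windows without mapping Administrator to root. Args: share path, domain.
prepare_share() {
    share="$1"; dom="$2"
    run mkdir -p "$share"
    # Group-own the directory by Domain Admins (winbind name form DOMAIN\group).
    run chown "root:${dom}\\domain admins" "$share"
    run chmod 0770 "$share"
    # Grant the privilege needed to manage share permissions on this member.
    run net rpc rights grant "${dom}\\Domain Admins" SeDiskOperatorPrivilege \
        -U "${dom}\\administrator"
}

# Uncomment to run for real on the domain member:
# audit_smbconf /etc/samba/smb.conf; prepare_share /srv/samba/Demo SAMDOM
```

Run with `DRY_RUN=1` first to see the exact commands before they touch the member server.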