Web lists-archives.com

Re: [Samba] RFC2307: Recommendations for mapping Administrator account




On Wed, 7 Feb 2018 21:37:06 +0100
Fred F via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi,
> 
> I provisioned a new domain with "--use-rfc2307" as I want to use the
> "ad" idmap backend on my domain members.
> 
> I am thinking of mapping the "Administrator" account to UID 10000
> (this is where my UID range for the domain will be starting), as the
> account must be known to the domain members (otherwise I got funny
> behavior).It seems a lot of people are mapping that account to root
> (UID 0) though. Even the Samba Wiki mentions that. Is that such a good
> idea?
> 
> I know that mapping the account to uidNumber=0 using RFC2307 AD attrs
> will not work globally, as this is out of the idmap range. I could map
> the account on each member locally using a custom username map, but I
> was wondering if this is even desirable.
> 
> Does it have any implications on the Samba AD DC, if the Administrator
> account has such a custom mapping? From what I understand the UID on
> the DC will still be 0.
> 

If you map Administrator to '10000' then it will become '10000'
everywhere and Administrator will become just another Unix user.

Administrator is mapped to '0' on a DC in idmap.ldb, you can also map
Administrator to '0' on a Unix domain member by creating a user.map and
adding the relevant line to smb.conf

The short answer to your question is, do not map Administrator to
'10000'

Rowland


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba