
Re: [Samba] RFC2307: Recommendations for mapping Administrator account

Hi Frederik,

I provisioned a new domain with "--use-rfc2307" as I want to use the
"ad" idmap backend on my domain members.

Unless you have really specific requirements, you should really stick with RID mapping; it will be easier in the long run.

I am thinking of mapping the "Administrator" account to UID 10000
(this is where my UID range for the domain will be starting), as the
account must be known to the domain members (otherwise I got funny
behavior). It seems a lot of people are mapping that account to root
(UID 0) though. Even the Samba Wiki mentions that. Is that such a good
idea?

root on Linux would be the equivalent of "Local System" on Windows. The Windows Administrator account is definitely not "Local System", so in order to follow the privilege separation of Windows, I would say it is better not to map Administrator to root.

Moreover, in a more security-conscious context, the Administrator account should not be used altogether, since it does not map to a physical named person.

The best thing is to disable that account altogether, and have named accounts like dcardon-adm that are members of "domain admins" for specific tasks needing "domain admins" rights. But even in this case, except for joining a new DC (and a few other infrequent things like changing the schema), you shouldn't need "domain admins" level privileges. You should just use delegated rights on the OU you are managing.

Cheers,

Denis

I know that mapping the account to uidNumber=0 using RFC2307 AD attrs
will not work globally, as this is out of the idmap range. I could map
the account on each member locally using a custom username map, but I
was wondering if this is even desirable.

Does it have any implications on the Samba AD DC, if the Administrator
account has such a custom mapping? From what I understand the UID on
the DC will still be 0.

Thanks,
Frederik


--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
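As an added illustration of the advice in this reply (not a configuration from the thread or from Samba itself), below is a domain-member smb.conf that uses the RID backend with Frederik's range starting at UID 10000 and deliberately leaves out the root mapping for Administrator. The realm, NetBIOS domain name and ranges are assumed placeholders.

```ini
# /etc/samba/smb.conf on a domain member (added example, not from the thread).
# Assumed placeholders: realm SAMDOM.EXAMPLE.COM, NetBIOS domain SAMDOM.
[global]
    security = ADS
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM

    # Default backend for BUILTIN and any other non-domain SIDs; this range
    # must not overlap the domain range below.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # RID backend for the domain: the UNIX ID is computed as
    # LOW_RANGE_ID + RID (base_rid defaults to 0), so every member derives
    # the same ID with no uidNumber/gidNumber attributes to maintain in AD.
    # The domain Administrator (RID 500) therefore becomes UID 10500, not 0.
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999

    # Deliberately NOT set: the wiki-style "username map" that would turn
    # the domain Administrator into local root, i.e. a map file containing
    #     !root = SAMDOM\Administrator
    # Omitting it keeps the Windows Administrator distinct from UNIX root,
    # which is the privilege separation this reply recommends.
```

With this in place, "wbinfo --name-to-sid Administrator" followed by "wbinfo --sid-to-uid <SID>" on the member should return 10500, confirming the account resolves inside the range rather than to root.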
