Web lists-archives.com

Re: [Samba] RFC2307: Recommendations for mapping Administrator account




Hi Rowland,

I provisioned a new domain with "--use-rfc2307" as I want to use the
"ad" idmap backend on my domain members.

unless you have really specific requirements, you should really stick
with RID mapping, it will be easier on the long run.

Yes, but then you are stuck with using the same Unix home directory
paths and login shells for everybody.

Life is a series of trade-offs...

I am thinking of mapping the "Administrator" account to UID 10000
(this is where my UID range for the domain will be starting), as the
account must be known to the domain members (otherwise I got funny
behavior).It seems a lot of people are mapping that account to root
(UID 0) though. Even the Samba Wiki mentions that. Is that such a
good idea?

root on linux would be the equivalent of "Local System" on Windows.
Windows Administrator account is definitly not "Local System", so in
order to follow privileges separation of Windows, I would say it is
better not to map Administrator to root.

'root' is not the equivalent 'SYSTEM'

could you please elaborate? An account that has all privileges on the local system, well, how would you call that?

> and the Samba DC maps 'Administrator' to 'root' by default.

better privilege separation is something that is being looked at.

Cheers,

Denis

Moreover, in more security conscious context, Administrator account
should not be used alltogether, since it does not map to a physical
named person.

If you follow this thinking, then quite a few AD accounts should be
removed.


The best thing is to disable that account altogether, and have named
accounts like dcardon-adm part of "domain admins" for specific tasks
needing "domain admins" rights. But even in this case, except for
joining a new DC (and a few non frequent other things like changing
the schema), you shouldn't need "domain admins" level privileges. You
should just use Delegated rights on the OU you are managing.


By all means create new groups, I use 'Unix Admins' instead of 'Domain
Admins'. This is all down to how the sysadmin wants to work, I
personally wouldn't disable 'Administrator', rename it yes.

Rowland


--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba