Bug 9837 - Administrator on AD DC shouldn't have uid 0
Summary: Administrator on AD DC shouldn't have uid 0
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.2.0
Hardware: All All
: P5 normal (vote)
Target Milestone: 4.3
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-04-30 08:00 UTC by Björn Jacke
Modified: 2020-04-24 00:26 UTC (History)
8 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Björn Jacke 2013-04-30 08:00:07 UTC
the Administrator user on a DC should not have the uid number 0.

if winbind is put in /etc/nsswitch.conf then there are two users with uid number 0: root and DOMAIN\Administrator. Programs will more or less randomly see that root oder user DOMAIN\Administrator is the one with uid 0. The order of files/winbind in nsswitch.conf isn't sufficient to work around this issue. The order which of the two if returned also depends on whether or not nscd is running or not on a Linux system. I trapped into the problem when I wanted to make a ssh login from one DC to another DC and it complained about the ssh config directory of root to be not existing - ssh thought root's ssh diretory would be /home/DOMAIN/Administrator/.ssh - autsch ...
Comment 1 Björn Jacke 2014-02-15 22:33:00 UTC
Andrew, I think this double use of uid 0 is really critical. I changed the Administrator uidNumber in all new setups I've done since I saw the above described issues. I really think we should *by default* assign a "free" and unused uidNumber to the Administrator user and not mess with root's account.
Comment 2 Michael Adam 2015-02-19 11:07:15 UTC
I strongly support this.
The admin should get a uid from the id mapping pool just like any other domain user.
I think using uid 0 (or any other existing UID) creates more problems than it solves.
Comment 3 Björn Jacke 2018-03-09 21:59:22 UTC
the patch to fix these default idmap values was posted here:

https://lists.samba.org/archive/samba-technical/2017-December/124417.html

most devs liked the change but it got a NACK from Andrew for now.
Comment 4 Phillip R. Jaenke 2020-01-25 15:45:58 UTC
Andrew needs to be overridden. He was wrong then, he is wrong now, and it is now worse. This behavior is dangerous, undesirable, and at this point, it now ignores any attempt to set UID and GID manually. Even with Björn's patch.

matterhorn:/# wbinfo --group-info="domain users"
CONTOSO\domain users:x:100:
matterhorn:/# wbinfo --user-info="administrator"
CONTOSO\administrator:*:0:100::/home/CONTOSO/administrator:/bin/bash

<set the GID to 10513 through RSAT>

matterhorn:/# wbinfo --group-info="domain users"
CONTOSO\domain users:x:100:

Samba 4.11.5 is now basically creating a vulnerability through this bug, and creating significant problems for any system intelligent to know that two UID 0's is at minimum an extreme security risk. This behavior is just plain wrong, period.
Comment 5 Louis 2020-01-28 12:27:03 UTC
(In reply to Phillip R. Jaenke from comment #4)

Im only wondering why your "Domain Users" are using the linux system group users, GID 100. 

Thats not normal really..
Comment 6 Timur Bakeyev 2020-04-24 00:26:48 UTC
(In reply to Phillip R. Jaenke from comment #4)

I guess you are right here, but keep in mind that historically at least FreeBSD for ages has:

# $FreeBSD: releng/12.1/etc/master.passwd 337882 2018-08-15 23:18:34Z brd $
#
root:*:0:0:Charlie &:/root:/usr/local/bin/bash
toor:*:0:0:Bourne-again Superuser:/root:/bin/csh

I.e. two users with UID 0 are coming OOTB with any installation. And it never been seen as a security risk.