The Administrator user on a DC should not have the uid number 0. If winbind is put in /etc/nsswitch.conf then there are two users with uid number 0: root and DOMAIN\Administrator. Programs will more or less randomly see that root or user DOMAIN\Administrator is the one with uid 0. The order of files/winbind in nsswitch.conf isn't sufficient to work around this issue. Which of the two is returned also depends on whether or not nscd is running on a Linux system. I ran into the problem when I wanted to make a ssh login from one DC to another DC and it complained that root's ssh config directory did not exist - ssh thought root's ssh directory would be /home/DOMAIN/Administrator/.ssh - ouch ...
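A quick check for the collision described above, added here as an example (it is not from the bug report or from Samba): it parses passwd-format entries as returned by `getent passwd`, reports every UID that resolves to more than one name, and flags UID 0 as critical. The sample entries are constructed; on a real host it reads the live NSS view if `getent` is available.

```python
import subprocess
from collections import defaultdict

# Constructed sample in passwd(5) format, mimicking what getent passwd can
# return when winbind is listed in nsswitch.conf on a Samba DC whose
# Administrator account carries uidNumber 0.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
DOMAIN\\Administrator:*:0:100::/home/DOMAIN/Administrator:/bin/bash
DOMAIN\\alice:*:10000:10000::/home/DOMAIN/alice:/bin/bash
"""

def parse_passwd(text):
    """Yield (name, uid, home) for each well-formed passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # skip blank, comment or malformed lines
        yield fields[0], int(fields[2]), fields[5]

def uid_collisions(text):
    """Return {uid: [names...]} for every UID shared by more than one name."""
    by_uid = defaultdict(list)
    for name, uid, _home in parse_passwd(text):
        by_uid[uid].append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}

def report(text):
    """Return findings as strings; an empty list means no shared UIDs."""
    findings = []
    for uid, names in sorted(uid_collisions(text).items()):
        # Two names on uid 0 means getpwuid(0) may return either of them,
        # which is exactly the root/.ssh mix-up described in the report.
        severity = "CRITICAL" if uid == 0 else "WARNING"
        findings.append(f"{severity}: uid {uid} is shared by {', '.join(names)}")
    return findings

def live_passwd():
    """Read the NSS view of the passwd database; None if getent is unavailable."""
    try:
        return subprocess.run(["getent", "passwd"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None

if __name__ == "__main__":
    data = live_passwd() or SAMPLE_PASSWD
    for line in report(data) or ["OK: no shared UIDs"]:
        print(line)
```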
Andrew, I think this double use of uid 0 is really critical. I changed the Administrator uidNumber in all new setups I've done since I saw the above-described issues. I really think we should *by default* assign a "free" and unused uidNumber to the Administrator user and not mess with root's account.
I strongly support this. The admin should get a uid from the id mapping pool just like any other domain user. I think using uid 0 (or any other existing UID) creates more problems than it solves.
The patch to fix these default idmap values was posted here: https://lists.samba.org/archive/samba-technical/2017-December/124417.html Most devs liked the change but it got a NACK from Andrew for now.
Andrew needs to be overridden. He was wrong then, he is wrong now, and it is now worse. This behavior is dangerous, undesirable, and at this point, it now ignores any attempt to set UID and GID manually. Even with Björn's patch.

matterhorn:/# wbinfo --group-info="domain users"
CONTOSO\domain users:x:100:
matterhorn:/# wbinfo --user-info="administrator"
CONTOSO\administrator:*:0:100::/home/CONTOSO/administrator:/bin/bash

<set the GID to 10513 through RSAT>

matterhorn:/# wbinfo --group-info="domain users"
CONTOSO\domain users:x:100:

Samba 4.11.5 is now basically creating a vulnerability through this bug, and creating significant problems for any system intelligent enough to know that two UID 0's is at minimum an extreme security risk. This behavior is just plain wrong, period.
(In reply to Phillip R. Jaenke from comment #4) I'm only wondering why your "Domain Users" are using the Linux system group users, GID 100. That's not normal really..
(In reply to Phillip R. Jaenke from comment #4) I guess you are right here, but keep in mind that historically at least FreeBSD for ages has:

# $FreeBSD: releng/12.1/etc/master.passwd 337882 2018-08-15 23:18:34Z brd $
#
root:*:0:0:Charlie &:/root:/usr/local/bin/bash
toor:*:0:0:Bourne-again Superuser:/root:/bin/csh

I.e. two users with UID 0 are coming OOTB with any installation. And it has never been seen as a security risk.
I think we should not confuse settings with these 2 users..
ADDOM\Administrator != BUILTIN\Administrator
2 completely different users with different passwords (normally in my case then if I would set up a Windows AD domain)

And outputs of my 4.13.4 servers.

On the AD DC:
id Administrator
uid=0(root) gid=0(root) groups=0(root)
id "BUILTIN\Administrator"
id: ‘BUILTIN\\Administrator’: no such user
id "ADDOM\Administrator"
uid=0(root) gid=0(root) groups=0(root)

I would prefer to have "BUILTIN\Administrator" linked to root
And for the members BUILTIN\Administrator mapped to root
And, now you can assign a GID to "ADDOM\Domain Admins" which results as follows.

On my member server:
getent group "ADDOM\Domain Admins"
domain admins:x:10001:administrator,admin
getent group "BAZRTD\Domain Users"
domain users:x:10000:(long list with users)

On my AD-DC server:
getent group "ADDOM\Domain Admins"
ADDOM\domain admins:x:10001:
getent group "ADDOM\Domain Users"
BAZRTD\domain users:x:10000:

A dedicated admin on a DC and its output.
id admin
uid=10000(ADDOM\admin) gid=10000(ADDOM\domain users) groups=10000(ADDOM\domain users),10001(ADDOM\domain admins),3000004(ADDOM\group policy creator owners),3000204(ADDOM\dnsupdateproxy),3000314(ADDOM\XXX-YYYY-admins),3000005(ADDOM\denied rodc password replication group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)

and on a member:
id admin
uid=10000(admin) gid=10000(domain users) groups=10000(domain users),10001(domain admins),2001(BUILTIN\users),2000(BUILTIN\administrators)

"ADDOM\Domain Admins" is already mapped to BUILTIN\Administrators
"ADDOM\Domain Users" is already mapped to BUILTIN\Users
and BUILTIN\Administrators can be GID (root)
BUILTIN\Users can be GID (users)

And a guest user..
on AD-DC:
id guest
uid=3000011(ADDOM\guest) gid=10000(ADDOM\domain users) groups=10000(ADDOM\domain users),3000011(ADDOM\guest),10002(ADDOM\domain guests),3000015(BUILTIN\guests),3000009(BUILTIN\users)

on a member:
id guest
id: ‘guest’: no such user

Just sharing my thoughts on this, but I always wondered why Samba isn't using BUILTIN\ to its max. I also think it makes things more simple, so why not use it.. I don't know the code; above is how my servers are set up and have been running for the last 5-6 years now.