Bug 9837 - Administrator on AD DC shouldn't have uid 0
Summary: Administrator on AD DC shouldn't have uid 0
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.2.0
Hardware: All All
Importance: P5 normal
Target Milestone: 4.3
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-04-30 08:00 UTC by Björn Jacke
Modified: 2021-02-16 13:40 UTC
CC: 8 users

See Also:


Attachments

Description Björn Jacke 2013-04-30 08:00:07 UTC
the Administrator user on a DC should not have the uid number 0.

If winbind is put in /etc/nsswitch.conf then there are two users with uid number 0: root and DOMAIN\Administrator. Programs will more or less randomly see that root or user DOMAIN\Administrator is the one with uid 0. The order of files/winbind in nsswitch.conf isn't sufficient to work around this issue. Which of the two is returned also depends on whether or not nscd is running on a Linux system. I ran into the problem when I wanted to make an ssh login from one DC to another DC and it complained that the ssh config directory of root did not exist - ssh thought root's ssh directory would be /home/DOMAIN/Administrator/.ssh - ouch ...
Comment 1 Björn Jacke 2014-02-15 22:33:00 UTC
Andrew, I think this double use of uid 0 is really critical. I changed the Administrator uidNumber in all new setups I've done since I saw the above described issues. I really think we should *by default* assign a "free" and unused uidNumber to the Administrator user and not mess with root's account.
Comment 2 Michael Adam 2015-02-19 11:07:15 UTC
I strongly support this.
The admin should get a uid from the id mapping pool just like any other domain user.
I think using uid 0 (or any other existing UID) creates more problems than it solves.
Comment 3 Björn Jacke 2018-03-09 21:59:22 UTC
the patch to fix these default idmap values was posted here:

https://lists.samba.org/archive/samba-technical/2017-December/124417.html

most devs liked the change but it got a NACK from Andrew for now.
Comment 4 Phillip R. Jaenke 2020-01-25 15:45:58 UTC
Andrew needs to be overridden. He was wrong then, he is wrong now, and it is now worse. This behavior is dangerous, undesirable, and at this point, it now ignores any attempt to set UID and GID manually. Even with Björn's patch.

matterhorn:/# wbinfo --group-info="domain users"
CONTOSO\domain users:x:100:
matterhorn:/# wbinfo --user-info="administrator"
CONTOSO\administrator:*:0:100::/home/CONTOSO/administrator:/bin/bash

<set the GID to 10513 through RSAT>

matterhorn:/# wbinfo --group-info="domain users"
CONTOSO\domain users:x:100:

Samba 4.11.5 is now basically creating a vulnerability through this bug, and creating significant problems for any system intelligent enough to know that two UID 0's is at minimum an extreme security risk. This behavior is just plain wrong, period.
Comment 5 Louis 2020-01-28 12:27:03 UTC
(In reply to Phillip R. Jaenke from comment #4)

I'm only wondering why your "Domain Users" are using the Linux system group users, GID 100.

That's not normal, really..
Comment 6 Timur Bakeyev 2020-04-24 00:26:48 UTC
(In reply to Phillip R. Jaenke from comment #4)

I guess you are right here, but keep in mind that historically at least FreeBSD for ages has:

# $FreeBSD: releng/12.1/etc/master.passwd 337882 2018-08-15 23:18:34Z brd $
#
root:*:0:0:Charlie &:/root:/usr/local/bin/bash
toor:*:0:0:Bourne-again Superuser:/root:/bin/csh

I.e. two users with UID 0 come OOTB with any installation. And it has never been seen as a security risk.
Comment 7 Louis 2021-02-16 13:40:23 UTC
I think we should not confuse the settings of these 2 users..

ADDOM\Administrator != BUILTIN\Administrator

2 completely different users with different passwords
(normally, in my case, as if I would set up a Windows AD domain)

And output from my 4.13.4 servers.

On the AD DC.
id Administrator
uid=0(root) gid=0(root) groups=0(root)

id "BUILTIN\Administrator"
id: ‘BUILTIN\\Administrator’: no such user

id "ADDOM\Administrator"
uid=0(root) gid=0(root) groups=0(root)

I would prefer to have "BUILTIN\Administrator" linked to root
And for the members BUILTIN\Administrator mapped to root

And, now you can assign a GID to "ADDOM\Domain Admins"
which results as follows.

On my Member server: 
getent group "ADDOM\Domain Admins"
domain admins:x:10001:administrator,admin

getent group "BAZRTD\Domain Users"
domain users:x:10000:(long list with users)

On my AD-DC server
getent group "ADDOM\Domain Admins"
ADDOM\domain admins:x:10001:

getent group "ADDOM\Domain Users"
BAZRTD\domain users:x:10000:


A dedicated admin on a DC and its output. 
id admin
uid=10000(ADDOM\admin) gid=10000(ADDOM\domain users) groups=10000(ADDOM\domain users),10001(ADDOM\domain admins),3000004(ADDOM\group policy creator owners),3000204(ADDOM\dnsupdateproxy),3000314(ADDOM\XXX-YYYY-admins),3000005(ADDOM\denied rodc password replication group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)


and on a Member: 
id admin
uid=10000(admin) gid=10000(domain users) groups=10000(domain users),10001(domain admins),2001(BUILTIN\users),2000(BUILTIN\administrators)

"ADDOM\Domain Admins" is already mapped to BUILTIN\Administrators 
"ADDOM\Domain Users" is already mapped to BUILTIN\Users
 
and 
BUILTIN\Administrators can be GID (root)
BUILTIN\Users can be GID (users)



And a guest user.. on AD-DC 
id guest
uid=3000011(ADDOM\guest) gid=10000(ADDOM\domain users) groups=10000(ADDOM\domain users),3000011(ADDOM\guest),10002(ADDOM\domain guests),3000015(BUILTIN\guests),3000009(BUILTIN\users)

on a member : 
id guest
id: ‘guest’: no such user

Just sharing my thoughts on this, but I always wondered why Samba isn't using BUILTIN\ to its max.
I also think it makes things simpler, so why not use it..
I don't know the code; above is how my servers are set up and are running.

For the last 5-6 years now.