Bug #11854
Domain Admins shouldn't always be Administrators
Status: Closed (100% done)

Description:
netr_isadmin() searches the user's list of GroupIDs for the Domain Admins group's well-known RID, and if it's discovered, it marks the user as a member of the Administrators group, giving it the privileges of that group. However, Domain Admins is not a member of the Administrators group in all deployments, and some customers prefer for a particular system's Administrators to be a different or smaller group. They should be able to do that by removing Domain Admins from the local Administrators group and adding their preferred group, but the check in netr_isadmin makes that ineffective; instead, they have to remove privileges from that local group, add a new local group with the same permissions, and add their preferred group to that one.
Steps to Reproduce:
1. Join an SMB server to a domain.
2. Remove "Domain Admins" from the local Administrators group (smbadm remove-member -m "Domain Admins@<domain>" Administrators).
3. Connect to a share as a member of the Domain Admins group.
4. Perform administrative tasks on the share (e.g. taking ownership of files you do not own or have permissions on).
Expected Results:
Cannot perform administrative tasks.
Actual Results:
Can perform administrative tasks.
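The membership logic the report describes, as an added example that is not illumos code and not the fix from the linked PR: a model of the RID shortcut beside a check that honours only the local Administrators member list. All type and function names (sid_t, token_t, is_admin_rid_shortcut, is_admin_local_only), the EXAMPLE domain and the Storage Admins group are hypothetical, and the sample tokens are constructed from the reproduction steps above.

```c
/*
 * Added example (not illumos code): a model of the check described in
 * this bug.  Names are hypothetical; the data below is constructed to
 * match the reproduction steps (Domain Admins removed from the local
 * Administrators group, a preferred group added in its place).
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DOMAIN_ADMINS_RID 512U	/* well-known RID of "Domain Admins" */

/* A SID, modelled as the issuing domain plus the relative identifier. */
typedef struct {
	const char *domain;
	unsigned int rid;
} sid_t;

/* A user's access token: its own SID plus the domain groups it belongs to. */
typedef struct {
	sid_t user;
	const sid_t *groups;
	size_t ngroups;
} token_t;

/* Member list of the local Administrators group (what smbadm edits). */
typedef struct {
	const sid_t *members;
	size_t nmembers;
} local_group_t;

static bool
sid_equal(const sid_t *a, const sid_t *b)
{
	return (a->rid == b->rid && strcmp(a->domain, b->domain) == 0);
}

/* True if the token's user SID or any of its group SIDs is a member. */
static bool
token_in_local_group(const token_t *tok, const local_group_t *grp)
{
	size_t i, j;

	for (i = 0; i < grp->nmembers; i++) {
		if (sid_equal(&grp->members[i], &tok->user))
			return (true);
		for (j = 0; j < tok->ngroups; j++)
			if (sid_equal(&grp->members[i], &tok->groups[j]))
				return (true);
	}
	return (false);
}

/*
 * BEFORE: the behaviour the report describes.  Finding the Domain Admins
 * RID among the token's groups short-circuits to "administrator", so
 * removing Domain Admins from the local group changes nothing.  That the
 * local list is still consulted otherwise is an assumption of this model.
 */
bool
is_admin_rid_shortcut(const token_t *tok, const local_group_t *administrators)
{
	size_t i;

	for (i = 0; i < tok->ngroups; i++)
		if (tok->groups[i].rid == DOMAIN_ADMINS_RID)
			return (true);
	return (token_in_local_group(tok, administrators));
}

/* AFTER: only the locally configured member list decides. */
bool
is_admin_local_only(const token_t *tok, const local_group_t *administrators)
{
	return (token_in_local_group(tok, administrators));
}

/* Constructed scenario: Administrators now contains only "Storage Admins"
 * (hypothetical RID 1105); alice is in Domain Admins, bob in Storage Admins. */
static const sid_t alice_groups[]  = { { "EXAMPLE", DOMAIN_ADMINS_RID } };
static const sid_t bob_groups[]    = { { "EXAMPLE", 1105 } };
static const sid_t admin_members[] = { { "EXAMPLE", 1105 } };
static const local_group_t administrators = { admin_members, 1 };

/* Is a Domain Admins member treated as an administrator? */
bool
domain_admin_is_admin(bool use_fix)
{
	token_t tok = { { "EXAMPLE", 1201 }, alice_groups, 1 };

	return (use_fix ? is_admin_local_only(&tok, &administrators) :
	    is_admin_rid_shortcut(&tok, &administrators));
}

/* Is a member of the preferred (locally added) group treated as one? */
bool
preferred_group_is_admin(bool use_fix)
{
	token_t tok = { { "EXAMPLE", 1202 }, bob_groups, 1 };

	return (use_fix ? is_admin_local_only(&tok, &administrators) :
	    is_admin_rid_shortcut(&tok, &administrators));
}

int
main(void)
{
	printf("Domain Admins member, RID shortcut: %s\n",
	    domain_admin_is_admin(false) ? "admin" : "not admin");
	printf("Domain Admins member, local only:   %s\n",
	    domain_admin_is_admin(true) ? "admin" : "not admin");
	printf("Storage Admins member, local only:  %s\n",
	    preferred_group_is_admin(true) ? "admin" : "not admin");
	return (0);
}
```

The point of the model is the first branch of is_admin_rid_shortcut: with Domain Admins removed from the local group, the RID check still grants administrator rights, which is exactly the "Actual Results" above, while the local-only check yields the "Expected Results" and still admits the group the operator added with smbadm.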
Updated by Gordon Ross over 3 years ago
Fix is out for review as part of this PR:
https://github.com/illumos/illumos-gate/pull/68
Updated by Electric Monk over 3 years ago
- % Done changed from 0 to 100
- Status changed from In Progress to Closed
git commit 48f31329f53c9b7554a923cb617ff7eecb6137e1

commit 48f31329f53c9b7554a923cb617ff7eecb6137e1
Author: Matt Barden <matt.barden@nexenta.com>
Date: 2019-11-14T14:23:07.000Z

11854 Domain Admins shouldn't always be Administrators
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Andrew Stormont <astormont@racktopsystems.com>
Approved by: Garrett D'Amore <garrett@damore.org>