Bug #11854 (closed): Domain Admins shouldn't always be Administrators

Added by Gordon Ross over 3 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Category: -
% Done: 100%
Difficulty: Medium

Description
netr_isadmin() searches the user's list of GroupIDs for the Domain Admins group's well-known RID, and if it's discovered, it marks the user as a member of the Administrators group, giving it the privileges of that group. However, Domain Admins is not a member of the Administrators group in all deployments, and some customers prefer for a particular system's Administrators to be a different or smaller group. They should be able to do that by removing Domain Admins from the local Administrators group and adding their preferred group, but the check in netr_isadmin makes that ineffective; instead, they have to remove privileges from that local group, add a new local group with the same permissions, and add their preferred group to that one.

Steps to Reproduce:
1. Join an SMB server to a domain
2. Remove "Domain Admins" from the local Administrators group (smbadm remove-member -m "Domain Admins@<domain>" Administrators)
3. Connect to a share with a member of the Domain Admins group
4. Perform Administrative tasks on the share (i.e. taking ownership of files you do not own or have permissions on).

Expected Results:
Cannot perform Administrative tasks

Actual Results:
Can perform Administrative tasks
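To show why removing "Domain Admins" from local Administrators has no effect under the check the report describes, here is an added C model of the two behaviours (constructed illustration, not illumos code and not the fix in the linked PR). It assumes a token of textual group SIDs; RID 512 (Domain Admins) and S-1-5-32-544 (BUILTIN\Administrators) are public Windows constants, the domain SIDs are made up.

```c
#include <stdbool.h>
#include <string.h>

/* Public well-known identifiers (not taken from the bug report). */
#define DOMAIN_ADMINS_RID_SUFFIX "-512"     /* Domain Admins RID */
#define BUILTIN_ADMINS_SID "S-1-5-32-544"   /* local Administrators group */
#define MAX_GROUPS 8
/* Constructed model of an SMB access token: textual group SIDs. */
struct token { const char *groups[MAX_GROUPS]; size_t ngroups; };

static bool token_has(const struct token *t, const char *sid)
{
	for (size_t i = 0; i < t->ngroups; i++)
		if (strcmp(t->groups[i], sid) == 0)
			return (true);
	return (false);
}

/* Local group expansion: a token holding any configured member of local
 * Administrators (the list smbadm add-member/remove-member edits) gains its SID. */
void expand_local_admins(struct token *t, const char **members, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (token_has(t, members[i]) && !token_has(t, BUILTIN_ADMINS_SID) &&
		    t->ngroups < MAX_GROUPS)
			t->groups[t->ngroups++] = BUILTIN_ADMINS_SID;
}

/* Behaviour the report describes: the Domain Admins RID alone implies admin. */
bool isadmin_by_rid(const struct token *t)
{
	for (size_t i = 0; i < t->ngroups; i++) {
		const char *rid = strrchr(t->groups[i], '-');
		if (rid != NULL && strcmp(rid, DOMAIN_ADMINS_RID_SUFFIX) == 0)
			return (true);
	}
	return (token_has(t, BUILTIN_ADMINS_SID));
}

/* A Domain Admins member's token (constructed SIDs), evaluated with or without
 * the default configuration in which Domain Admins is in local Administrators. */
bool check_domain_admin(bool da_in_local, bool fixed_check)
{
	const char *members[] = { "S-1-5-21-1-2-3-512" };
	struct token t = { { "S-1-5-21-1-2-3-1105", "S-1-5-21-1-2-3-512" }, 2 };
	expand_local_admins(&t, members, da_in_local ? 1 : 0);
	/* Fixed behaviour: only real membership in the local group counts. */
	return (fixed_check ? token_has(&t, BUILTIN_ADMINS_SID) : isadmin_by_rid(&t));
}
```

With Domain Admins removed from the local group, the RID-based check still grants Administrators while the membership-based check does not, matching the Expected vs. Actual results above.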

Actions #1

Updated by Gordon Ross over 3 years ago

Fix is out for review as part of this PR:
https://github.com/illumos/illumos-gate/pull/68

Actions #2

Updated by Electric Monk over 3 years ago

  • % Done changed from 0 to 100
  • Status changed from In Progress to Closed

commit  48f31329f53c9b7554a923cb617ff7eecb6137e1
Author: Matt Barden <matt.barden@nexenta.com>
Date:   2019-11-14T14:23:07.000Z

    11854 Domain Admins shouldn't always be Administrators
    Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
    Reviewed by: Evan Layton <evan.layton@nexenta.com>
    Reviewed by: Andrew Stormont <astormont@racktopsystems.com>
    Approved by: Garrett D'Amore <garrett@damore.org>
