Administrative accounts in Server Manager

OUCH OUCH OUCH
Can we PLEASE reconsider this? IMO it is absolutely NOT best practice to use root as the account for admin tasks, especially in an environment with multiple persons that do admin tasks.
IMO it should be possible to track back WHO did WHAT update. Using root, this is not possible.
If I remember correctly, when I worked for a large governmental institution, I had 2 accounts. 1 user account and 1 domain admin account.
For the domain admin account I also had a separate PC that had access to a special subnet (VLAN) that was allowed to do admin tasks. We were 6 system engineers who had domain admin rights and absolutely NEVER used the DOMAIN\administrator account.

2 Likes

I was speaking about the default user, root is a better choice than admin.

You can now do it also in the new Server Manager thanks to the work of @stephdl, @davidep, @edoardo_spadoni :wink:
Delegation is now a first class citizen in Cockpit: I can roughly estimate more than a month of man hours in this feature!

1 Like

Hi @giacomo
I am still not convinced that for the default user root is better than admin. When using NethServer in a production environment there is always an account manager. This account manager is managing global accounts. Therefore the accounts are valid throughout the whole domain.
If you use root, you are dealing with a local account. And root on 1 server is a different account than root on a 2nd server, even if they have the same password.
I think it is important to have consistency in the use of accounts. And using root breaks that consistency when using it over multiple servers.

We have to distinguish between root and the concept of “Domain Admins”. Both are valid, both are required to administrate a server. Neither is better than the other; they have distinct functions. Some differences:

  • only the root account is available after ISO install and it always exists
  • Domain Admins is a group of users and what they can do depends also on the accounts provider installed by root
  • admin is a predefined member of Domain Admins, disabled by default. It is still there for compatibility with ns6 and because many applications have the concept of the “admin” user and some could be missing the idea of an administrative group

1 Like

I agree and fully understand the differences between root, the domain admins group and the account admin (and account administrator). Of course there is a need for root to be able to do the first configuration of a server. But my concern is that root is propagated as the default account for using Server Manager.
IMO this is NOT the case.
As soon as you have activated an account manager, IMO you should not use root for day-to-day administration of the server and the domain. I think it should be best practice to create a user (or multiple users) for this task.

2 Likes