[Samba] Permissions issue on domain member server (samba as an appliance)

Rowland Penny rpenny at samba.org
Sat Oct 28 07:09:01 UTC 2023


On Fri, 27 Oct 2023 16:14:52 -0400
Greg Dickie <greg at justaguy.ca> wrote:

> Hey Rowland,
> 
> Hmmm. I may have misunderstood. I don't believe it explicitly said to
> do that but I took it as that. Should I create a local Administrator
> account instead?
> 

The whole idea behind the user map on a Unix domain member is to map
the Domain Administrator account (RID 500) to the Unix user 'root'.
When you do something on Windows as 'Administrator', it is done on Unix
as 'root'.

I would never use 'Administrator' directly on Unix and here is why:

I use the 'rid' idmap backend and if I run 'getent passwd
administrator', I get:

administrator:*:10500:10513::/home/administrator:/bin/bash

As you can see 'Administrator' has the ID '10500', which makes it a
normal Unix user with no special powers. However, from Windows via
Samba, the 'Administrator' ID is set to '0' by the user map and I hope
you realise what other Unix user has the ID '0'.

If you haven't realised yet, no, do not create a local Administrator,
for one thing, you already have one :-)

Rowland
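
Added example, not part of the original message or of Samba itself: a shell check of the two identities described above, run over constructed input. It assumes the 'rid' backend with base_rid 0 (Unix ID = low end of the idmap range + RID), a range starting at 10000 inferred from the getent output, the placeholder domain name SAMBA, and hypothetical function names.

```sh
#!/bin/sh
# Added example. Assumes the 'rid' idmap backend with base_rid 0,
# where Unix ID = low end of the idmap range + RID.

# rid_to_id LOW RID: the Unix ID the rid backend assigns to a RID.
rid_to_id() { echo $(( $1 + $2 )); }

# map_has_root MAPFILE: succeeds if a username map line maps a name
# containing Administrator to the Unix user root.
map_has_root() {
    grep -Eiq '^[[:space:]]*!?root[[:space:]]*=.*administrator' "$1"
}

# local_admin PASSWDFILE: succeeds if the local passwd file already
# contains an account named administrator (any case).
local_admin() {
    awk -F: 'tolower($1) == "administrator" { f = 1 } END { exit !f }' "$1"
}

# check_member MAPFILE PASSWDFILE GETENT_LINE LOW: prints one line per
# finding and returns the number of findings (0 means consistent).
check_member() {
    problems=0
    if ! map_has_root "$1"; then
        echo "user map does not map Administrator to root"; problems=$((problems + 1))
    fi
    if local_admin "$2"; then
        echo "local Administrator account exists in $2"; problems=$((problems + 1))
    fi
    uid=$(printf '%s\n' "$3" | cut -d: -f3)
    if [ "$uid" != "$(rid_to_id "$4" 500)" ]; then
        echo "Administrator resolves to uid $uid, expected $(rid_to_id "$4" 500)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed inputs: SAMBA is a placeholder domain, 10000 an assumed range start.
d=$(mktemp -d)
printf '%s\n' '!root = SAMBA\Administrator' > "$d/user.map"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' > "$d/passwd"
check_member "$d/user.map" "$d/passwd" \
    'administrator:*:10500:10513::/home/administrator:/bin/bash' 10000 \
    && echo "consistent: Windows-side Administrator acts as uid 0, Unix-side is uid 10500"
rm -rf "$d"
```

On a real member server the third argument would be the output of 'getent passwd administrator' and the second /etc/passwd.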