[Samba] No Admin-Rights in SMB-PDC-Domain

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Sep 23 04:48:57 MDT 2009

On Wed, Sep 23, 2009 at 12:45:22PM +0200, Daniel Spannbauer wrote:
> Volker Lendecke wrote:
>> On Wed, Sep 23, 2009 at 12:33:24PM +0200, Daniel Spannbauer wrote:
>>> Hmmm, when I log in on the Workstation as Administrator (which is
>>> mapped to User root) then I get a Groupsid which ends in 513, so I
>>> get as Administrator the Rights of the normal Domain User. But in
>>> LDAP the PrimaryGroupSid for root is set to 512 (DomainAdmins).
>>> In the Group-Entry for the Group of the DomainAdmins root is also in
>>> MemberUID.
>>> Can anybody tell me why the PrimaryGroupSid isn't used by samba?
>> Samba uses the gidNumber of the account and maps it via the
>> group mapping entries to a SID. We only have the
>> primaryGroupSid still in our schema because removing it
>> would have made upgrades almost impossible.
> Hello Volker,
> that means if the user Root has an Entry "primaryGroupSID" with the sid
> 512 then the User should have Admin-Rights because he's in the
> Domain-Admin-Group?

No. It means that if the user xxx has the gidNumber 123 or
is otherwise a member of 123 and gidNumber 123 is mapped via a
sambaGroupMapping entry to -512, then xxx should have local

Samba IGNORES the sambaPrimaryGroupSid entry.
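
The lookup described in the reply, as an added example that is not part of the original post and not Samba's own code: a simplified Python model over constructed LDAP entries that derives group SIDs from gidNumber and memberUid through sambaGroupMapping entries, and flags accounts whose sambaPrimaryGroupSID disagrees with the result. The domain SID, the account data and the function names are assumptions made for illustration.

```python
# Simplified model of the group resolution described above; all data is constructed.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed placeholder

# Constructed account entries (posixAccount + sambaSamAccount attributes).
ACCOUNTS = [
    {"uid": "root", "gidNumber": "0", "sambaPrimaryGroupSID": DOMAIN_SID + "-512"},
    {"uid": "alice", "gidNumber": "512", "sambaPrimaryGroupSID": DOMAIN_SID + "-513"},
    {"uid": "bob", "gidNumber": "513", "sambaPrimaryGroupSID": DOMAIN_SID + "-513"},
]
# Constructed sambaGroupMapping entries (posixGroup + sambaSID).
GROUPS = [
    {"cn": "Domain Admins", "gidNumber": "512",
     "sambaSID": DOMAIN_SID + "-512", "memberUid": ["root"]},
    {"cn": "Domain Users", "gidNumber": "513",
     "sambaSID": DOMAIN_SID + "-513", "memberUid": []},
]

def effective_group_sids(account, groups):
    """Return (primary_sid, all_sids) using gidNumber and memberUid only.

    sambaPrimaryGroupSID is deliberately never read here.
    primary_sid is None when the gidNumber has no sambaGroupMapping entry.
    """
    gid_to_sid = {g["gidNumber"]: g["sambaSID"] for g in groups}
    primary = gid_to_sid.get(account["gidNumber"])
    sids = {primary} if primary else set()
    for g in groups:
        if account["uid"] in g.get("memberUid", []):
            sids.add(g["sambaSID"])
    return primary, sids

def audit(accounts, groups, admin_rid="512"):
    """Report effective Domain Admins holders and misleading LDAP attributes."""
    report = []
    for acct in accounts:
        primary, sids = effective_group_sids(acct, groups)
        report.append({
            "uid": acct["uid"],
            "primary_sid": primary,
            "domain_admin": any(s.endswith("-" + admin_rid) for s in sids),
            # True when the ignored attribute claims something the mapping does not
            "stale_attr": acct.get("sambaPrimaryGroupSID") not in (None, primary),
        })
    return report

if __name__ == "__main__":
    for row in audit(ACCOUNTS, GROUPS):
        print(row)
```

In this model a `stale_attr` of True marks an account where reading sambaPrimaryGroupSID alone would give a wrong picture of the account's group membership.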
