[Samba] winbind: How to map Administrator to "root" on AD member server

Fred F frederik.vogelsang at gmail.com
Fri Feb 14 16:53:23 MST 2014


I am running a pure Samba 4.1+ AD environment (on the server side). There
is one AD DC running Samba 4.1 and two member servers (running Samba 4.1 as

I have provisioned the domain with support for the rfc2307 AD schema. On
the DC the UIDs are assigned automatically to AD users by Samba, which is
great. I am also storing the assigned UIDs in the Active Directory as
uidNumber (gidNumber for groups).

On the member servers I am using the AD idmap backend with rfc2307 support:

> idmap config *:backend = tdb
> idmap config *:range = 3500000 - 3600000
> idmap config MYDOMAIN:backend = ad
> idmap config MYDOMAIN:schema_mode = rfc2307
> idmap config MYDOMAIN:range = 0 - 3500000
> winbind nss info = rfc2307

This is working great for normal users and groups, but I am struggling with
some special accounts, such as "Administrator". On the DC Samba
automatically assigned the uid/gid "0" to the account, which is fine for
me. Now I also need this mapping on the member servers, as storage may be
shared across the servers, so the UIDs need to stay the same.

So I assigned the uidNumber "0" to the "Administrator" account in the AD,
but unfortunately the member server cannot resolve the account's SID to a
uid (on the AD DC this is working!). What am I doing wrong?

Thanks in advance,
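
An added example, not part of the original post and not Samba code: a small Python check that parses the `idmap config` lines quoted above and reports ranges that contain uid/gid 0 or that overlap each other, two things worth reviewing before a domain account can become root on a member server. The function names are hypothetical, and the check assumes both ends of a range are inclusive.

```python
import re

# Constructed input: the idmap lines quoted in the post above.
SAMPLE = """\
idmap config *:backend = tdb
idmap config *:range = 3500000 - 3600000
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 0 - 3500000
winbind nss info = rfc2307
"""

LINE = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_idmap(text):
    """Return {domain: {option: value}}; 'range' becomes a (low, high) tuple."""
    domains = {}
    for raw in text.splitlines():
        m = LINE.match(raw.lstrip("> \t"))  # tolerate indented or mail-quoted lines
        if not m:
            continue  # not an idmap line (e.g. "winbind nss info")
        dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
        if opt == "range":
            r = RANGE.match(val)
            if not r or int(r.group(1)) > int(r.group(2)):
                raise ValueError(f"bad range for {dom}: {val!r}")
            val = (int(r.group(1)), int(r.group(2)))
        domains.setdefault(dom, {})[opt] = val
    return domains


def audit(domains):
    """Flag ranges containing id 0 and overlapping pairs (inclusive ends assumed)."""
    findings = []
    ranged = sorted((d, o["range"]) for d, o in domains.items() if "range" in o)
    for i, (dom_a, (lo_a, hi_a)) in enumerate(ranged):
        if lo_a == 0:  # uid/gid 0 is root on the member server
            findings.append(("includes-id-0", dom_a))
        for dom_b, (lo_b, hi_b) in ranged[i + 1:]:
            if lo_a <= hi_b and lo_b <= hi_a:
                findings.append(("overlap", dom_a, dom_b,
                                 max(lo_a, lo_b), min(hi_a, hi_b)))
    return findings
```

For the sample, `audit(parse_idmap(SAMPLE))` reports that the `*` and `MYDOMAIN` ranges share id 3500000 and that the `MYDOMAIN` range includes id 0.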
