[Samba] winbind: How to map Administrator to "root" on AD member server

Fred F frederik.vogelsang at gmail.com
Sun Feb 16 06:32:41 MST 2014


2014-02-15 23:42 GMT+01:00 Björn JACKE <bj at sernet.de>:
> I would recommend to change the uidNumber of Administrator to a different
> unused one. Otherwise you might run into other problems, too. See also
> https://bugzilla.samba.org/show_bug.cgi?id=9837
ok, I understand that this could be bad. I'd also appreciate if the
default behavior could be changed by the Samba folks. But shouldn't I
still be able to resolve the Administrator account to uid 0 using
winbind in my setup? Or does winbind prevent mapping anything to
uid/gid 0 nowadays?

2014-02-16 0:38 GMT+01:00 Rowland Penny <rowlandpenny at googlemail.com>:
> Hmm, I can see two problems here:
> 1) Samba maps the Administrator to 0
> dn: CN=SID-500
> name: Administrator
> cn: SID-500
> objectClass: sidMap
> objectSid: SID-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=SID-500

> 2) where are you going to get the uidNumber from??? Samba 4 does not store
> any uidNumber's until one is created i.e. there is no uidNumber to give to
> the Administrator.
Well, the uidNumber comes from the AD attribute "uidNumer", which I
assigned manually to the user (can be easily done in the "UNIX"-tab of
the AD object on Windows or through LDAP). I've set up a sync script
which checks Samba's internal mapping between SIDs and uids/gids *on
the DC* and syncs them to the AD. This works for all users & groups,
except for Administrator (and the "Domain Admins" group), although I
think I've set everything up correctly.

So for me the actual question now is: is this a bug or a "feature"? :)

- Fred

More information about the samba mailing list