[Samba] winbind: How to map Administrator to "root" on AD member server

Rowland Penny rowlandpenny at googlemail.com
Sun Feb 16 06:58:59 MST 2014

On 16/02/14 13:32, Fred F wrote:
> Hi,
> 2014-02-15 23:42 GMT+01:00 Björn JACKE <bj at sernet.de>:
>> I would recommend to change the uidNumber of Administrator to a different
>> unused one. Otherwise you might run into other problems, too. See also
>> https://bugzilla.samba.org/show_bug.cgi?id=9837
> ok, I understand that this could be bad. I'd also appreciate if the
> default behavior could be changed by the Samba folks. But shouldn't I
> still be able to resolve the Administrator account to uid 0 using
> winbind in my setup? Or does winbind prevent mapping anything to
> uid/gid 0 nowadays?
> 2014-02-16 0:38 GMT+01:00 Rowland Penny <rowlandpenny at googlemail.com>:
>> Hmm, I can see two problems here:
>> 1) Samba maps the Administrator to 0
>> dn: CN=SID-500
>> name: Administrator
>> cn: SID-500
>> objectClass: sidMap
>> objectSid: SID-500
>> type: ID_TYPE_UID
>> xidNumber: 0
>> distinguishedName: CN=SID-500
> Exactly.
>> 2) where are you going to get the uidNumber from??? Samba 4 does not store
>> any uidNumber's until one is created i.e. there is no uidNumber to give to
>> the Administrator.
> Well, the uidNumber comes from the AD attribute "uidNumer", which I
> assigned manually to the user (can be easily done in the "UNIX"-tab of
> the AD object on Windows or through LDAP). I've set up a sync script
> which checks Samba's internal mapping between SIDs and uids/gids *on
> the DC* and syncs them to the AD. This works for all users & groups,
> except for Administrator (and the "Domain Admins" group), although I
> think I've set everything up correctly.
> So for me the actual question now is: is this a bug or a "feature"? :)
> - Fred
Hi, I was actually replying to Bjorn's post, but your reply just backs 
up what I was saying, a stock samba4 domain has nowhere to store any 
uidNumber's & gidNumber's (except in the user or group DN) until you 
create one through ADUC, AD then creates the attributes that I think 
should be there from the start, so I think it is a bug!

Only problem is, if the ' msSFU30MaxUidNumber' & 'msSFU30MaxGidNumber' 
were to be created and populated at provision, then samba-tool will have 
to be re-written to take advantage of these attributes.

If the above were to happen, this then opens another question, just 
where do you start these numbers? 10000 as windows does or somewhere else?

As for the Administrator account, I think that this may just be a 
windows 'feature', if you look at the Administrator account in ADUC, you 
will find that it is a built-in account and if you then open the 
Properties for this user and go to the 'Account' tab, you will find that 
the account has no 'User logon Name'.


More information about the samba mailing list