[Samba] winbind: How to map Administrator to "root" on AD member server

steve steve at steve-ss.com
Sun Feb 16 07:13:56 MST 2014

On Sun, 2014-02-16 at 13:58 +0000, Rowland Penny wrote:
> On 16/02/14 13:32, Fred F wrote:
> > Hi,
> >
> > 2014-02-15 23:42 GMT+01:00 Björn JACKE <bj at sernet.de>:
> >> I would recommend to change the uidNumber of Administrator to a different
> >> unused one. Otherwise you might run into other problems, too. See also
> >> https://bugzilla.samba.org/show_bug.cgi?id=9837
> > ok, I understand that this could be bad. I'd also appreciate if the
> > default behavior could be changed by the Samba folks. But shouldn't I
> > still be able to resolve the Administrator account to uid 0 using
> > winbind in my setup? Or does winbind prevent mapping anything to
> > uid/gid 0 nowadays?
> >
> > 2014-02-16 0:38 GMT+01:00 Rowland Penny <rowlandpenny at googlemail.com>:
> >> Hmm, I can see two problems here:
> >>
> >> 1) Samba maps the Administrator to 0
> >>
> >> dn: CN=SID-500
> >> name: Administrator
> >> cn: SID-500
> >> objectClass: sidMap
> >> objectSid: SID-500
> >> type: ID_TYPE_UID
> >> xidNumber: 0
> >> distinguishedName: CN=SID-500
> > Exactly.
> >
> >> 2) where are you going to get the uidNumber from??? Samba 4 does not store
> >> any uidNumbers until one is created i.e. there is no uidNumber to give to
> >> the Administrator.
> > Well, the uidNumber comes from the AD attribute "uidNumber", which I
> > assigned manually to the user (can be easily done in the "UNIX"-tab of
> > the AD object on Windows or through LDAP). I've set up a sync script
> > which checks Samba's internal mapping between SIDs and uids/gids *on
> > the DC* and syncs them to the AD. This works for all users & groups,
> > except for Administrator (and the "Domain Admins" group), although I
> > think I've set everything up correctly.
> >
> > So for me the actual question now is: is this a bug or a "feature"? :)
> >
> > - Fred
> Hi, I was actually replying to Bjorn's post, but your reply just backs 
> up what I was saying: a stock samba4 domain has nowhere to store any 
> uidNumbers & gidNumbers (except in the user or group DN) until you 
> create one through ADUC. AD then creates the attributes that I think 
> should be there from the start, so I think it is a bug!
> Only problem is, if the 'msSFU30MaxUidNumber' & 'msSFU30MaxGidNumber' 
> were to be created and populated at provision, then samba-tool will have 
> to be re-written to take advantage of these attributes.
> If the above were to happen, this then opens another question: just 
> where do you start these numbers? 10000 as windows does, or somewhere else?
> As for the Administrator account, I think that this may just be a 
> windows 'feature'. If you look at the Administrator account in ADUC, you 
> will find that it is a built-in account, and if you then open the 
> Properties for this user and go to the 'Account' tab, you will find that 
> the account has no 'User logon Name'.
> Rowland

The only way we know to do this is to map Administrator to root or
someone else. winbind won't do it, as the OP has found out. The solution
has already been posted in this thread:

As for where the uid should start, we'd vote to do it as windows
does it. Always do as windows does, even though we may not like it. This
extends to storing uidNumber and gidNumber. As windows does: in AD.
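The record Rowland quoted above is the sidMap format found in Samba's idmap.ldb, and Fred describes a script that compares that internal SID-to-xid mapping on the DC with the uidNumber stored in AD. The Python script below is an added example, not code from this thread or from Samba: it parses such a dump (a constructed sample with a made-up domain SID and the well-known RIDs 500, 513 and 1104), reports every SID that Samba resolves to uid/gid 0, and lists entries whose xidNumber disagrees with a constructed table of AD uidNumber/gidNumber values. Run against a real `ldbsearch -H idmap.ldb` dump, the first check is what surfaces the Administrator-to-root mapping Björn warns about.

```python
"""Audit a Samba idmap.ldb dump for root mappings and AD disagreements.

Added example for the thread above; not Samba's own tooling. The sample
records and AD values below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Well-known relative identifiers (RIDs) of built-in domain principals.
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}

# Constructed sample in the sidMap record format (domain SID is made up).
SAMPLE_IDMAP_LDIF = """\
# record 1
dn: CN=S-1-5-21-1111-2222-3333-500
cn: S-1-5-21-1111-2222-3333-500
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-1111-2222-3333-500

# record 2
dn: CN=S-1-5-21-1111-2222-3333-513
cn: S-1-5-21-1111-2222-3333-513
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-513
type: ID_TYPE_GID
xidNumber: 3000000
distinguishedName: CN=S-1-5-21-1111-2222-3333-513

# record 3
dn: CN=S-1-5-21-1111-2222-3333-1104
cn: S-1-5-21-1111-2222-3333-1104
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-1104
type: ID_TYPE_UID
xidNumber: 3000005
distinguishedName: CN=S-1-5-21-1111-2222-3333-1104
"""

# Constructed uidNumber/gidNumber values as they might be stored in AD:
# Administrator was given 10000 by hand, user 1104 matches, Domain Users is unset.
SAMPLE_AD_IDS: Dict[str, int] = {
    "S-1-5-21-1111-2222-3333-500": 10000,
    "S-1-5-21-1111-2222-3333-1104": 3000005,
}


@dataclass
class IdMapping:
    sid: str
    name: str
    id_type: str  # ID_TYPE_UID, ID_TYPE_GID or ID_TYPE_BOTH
    xid: int      # the Unix uid/gid Samba allocated for this SID


def rid(sid: str) -> int:
    """The last dash-separated component of a SID is its RID."""
    return int(sid.rsplit("-", 1)[1])


def parse_idmap_ldif(text: str) -> List[IdMapping]:
    """Turn blank-line separated LDIF sidMap records into IdMapping objects."""
    mappings: List[IdMapping] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs: Dict[str, str] = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # LDIF comment or continuation noise
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        if attrs.get("objectClass") != "sidMap":
            continue  # only SID mappings are of interest
        sid = attrs["objectSid"]
        name = attrs.get("name") or WELL_KNOWN_RIDS.get(rid(sid), "")
        mappings.append(IdMapping(sid, name, attrs["type"], int(attrs["xidNumber"])))
    return mappings


def find_root_mappings(mappings: List[IdMapping]) -> List[IdMapping]:
    """Every SID that Samba resolves to uid/gid 0, i.e. to root on the Unix side."""
    return [m for m in mappings if m.xid == 0]


def find_ad_mismatches(mappings: List[IdMapping],
                       ad_ids: Dict[str, int]) -> List[Tuple[IdMapping, Optional[int]]]:
    """Pairs (mapping, AD value) where AD stores no number or a different one."""
    return [(m, ad_ids.get(m.sid)) for m in mappings if ad_ids.get(m.sid) != m.xid]


def report(mappings: List[IdMapping], ad_ids: Dict[str, int]) -> List[str]:
    """Human-readable findings, one line each."""
    lines = [f"ROOT MAPPING: {m.name or m.sid} ({m.id_type}) -> xid 0"
             for m in find_root_mappings(mappings)]
    lines += [f"MISMATCH: {m.name or m.sid} idmap={m.xid} AD={ad_value}"
              for m, ad_value in find_ad_mismatches(mappings, ad_ids)]
    return lines


if __name__ == "__main__":
    for finding in report(parse_idmap_ldif(SAMPLE_IDMAP_LDIF), SAMPLE_AD_IDS):
        print(finding)
```

On a real system the AD side of the comparison would come from an LDAP query for uidNumber/gidNumber rather than the constructed dictionary; the parser and the two checks stay the same.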
