[Samba] Samba4: "­MYDO­M\Administrator" qui­te us­eless on a member

Rowland Penny rowlandpenny at googlemail.com
Mon Oct 27 15:29:01 MDT 2014

On 27/10/14 20:55, ?icro MEGAS wrote:
>> Comment from Rowland:
>> [...]an AD user without a uidNumber is merely a windows user
> Hi Rowland,
> just for my understanding, I have a question. If a domain user in my samba4 AD domain does not have been assigned with a "uid" on the [UNIX Attribute] tab of my ADUC tool, that user in general *cannot* access any of the shares of that particular member server? Is that correct? My [home] and [profile] share resides on my member server, thus I definitely *need* to assign to every domain user a uid so that he will be able to use that shares, right?

It is a bit more complicated than that, if you use a member server as 
you are doing, then yes, the underlying Unix machine has to know who 
your windows users are. You can use nlscd, sssd or winbind to do this, 
now if you use either of the last two, they can be set up in a way that 
they will be given a uidNumber automatically based on the users RID. If 
you give your users the required rfc2307 attributes, you can use any of 
the three and give your users individual home directory paths for 
instance, something that is not possible without using rfc2307. What I 
will say is, I think that it is better to use the rfc2307 attributes 
than not to.
> My other question still exists, it is the same as the topic of this thread :-) As you said one shouldn't assign a uid to the MYDOM\Administrator account (because he looses its special permissions and thus will be converted to a 'normal' UNIX user on the member server), I am still wondering myself:
> Is MYDOM\Administrator therefore *useless* on a memberserver? I cannot use that account for accessing shares on the member server, right? (assuming I didn't have assigned a UID to him, as you suggested).

This is a valid question and no the 'Administrator' is not useless on a 
memberserver, you need him (her ??) as a bridge to the root user from 
windows, this is what the smbmap is for, if you need to do something 
from windows on a Unix machine that only 'root' can do easily, then do 
it as 'root' via the smbmap. Just as you wouldn't really do much as the 
Administrator on windows (well you wouldn't login and run word all day 
long, for instance), you do not, as a rule, login as root on a Unix 
machine and carry out day to day operations.

> Thanks and greetings,
> Mirco

More information about the samba mailing list