[Samba] rfc2307 deprecated in Windows 2012 R2?

Hans-Kristian Bakke hkbakke at gmail.com
Fri Jan 30 09:55:14 MST 2015

I still do not follow you. An additional reason for including
administrator in the first place, not including that I actually want
it to work against the linux boxes like every other domain user, was
because winbind returns the exact same mapping when using idmap
backend RID with range 300000-499999 (i.e not rfc2307 attributes)

> wbinfo -i administrator

So the winbind devs obviously also thinks that Administrator should be
mapped like every other domain user.
The nice thing about this is that RFC2307 enabled winbind hosts,
sssd-ad hosts and winbind hosts still using RID can all coexist
peacefully and with the same UID/GID mapping (a need I had, thus
creating the need for the migration script).

But as I can see this is strictly a personal thing for you, it is of
course okay to not give administrator a UID. You can just exclude the
user in the script, so the functionality can still be used as a base,
or you can throw it in the garbage if you want to :) I was worried
that there were any technical consequences that I somewhat had missed
for years.


On 30 January 2015 at 17:35, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 30/01/15 16:20, Hans-Kristian Bakke wrote:
>> I do not understand the point about issues with administrator beeing
>> mapped to a "random" rfc2307 UID. You need to explain the details
>> surrounding that part to me as my experience is that this is OK and
>> even necessary.
>> The only reason for not giving Administrator a "random" UID/GID that I
>> can think of is perhaps if you are doing some mapping of Administrator
>> to root, something which I am personally strongly against as they are
>> _not_ the same users from any central authentication point of view. It
>> is just a hack for people that are doing the mistake of actually using
>> the administrator account for linux administration, when it shouldn't
>> really be used for anything at all, even on windows boxes, as you of
>> should be adding dedicated admin accounts for each admin.
>> The script only gives users and groups that are non-local (i.e domain
>> users that would actually be used for logins with non-zero SIDs)
>> uid/gids. Administrator is one of them and giving it an UID of
>> 300500/whatever is absolutely correct and necessary if administrator
>> is going to be able to login to the linux boxes like everybody else.
>>  From a linux box's view in a Windows DC domain administrator is no
>> different from other users. Add your admin group to sudoers and ssh
>> allowgroups and you are done. This works beatifully in several well
>> tested and abused production systems, also with ACLs with
>> administrator added.
> Well, there you go, you and I are at opposite ends of the spectrum. I am
> strongly against giving 'Administrator' a 'uidNumber' because you are
> turning a special windows user into an ordinary Unix user.
> I personally think that 'Administrator' should be mapped to the root user
> (user 0), if you want another windows user to do administration on a Unix
> machine, create one and give this user a 'uidNumber'. It may help if you go
> look in idmap.ldb and see what the devs have mapped 'Administrator' to.
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list