[Samba] rfc2307 deprecated in Windows 2012 R2?

Rowland Penny rowlandpenny at googlemail.com
Fri Jan 30 10:12:58 MST 2015

On 30/01/15 16:55, Hans-Kristian Bakke wrote:
> I still do not follow you. An additional reason for including
> administrator in the first place, not including that I actually want
> it to work against the linux boxes like every other domain user, was
> because winbind returns the exact same mapping when using idmap
> backend RID with range 300000-499999 (i.e. not rfc2307 attributes)
>> wbinfo -i administrator
> administrator:*:300500:300513:Administrator:/home/example.com/administrator:/bin/bash

On one of my DCs:

wbinfo -i administrator

and from idmap.ldb (created by the provision):

dn: CN=S-1-5-21-2025076216-3455336656-3842161122-500
cn: S-1-5-21-2025076216-3455336656-3842161122-500
objectClass: sidMap
objectSid: S-1-5-21-2025076216-3455336656-3842161122-500
xidNumber: 0
distinguishedName: CN=S-1-5-21-2025076216-3455336656-3842161122-500

Oh look it is mapped to '0' i.e. 'root'

> So the winbind devs obviously also think that Administrator should be
> mapped like every other domain user.

Do you want to retract that last statement?

> The nice thing about this is that RFC2307 enabled winbind hosts,
> sssd-ad hosts and winbind hosts still using RID can all coexist
> peacefully and with the same UID/GID mapping (a need I had, thus
> creating the need for the migration script).
> But as I can see this is strictly a personal thing for you, it is of
> course okay to not give administrator a UID. You can just exclude the
> user in the script, so the functionality can still be used as a base,
> or you can throw it in the garbage if you want to :) I was worried
> that there were any technical consequences that I somewhat had missed
> for years.
> Regards,
> Hans-Kristian

Yes, you seem to be missing the fact that 'Administrator' is a special
Windows user and shouldn't be turned into a normal Unix user.
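
The two mappings contrasted in this thread, as an added example that is not part of the original messages: it parses sidMap records in the LDIF form quoted above and sets each DC-side xidNumber beside the ID the rid backend would compute for the quoted range 300000-499999. It assumes the documented idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID, with base_rid 0); the second record and all function names are constructed for illustration.

```python
import re

# First record: the idmap.ldb entry quoted in the message above.
# Second record: constructed for contrast (RID 1105 and xid 3000020 are made up).
SAMPLE_LDIF = """\
dn: CN=S-1-5-21-2025076216-3455336656-3842161122-500
cn: S-1-5-21-2025076216-3455336656-3842161122-500
objectClass: sidMap
objectSid: S-1-5-21-2025076216-3455336656-3842161122-500
xidNumber: 0
distinguishedName: CN=S-1-5-21-2025076216-3455336656-3842161122-500

dn: CN=S-1-5-21-2025076216-3455336656-3842161122-1105
cn: S-1-5-21-2025076216-3455336656-3842161122-1105
objectClass: sidMap
objectSid: S-1-5-21-2025076216-3455336656-3842161122-1105
xidNumber: 3000020
"""

def parse_sidmap(ldif):
    """Return {sid: xid} for every sidMap record in an LDIF dump."""
    mapping = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in record.splitlines():
            key, sep, value = line.partition(": ")
            if sep:  # skips comment lines and anything that is not "key: value"
                attrs.setdefault(key, value)
        if attrs.get("objectClass") == "sidMap" and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping

def rid_backend_id(sid, low=300000, high=499999, base_rid=0):
    """ID the rid backend would compute: RID - base_rid + low; None if out of range."""
    rid = int(sid.rsplit("-", 1)[1])
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def compare(ldif):
    """Rows of (sid, xid on the DC, ID from the rid backend, maps to root?)."""
    return [(sid, xid, rid_backend_id(sid), xid == 0)
            for sid, xid in parse_sidmap(ldif).items()]

if __name__ == "__main__":
    for sid, dc_xid, rid_id, is_root in compare(SAMPLE_LDIF):
        flag = "  <-- root on the DC" if is_root else ""
        print(f"{sid}: DC xid={dc_xid}, rid backend={rid_id}{flag}")
```

For the RID 500 record this reports xid 0 on the DC and 300500 from the rid backend, the two values quoted in the thread.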

