[Samba] rfc2307 deprecated in Windows 2012 R2?

Rowland Penny rowlandpenny at googlemail.com
Fri Jan 30 10:33:51 MST 2015

On 30/01/15 17:29, Hans-Kristian Bakke wrote:
> On one of your DCs? As in you run Samba for your DCs?
> This thread was using Server 2012 R2 as DCs, and that was what my
> response was aimed at. I am also using Server 2012 R2 for DCs. In this
> case the Administrator is "just a user" seen from the linux boxes.
> That Administrator is assigned a root-role in a Samba DC is not a
> surprise for me as it then becomes more than an external windows user,
> but rather has to somewhat resemble the "full access" special internal
> role an Administrator has on Windows Domain.
> With this misunderstanding out of the way I can see your arguments. I
> find it rather confusing that you use arguments for the Samba DC in a
> thread for a Server 2012 R2 use case but that might just be me.
> --
> Regards,
> Hans-Kristian
> On 30 January 2015 at 18:12, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 30/01/15 16:55, Hans-Kristian Bakke wrote:
>>> I still do not follow you. An additional reason for including
>>> administrator in the first place, not including that I actually want
>>> it to work against the linux boxes like every other domain user, was
>>> because winbind returns the exact same mapping when using idmap
>>> backend RID with range 300000-499999 (i.e. not rfc2307 attributes)
>>>> wbinfo -i administrator
>>> administrator:*:300500:300513:Administrator:/home/example.com/administrator:/bin/bash
>> On one of my DC's:
>> wbinfo -i administrator
>> EXAMPLE\Administrator:*:0:10000::/home/EXAMPLE/Administrator:/bin/bash
>> and from idmap.ldb (created by the provision):
>> dn: CN=S-1-5-21-2025076216-3455336656-3842161122-500
>> cn: S-1-5-21-2025076216-3455336656-3842161122-500
>> objectClass: sidMap
>> objectSid: S-1-5-21-2025076216-3455336656-3842161122-500
>> type: ID_TYPE_UID
>> xidNumber: 0
>> distinguishedName: CN=S-1-5-21-2025076216-3455336656-3842161122-500
>> Oh look it is mapped to '0' i.e. 'root'
>>> So the winbind devs obviously also think that Administrator should be
>>> mapped like every other domain user.
>> Do you want to retract that last statement ?
>>> The nice thing about this is that RFC2307 enabled winbind hosts,
>>> sssd-ad hosts and winbind hosts still using RID can all coexist
>>> peacefully and with the same UID/GID mapping (a need I had, thus
>>> creating the need for the migration script).
>>> But as I can see this is strictly a personal thing for you, it is of
>>> course okay to not give administrator a UID. You can just exclude the
>>> user in the script, so the functionality can still be used as a base,
>>> or you can throw it in the garbage if you want to :) I was worried
>>> that there were any technical consequences that I somewhat had missed
>>> for years.
>>> Regards,
>>> Hans-Kristian
>> Yes, you seem to be missing the fact that 'Administrator' is a special
>> windows user and shouldn't be turned into a normal Unix user.
>> Rowland

The thread sort of degenerated away from the original topic and as such 
I can understand why we disagree, but only up to a point.

I think we should stop here before it starts getting silly :-)
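The two `wbinfo -i` outputs and the `idmap.ldb` entry quoted above show the same account (RID 500, Administrator) landing on two very different Unix IDs: 300500 with the idmap_rid backend on a member server, and 0 (root) from the DC's provision-time `idmap.ldb`. The following script is an added example, not code from the thread or from Samba; it reproduces the idmap_rid arithmetic as documented in idmap_rid(8) (`unix_id = RID - base_rid + low_range_id`), parses the two record formats quoted in the thread, and flags any domain SID or winbind user that maps to uid 0. The sample inputs are constructed from the lines quoted above; the function names and the 300000-499999 range are taken from the thread, everything else is an assumption for illustration.

```python
"""Audit winbind / Samba ID mappings for domain accounts that land on root (uid 0).

Added example; not part of the samba mailing-list thread or of Samba itself.
"""
import re
from typing import Optional

# Domain SIDs look like S-1-5-21-<a>-<b>-<c>-<RID>; the last component is the RID.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Constructed sample: the idmap.ldb sidMap entry quoted in the thread (LDIF).
SAMPLE_IDMAP_LDIF = """\
dn: CN=S-1-5-21-2025076216-3455336656-3842161122-500
cn: S-1-5-21-2025076216-3455336656-3842161122-500
objectClass: sidMap
objectSid: S-1-5-21-2025076216-3455336656-3842161122-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-2025076216-3455336656-3842161122-500
"""

# Constructed sample: the two 'wbinfo -i administrator' lines quoted in the thread.
SAMPLE_WBINFO_DC = "EXAMPLE\\Administrator:*:0:10000::/home/EXAMPLE/Administrator:/bin/bash"
SAMPLE_WBINFO_RID = (
    "administrator:*:300500:300513:Administrator:/home/example.com/administrator:/bin/bash"
)


def idmap_rid(sid: str, low_range: int, high_range: int, base_rid: int = 0) -> Optional[int]:
    """idmap_rid backend arithmetic as documented in idmap_rid(8):
    unix_id = RID - base_rid + low_range_id.  Returns None when the result
    falls outside the configured 'idmap config DOMAIN : range'."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    unix_id = int(m.group(1)) - base_rid + low_range
    if unix_id < low_range or unix_id > high_range:
        return None
    return unix_id


def parse_wbinfo_i(line: str) -> dict:
    """Parse one passwd-style 'wbinfo -i' line (7 colon-separated fields)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    name, _pw, uid, gid, _gecos, home, shell = fields
    return {"name": name, "uid": int(uid), "gid": int(gid), "home": home, "shell": shell}


def parse_idmap_ldif(text: str) -> list:
    """Extract sidMap entries (SID, type, xidNumber) from an LDIF dump of idmap.ldb."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                attrs[key.strip()] = value.strip()
        if attrs.get("objectClass") == "sidMap":
            entries.append({
                "sid": attrs["objectSid"],
                "type": attrs["type"],
                "xid": int(attrs["xidNumber"]),
            })
    return entries


def privileged_mappings(ldif_entries: list, wbinfo_records: list) -> list:
    """Return a human-readable finding for every mapping that resolves to uid 0."""
    findings = []
    for e in ldif_entries:
        if e["type"] == "ID_TYPE_UID" and e["xid"] == 0:
            rid = e["sid"].rsplit("-", 1)[1]
            findings.append(f"idmap.ldb: {e['sid']} (RID {rid}) -> uid 0 (root)")
    for r in wbinfo_records:
        if r["uid"] == 0:
            findings.append(f"wbinfo: {r['name']} -> uid 0 (root)")
    return findings


def audit_samples() -> list:
    """Run the check over the constructed samples from the thread."""
    entries = parse_idmap_ldif(SAMPLE_IDMAP_LDIF)
    records = [parse_wbinfo_i(SAMPLE_WBINFO_DC), parse_wbinfo_i(SAMPLE_WBINFO_RID)]
    return privileged_mappings(entries, records)


if __name__ == "__main__":
    print(idmap_rid("S-1-5-21-2025076216-3455336656-3842161122-500", 300000, 499999))
    for finding in audit_samples():
        print(finding)
```

On a member server with `idmap config EXAMPLE : backend = rid` and `range = 300000-499999`, `idmap_rid` reproduces exactly the 300500/300513 pair shown for the RID-backend host, so the same check can be pointed at `wbinfo -i` output from member servers and at an `ldbsearch`/LDIF dump of a DC's `idmap.ldb`; the DC-side finding is the one Rowland is pointing at.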

