[Samba] Why is Samba4 not recommended as a file server?

Mark Foley mfoley at ohprs.org
Wed Aug 10 02:48:58 UTC 2016

On Thu, 28 Jul 2016 13:15:43 +0100 Rowland penny <rpenny at samba.org> wrote:
> On 28/07/16 11:53, mathias dufresne wrote:
> >
> >
> > 2016-07-28 12:27 GMT+02:00 Rowland penny <rpenny at samba.org>:
> >
> >     On 28/07/16 10:32, mathias dufresne wrote:
> >
> >         Can you explain why it would be an issue giving GID to "Domain
> >         Admins" group?
> >
> >
> >     This is because Domain Admins has to own group policies in sysvol,
> >     not as a group but as a user. If you give Domain Admins a
> >     gidNumber, it becomes purely a group, so it cannot own the group
> >     policies as a user.
> >
> > This need sounds very strange to me... Why would a group need to be 
> > considered as a user?
> >
> > I noticed earlier that groups are considered as users when it comes to 
> > sysvol's ACLs. I thought it was because Samba was dealing with XIDs 
> > rather than UIDs and GIDs, and that use of XIDs is not precise enough to 
> > make a difference between users and groups, so to be sure Samba was 
> > putting ACLs on both sides (user ACL and group ACL). All that thought 
> > because Samba relies on idmap, and in idmap.ldb there is no UID/GID but 
> > only XID.
> >
> > I don't think Windows clients are expecting to find groups in users' 
> > ACLs so I'm really wondering why that would be an issue...
> >
> Yes it does sound strange, but, on Windows, groups can and do own 
> directories & files. An xidNumber is just that, a number; it is the 
> context in which that number is used that is important. If you give Domain 
> Admins a gidNumber attribute, then Domain Admins becomes just a group, 
> but if you examine the Domain Admins object in idmap.ldb, you will find that 
> it is type 'ID_TYPE_BOTH'. This means that as far as Unix is concerned, 
> Domain Admins is both a user and a group, so it can own dirs & files.
> Rowland

To add my two cents' worth, I did have a problem adding users to the 'Administrators' group (if
that is what this subject relates to).  Doing this caused any file created by such users to be
created with the Administrator's UID of 3000000, not with their own UID.  Rowland Penny figured
this out for me.  See my final email on this in this list dated August 25, 2015 00:13 EDT, and,
generally, the thread subject "Samba4 DC/AD documents created in redirected folders with bogus
UID", in this mailing list. 

According to Rowland, van Belle and other contributors to that thread, this is normal Microsoft
behavior and, as such, is probably appropriate for Samba4 if it has a goal of aping Microsoft's
AD, even if Microsoft's reasons for doing so are obscure. See this link provided by Rowland:

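As an added example, not part of this thread or of Samba itself, here is a small POSIX shell audit that reads the idmap.ldb record `ldbsearch` prints for a SID and reports whether Samba still treats it as ID_TYPE_BOTH, the condition Rowland describes for Domain Admins being able to own sysvol files. The path `/var/lib/samba/private/idmap.ldb`, the `audit_sid` helper name and the sample SID/xidNumber are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check what idmap.ldb says about a
# group such as Domain Admins. ID_TYPE_BOTH means Samba treats the SID as a
# user *and* a group, so it can own sysvol group policies; ID_TYPE_GID means
# it has become a plain group and cannot.

# Assumed location of the DC's idmap database; adjust for your build.
IDMAP_LDB="${IDMAP_LDB:-/var/lib/samba/private/idmap.ldb}"

# Constructed sample of what ldbsearch prints for a healthy Domain Admins
# record (the domain part of the SID and the xidNumber are made up).
SAMPLE_RECORD='dn: CN=S-1-5-21-111-222-333-512
objectSid: S-1-5-21-111-222-333-512
type: ID_TYPE_BOTH
xidNumber: 3000000'

# idmap_type: read one idmap.ldb record (LDIF) on stdin and print its
# 'type' value, or NONE when no such attribute is present.
idmap_type() {
    t=$(awk '/^type: /{print $2; exit}')
    printf '%s\n' "${t:-NONE}"
}

# idmap_verdict: explain what a type value means for sysvol ownership.
# Returns 0 for ID_TYPE_BOTH and 1 for anything else.
idmap_verdict() {
    case "$1" in
        ID_TYPE_BOTH) echo "ID_TYPE_BOTH: can own files as a user and act as a group"; return 0 ;;
        ID_TYPE_GID)  echo "ID_TYPE_GID: group only; cannot own sysvol policies as a user"; return 1 ;;
        ID_TYPE_UID)  echo "ID_TYPE_UID: user only"; return 1 ;;
        *)            echo "no idmap.ldb record for this SID (no type attribute)"; return 1 ;;
    esac
}

# audit_sid: look up one SID in idmap.ldb on a live DC and print the verdict.
# Needs ldbsearch from the Samba tools; not exercised by the sample below.
audit_sid() {
    ldbsearch -H "$IDMAP_LDB" "(objectSid=$1)" type xidNumber \
        | idmap_type | { read -r t; idmap_verdict "$t"; }
}

# Offline run against the constructed record:
printf '%s\n' "$SAMPLE_RECORD" | idmap_type | { read -r t; idmap_verdict "$t"; }

# On a DC, resolve the group name to its SID first (RID 512 is Domain Admins):
#   audit_sid "$(wbinfo -n 'Domain Admins' | cut -d' ' -f1)"
```

Run the same check for Administrators or any other group you have given a gidNumber; a verdict other than ID_TYPE_BOTH is the configuration the thread warns about.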