[Samba] File Server member DC ACL permissions

Rowland Penny rpenny at samba.org
Thu Aug 11 20:46:56 UTC 2016

On Thu, 11 Aug 2016 20:22:32 +0000 (UTC)
Ricardo Pardim Claus via samba <samba at lists.samba.org> wrote:

> > Hmm, the numbers seem extremely large, did you set this number in
> > the user's 'uidnumber' attribute in AD?
> How do I do this uidNumber configuration?
> I'm running all services: smbd, nmbd and winbind
> It's hard to run the file server as a domain member. When it was a file
> server with DC, it was much easier.

No, it is easy, once you understand it.

I take it you have Windows clients, what version?

Hopefully win7, if so, see here on how to install RSAT:


You can then use the 'UNIX Attributes' tab in ADUC to add the required

Basically, if you join a Unix computer to an AD domain, it becomes a
Unix domain member. If you then set up libnss_winbind and PAM it can
connect to AD and obtain the RFC2307 attributes for a user or group.
However, you have to add these, they are not created for you.
You can do this another way, which is similar to the way a Samba DC
works. This is the winbind 'rid' backend and does not entail adding
anything to AD. To use this backend, replace 'idmap config DOMAIN:
backend = ad' with 'idmap config DOMAIN: backend = rid' and remove
this line: 'idmap config DOMAIN: schema_mode = RFC2307'

Clear out the cache with 'net flush cache' and then restart the Samba
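
The backend switch described in the message above, as an added smb.conf fragment that is not part of the original post. DOMAIN is the placeholder used in the message; the range values and the '*' default-domain lines are assumed sample values, not taken from the thread.

```ini
[global]
    # Default domain (BUILTIN and local accounts). The range is a
    # constructed sample and must not overlap the DOMAIN range below.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Before: 'ad' backend. IDs are read from the RFC2307 attributes
    # (uidNumber/gidNumber) stored in AD. Users and groups that lack
    # them, or whose values fall outside the range, are not mapped.
    ;idmap config DOMAIN : backend = ad
    ;idmap config DOMAIN : schema_mode = rfc2307
    ;idmap config DOMAIN : range = 10000-999999

    # After: 'rid' backend. IDs are computed from the RID part of each
    # SID, so nothing has to be added to AD. Use the same range on every
    # domain member so a given user gets the same ID on all of them.
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 10000-999999

    # Switching backends changes the numeric IDs winbind hands out.
    # Files already on disk keep the old numeric owner, so check
    # ownership and ACLs on existing shares after the change.
```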

