[Samba] Samba DC, Winbind, and Administrator Account

Rowland Penny rpenny at samba.org
Sat Feb 6 09:32:37 UTC 2016

On 06/02/16 00:47, Nick Couchman wrote:
> I'm currently trying to get a Samba 4.3.4 DC added to an existing AD domain with one Server 2008 and one 2008R2 controller.  I'm having an issue here that seems to be related to the fact that, in the default Winbind mapping, Administrator gets UID 0.  I am not currently using any POSIX extensions inside the AD LDAP, I'm just having Winbind use LDB/TDB to map the UIDs.  For whatever reason, administrator gets UID 0.  With this configuration I seem to be able to hit the "sysvol" share on this DC as any user except administrator, but with the domain\administrator account I get an error in Windows that "the parameter is incorrect."
> So, my two questions are:
> - How do I map the domain\administrator account to a UID other than 0?

You don't really want to change this; it maps 'Administrator' to the 
Unix 'root' user and this allows the changing of ACLs etc.

> - If this isn't possible in this config, is there a way around "the parameter is incorrect" error?

What filesystem are you using, and do you have the 'attr' package 
installed?


> I'm running Samba 4.3.4 (compiled myself from sources) on CentOS 7.  I've disabled SELinux at this point.  I tried using the "samba-tool ntacl sysvolreset" utility to fix permissions on the sysvol tree, and that has added some ACL entries, but has not resolved the above error.
