[Samba] samba AD and Administrator UID

Rowland penny rpenny at samba.org
Fri Feb 12 15:35:01 UTC 2016

On 12/02/16 14:42, Alessandro Baggi wrote:
> Hi list,
> maybe you remember my last post about configuring samba4 as AD and 
> related problems.
> Today I've found another issue, this is not a problem but I need 
> clarification.
> After domain provisioning (samba-tool domain provision) I got my 
> domain created. During provisiong Administrator user (and other users) 
> and groups are created. During this procedure smbd is off and started 
> after provisionig.Running getent passwd and getent group I found that 
> Administrator User have uid 0 (like root) and Domain Users group have 
> gid 100 (like users group).
> This type of config is safe? There is not conflict with other user 
> with the same uid/gid? Administrator must have uid 0 or can have 
> another uid?
> If Administrator can have another uid, how I can specify a different uid?
> Thanks in advance.

There are two schools of thought here, you can give administrator a 
uidNumber, but this would turn Administrator into just another Unix user 
and as such wouldn't be able to do anything that is required. You can 
work around this by using members of Domain Admins and giving the group 
the required permissions on Unix machines.

The other way is the way that Samba does it, the AD user 'Administrator' 
is mapped to the Unix user 'root' this allows 'Administrator' to change 
Unix settings from windows. You do not actually have to use 'root' to 
change anything on a Unix machine, you can change the settings from a 
windows machine as 'Administrator', this is the way I would suggest 
doing things.

The same goes for 'Domain Users', on a DC, this group is mapped to the 
Unix group 'users'


More information about the samba mailing list