[Samba] Can one set the owner of a folder to BUILTIN\Administrators?

Rowland penny rpenny at samba.org
Wed Feb 17 13:34:13 UTC 2016

On 17/02/16 13:14, L.P.H. van Belle wrote:
> Rowland,
> If this is a DC.. and like me with config :
>       idmap config * : range = 2000-9999
> getent group BUILTIN\\Administrators
> BUILTIN\Administrators:*:3000000:
> Looks like about the same problem.
> Greetz
> Louis

That is what I get on a DC, but what you have to understand is, idmap on 
a DC works differently from a domain member.

A domain member asks winbind for 'BUILTIN\Administrators' ID, this is 
obtained from AD, assigned a local ID and stored in a .tdb file, the 
number that is assigned is based on the low range in 'idmap config *:'

A DC is slightly different, IDs are stored in idmap.ldb and are based on 
a range that starts at 3000000.

As far as I am aware, the idmap lines that you use on DC have no affect, 
I know that 'windbind use default domain' did work on a 4.2.x DC, but I 
think this was the only one of your lines that did. I will have to check 
my test DC to find out.


More information about the samba mailing list