[Samba] D.C. and File Server on the same server...

Rowland Penny rpenny at samba.org
Fri Nov 11 08:46:13 UTC 2016

On Thu, 10 Nov 2016 14:41:48 -0800
Linda W <samba at tlinx.org> wrote:

> Rowland Penny via samba wrote:

> >   
> ----
>     But I can create Unix IDs that are not Windows domain IDs.
> Various software packages installed on the server want their own ID --
> and many of those have nothing to do with Windows.  If I create
> the ID from Windows, it creates a Unix ID as well -- so I think that's
> already being done, though not always automatically -- especially if
> I have an existing Unix ID that I want to have available on Windows.

If you are talking about 'system' accounts (postfix, dovecot, apache,
etc.) then these do belong in /etc/passwd and /etc/group. As far as I am
aware, Windows doesn't use Unix IDs, it uses SID-RIDs.

> >>
> >>     on the server, so when I log in to Windows and bring up cygwin,
> >> I see my security label in my group listing.  I have several
> >> Win-builtin and well-known ID ranges mapped to Unix-ID ranges and
> >> that works (at least for identification purposes -- you can't
> >> force a Mandatory level your user ID doesn't already have in
> >> Windows, but it will show ones you do have if there is a label for
> >> them in "winbind").  I use winbind to provide a single sign-on from
> >> Linux or Windows with the file ownerships being the same for domain
> >> RIDs on Linux and on Windows (win7).
> >>     
> >
> > Just create the groups in AD and you probably won't need cygwin.
> >   
> ----
>     I don't need cygwin.  It is handy for printing out all the IDs
> associated with a login -- including the mandatory labels.  All of
> that isn't in one place on Windows -- I used cygwin as an example as
> it's an easy way to verify what groups are associated with my ID,
> which for Domain groups, you can't easily see in Windows (maybe you
> can w/AD, dunno).

OK, if you create a user or group in AD it gets a SID-RID. This is the
one for Domain Users:


If I run 'getent group Domain\ Users' on a Unix domain member, I get


What! A Windows group is usable on Unix, how is this possible?

This is possible because you can add this to the group's object in AD:

gidNumber: 10000

> >   
> >>>   
> >>> If you use the DC as a fileserver, then there are a few minor
> >>> problems you need to work around, mostly to do with IDs.
> >>>   
> >>>       
> >> ----
> >>     "Minor problems" -- enough so that it is recommended to run
> >> them on separate machines?
> >>     
> >
> > OK, the main visible problems are: a DC uses xidNumbers by default,
> > these are all in the '3000000' range and any Unix domain members
> > will get different IDs. You can work around this by giving Domain
> > users & groups a uidNumber or gidNumber; this way, they all get the
> > same ID everywhere in Unixland.
> > You cannot use the login shell & Unix home directory attributes
> > from AD on a DC, you have to use template lines in smb.conf.
> >   
> ---
>     Why not?  Can't I configure that range?... FWIW, though, right
> now my IDs all map to the same range (as I don't rely on
> auto-allocation), like   "idmap config *:range = 0-999999999"  --
> just wanted to make it include all of my mapped ranges.

Firstly, you shouldn't be starting your range at '0', but that is your
decision. As I said, you do not map, you make your Windows users &
groups be Unix users & groups; you are also at liberty to give your
users and groups whatever ID number you like.

>    I'm not averse to solving things w/symlinks or mounts on
> Unix.  For example, I have Athenae's (one of my Windows machines) disk
> mounted at '/Athenae' on my Unix machine. When I use 'ls -l' on that
> dir, I see links on my Windows machine that map to corresponding
> locations on my Unix machine, like:
> l--------- 1            0 Sep 24 14:55 D -> /??/UNC/Bliss/Documents/
> l--------- 1            0 Jun 13 18:40 Documents
> -> /??/UNC/Bliss/Documents/
> I.e. the links work the same whether you are on the Windows
> or the Linux machine.  Only works for me at this point, but
> since I'm the only person who works on the Unix machine, that's
> fine at this point.

Never tried to do this, but it should work on AD as well. Only thing
is, it is usually done the other way around, i.e. the data is stored
on a Unix machine and then mounted on the Windows machine.

> > You don't really need most of the BUILTIN users & groups to be
> > visible to Unix, winbind will silently map them for you with 'idmap
> > config *:backend = tdb'
> >   
> ---
>     I need them visible if I want them to display on the
> Windows machines in security dialogs showing users or groups from
> the domain.  I.e. I generally see all of the available IDs
> on my server -- which is good, as I don't remember them all,
> and they aren't visible on my workstation.  So configuring
> the server to enumerate them when I ask for all IDs of a type
> is very convenient if not essential (at least for me, as I don't
> use all of them often enough to remember them).

Go here and read:


They are the BUILTIN users and groups I was referring to; if these
aren't visible on your Windows machines, then you have BIG problems.
If you are referring to Unix users and groups, then, as I said, create
them as Windows users & groups and then give them a uidNumber or

> > No, you probably can't have it as easy as you have it now, with AD
> > you can have it easier ;-)
> >   
> ----
>     For those that already know all the ins and outs, it's "obvious",
> for those who don't -- it's magic... (akin to sufficiently advanced
> technology looking like magic... ;-)).

I would start reading up on using Samba as an AD domain; Microsoft
doesn't want you to use NT4-style domains any more and seems to be
making it harder and harder to use them.

A good place to start is here:



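As an added example (not Samba's code and not something posted in this thread), here is the consistency check the reply above is describing, written in Python: it reads a constructed LDIF-style dump of AD objects plus constructed /etc/passwd and /etc/group excerpts and flags users or groups with no uidNumber/gidNumber (which get an xidNumber in the 3000000 range on the DC and a different ID on each member), IDs that collide with local system accounts, IDs outside the configured idmap range, and a range that starts low enough to overlap the system accounts. Only gidNumber 10000 for Domain Users comes from the thread; the other names and values are made up.

```python
import re

# Constructed sample data (not from the thread): an LDIF-style dump of three AD
# objects, as ldbsearch/ldapsearch would print them, plus local /etc/passwd and /etc/group excerpts.
SAMPLE_LDIF = """\
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10000

objectClass: user
sAMAccountName: backup-op

objectClass: group
sAMAccountName: www-admins
gidNumber: 33
"""
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\n"
SAMPLE_GROUP = "root:x:0:\nwww-data:x:33:\n"

def parse_ldif(text):
    # Split the dump into objects of the form {attribute: [values]}
    objs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        objs.append(attrs)
    return objs

def audit(ldif_text, passwd_text, group_text, idmap_range="10000-999999"):
    # Return 'subject: problem' strings for IDs that will not resolve consistently
    low, high = (int(x) for x in idmap_range.split("-"))
    local_uids = {int(l.split(":")[2]) for l in passwd_text.splitlines() if l}
    local_gids = {int(l.split(":")[2]) for l in group_text.splitlines() if l}
    findings = []
    if low <= max(local_uids | local_gids):  # a range starting at 0 overlaps system accounts
        findings.append(f"idmap range: low end {low} overlaps local system accounts")
    for obj in parse_ldif(ldif_text):
        name = obj["sAMAccountName"][0]
        is_group = "group" in obj.get("objectClass", [])
        attr, local, db = (("gidNumber", local_gids, "/etc/group") if is_group
                           else ("uidNumber", local_uids, "/etc/passwd"))
        if attr not in obj:  # DC falls back to an xidNumber in the 3000000 range
            findings.append(f"{name}: no {attr}, domain members will allocate a different ID")
            continue
        num = int(obj[attr][0])
        if num in local:
            findings.append(f"{name}: {attr} {num} collides with an entry in {db}")
        if not low <= num <= high:  # the idmap ad backend ignores IDs outside its range
            findings.append(f"{name}: {attr} {num} is outside idmap range {idmap_range}")
    return findings
```

Run it against a real export by feeding `audit()` the output of `ldbsearch` or `ldapsearch` for your users and groups, the member server's /etc/passwd and /etc/group, and the range from your smb.conf.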