[Samba] User management scripts in AD mode...
rpenny at samba.org
Mon Jul 10 15:30:36 UTC 2017
On Mon, 10 Jul 2017 16:58:41 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> I add another question, lurking the list in these weeks. It seems to
> me that some users/groups do not have UID/GID (i suppose
> generically rfc2307 data) assigned.
> E.g., looking also at your answer here, it seems that Administrator is
> better not to have a UID and only 'domain users' and 'domain computers'
> need a UID.
> After the migration with 'classicupgrade' i've:
> root@lupus:~# getent passwd | grep -i administrator
> root@lupus:~# getent group | egrep ":5[0-9][0-9]:"
> domain computers:*:515:
The above group doesn't really need a gidNumber, it is only used by AD.
> domain admins:*:512:gaio,amaronese,lucaf
Ah, here is a possible problem: if you give 'Domain Admins' a gidNumber,
it just becomes a group as far as Unix is concerned, but 'Domain
Admins' needs to be a user as well to own dirs in sysvol; this is what
happens on a DC if 'Domain Admins' doesn't have a gidNumber.
> domain guests:*:514:
This shouldn't have a gidNumber either; it is again mapped on a DC (and
on a Unix domain member by winbind).
> domain users:*:513:amaronese,gaio
It is perfectly okay to give 'Domain Users' a gidNumber.
The main problem with the above gidNumbers is that they are all in the
'500' range. Somebody, sometime in the past, thought this was okay. Now,
with hindsight, it has proved to be a bad idea ;-)
Using such low numbers means that you cannot have ANY local Unix users.
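The two checks in the reply above (well-known groups that should carry no gidNumber on a DC, and gidNumbers low enough to collide with local Unix accounts) can be run over `getent group` output. The script below is an added example, not code from the thread or from the Samba project; it runs offline on a constructed sample that mimics the post's output, and it assumes a local GID floor of 1000 (the GID_MIN a typical /etc/login.defs sets; adjust LOCAL_GID_MIN to your distro).

```shell
#!/bin/sh
# Added example (not from the thread or Samba). Audits `getent group`
# output for the two problems discussed in the reply:
#   1. well-known groups that should not have a gidNumber on a DC at all;
#   2. gidNumbers below the floor a distro reserves for local Unix
#      accounts (assumed 1000, as in a typical /etc/login.defs GID_MIN).

LOCAL_GID_MIN=${LOCAL_GID_MIN:-1000}

# Constructed sample resembling the post's post-classicupgrade output,
# plus one group with a sane high gidNumber for contrast.
SAMPLE_GROUPS='domain computers:*:515:
domain admins:*:512:gaio,amaronese,lucaf
domain guests:*:514:
domain users:*:513:amaronese,gaio
ad-printusers:*:10005:gaio'

# Why a given well-known group should not have a gidNumber on a DC.
# Returns 1 (prints nothing) for any other group name.
reason_for_builtin() {
    case "$1" in
        "domain admins")    echo "needs to be mapped as a user too, to own dirs in sysvol" ;;
        "domain guests")    echo "mapped internally on a DC (and by winbind on members)" ;;
        "domain computers") echo "only used by AD, no gidNumber needed" ;;
        *)                  return 1 ;;
    esac
}

# Print one finding per line as "<group>:<gid>:<problem>"; prints nothing
# when the input is clean. Argument: getent-group formatted text.
audit_groups() {
    printf '%s\n' "$1" | while IFS=: read -r name _pw gid _members; do
        [ -n "$name" ] || continue
        # Skip entries without a numeric gid (nothing to audit there).
        case "$gid" in ''|*[!0-9]*) continue ;; esac
        lname=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        if why=$(reason_for_builtin "$lname"); then
            printf '%s:%s:has gidNumber but should not: %s\n' "$name" "$gid" "$why"
        fi
        if [ "$gid" -lt "$LOCAL_GID_MIN" ]; then
            printf '%s:%s:gidNumber below local GID_MIN %s, collides with local Unix groups\n' \
                "$name" "$gid" "$LOCAL_GID_MIN"
        fi
    done
}

# Number of findings for the given input (0 means clean).
count_findings() {
    n=$(audit_groups "$1" | grep -c .) || n=0
    echo "$n"
}

# Stand-alone run over the constructed sample. On a real DC or member,
# feed it live data instead:  audit_groups "$(getent group)"
audit_groups "$SAMPLE_GROUPS"
```

Each of the three well-known groups in the sample is reported twice (it should have no gidNumber at all, and the one it has is in the local range), 'domain users' only for its low gid, and 'ad-printusers' not at all. Field 3 of `getent passwd` is the uidNumber, so the same low-ID check applies to user entries if you feed those lines in; only the well-known-group reasons are group specific.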