[Samba] User management scripts in AD mode...

Rowland Penny rpenny at samba.org
Mon Jul 10 15:30:36 UTC 2017

On Mon, 10 Jul 2017 16:58:41 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> I add another question, lurking the list in these weeks. It seems to
> me that some users/group does not to have UID/GID (i suppose
> generically rfc2307 data) assigned.
> Eg, looking also at your answer here, seems that Admnistrator it is
> better not to have UID and only 'domain users' and 'domain computers'
> need a UID.
> After the migration with 'classicupgrade' i've:
>  root at lupus:~# getent passwd | grep -i administrator
>  root at lupus:~# getent group | egrep ":5[0-9][0-9]:"
>  domain computers:*:515:

The above group doesn't really need a gidNumber, it is only used by AD.

>  domain admins:*:512:gaio,amaronese,lucaf

Ah here is possible problem, if you give 'Domain Admins' a gidNumber,
it just becomes a group as far as Unix is concerned, but 'Domain
Admins' needs to be a user as well to own dirs in sysvol, this is what
happens on a DC if 'Domain Admins doesn't have a gidNumber.

>  domain guests:*:514:

This shouldn't have a gidNumber either, it is again mapped on a DC (and
a Unix domain member by winbind)

>  domain users:*:513:amaronese,gaio

It is perfectly okay to give 'Domain Users' a gidNumber

The main problem with the above gidNumbers is that they are all in the
'500' range. Somebody, sometime in the past thought this was okay, Now,
with hindsight, it has proved to be a bad idea ;-)

Using such low numbers means that you cannot have ANY local Unix users. 


More information about the samba mailing list