[Samba] Unable to set SeDiskOperatorPrivilege (again)

Rowland Penny rpenny at samba.org
Wed May 24 22:17:30 UTC 2017


On Thu, 25 May 2017 07:40:50 +1000
John Gardeniers via samba <samba at lists.samba.org> wrote:

> Hi Rowland,
> 
> Those low numbers you refer to are in fact the standard numbers
> assigned to those groups, so I fail to see the problem. 

Yes, they are standard numbers; they are standard RIDs and as such have
no place on Unix.

> As for
> mapping Administrator to root, I believe that's entirely optional,
> rather than required. Under normal circumstances we don't use the
> domain Administrator account at all. We have a root account we use
> instead.

Yes, it is optional, but if you want to do things from Windows, it's
easier to use Administrator on Windows that is mapped to root on the
Unix DC. The problems start when you give Administrator a uidNumber
that isn't '0'.

> 
> In regard to winbind, we have never used it and there's a concern
> here that it may clash with our use of sssd, which is working great
> for all normal purposes. Using multiple authentication mechanisms
> against the same source can't be a good idea and, as you can see from
> my question, we have no trouble resolving users or groups normally.

Anything sssd can do, winbind can do. winbind is supported by Samba;
sssd isn't. If you want sssd support, try the sssd-users mailing list.

> 
> Here's smb.conf from the test machine:
> 
> [global]
>      security = ADS
>      workgroup = MYDOMAIN
>      realm = MYDOMAIN.COM.AU
> 
>      log file = /var/log/samba/%m.log
>      log level = 1
> 
>      # Default ID mapping configuration for local BUILTIN accounts
>      # and groups on a domain member. The default (*) domain:
>      # - must not overlap with any domain ID mapping configuration!
>      # - must use an read-write-enabled back end, such as tdb.
>      idmap config * : backend = tdb
>      idmap config * : range = 10000-19999

Please don't use those numbers: '10000' is the default domain start
number on ADUC, and there are nowhere near 9999 well-known SIDs. Plus, if
you are not using winbind, you do not need those lines.

Rowland
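The two idmap rules that come up in this exchange (the default `*` domain must use a read-write backend such as tdb, and its range must not overlap any domain range, in particular the 10000-and-up numbers that ADUC hands out) can be checked mechanically. The script below is an added example, not code from this thread or from the Samba project. It parses the `idmap config` lines of an smb.conf text and reports the problems. The sample configs are constructed: the first reproduces the posted `*` range of 10000-19999 alongside a domain range that also starts at 10000; the corrected one uses 3000-7999 for `*`, which is an assumed value, not one given in the thread. The set of backends treated as read-write is also an assumption.

```python
"""Lint the idmap ranges in an smb.conf for overlap and backend mistakes."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the '*' range posted in the thread, plus a domain range
# starting at ADUC's default of 10000, so the two collide.
SAMPLE_SMB_CONF = """\
[global]
     security = ADS
     workgroup = MYDOMAIN
     realm = MYDOMAIN.COM.AU
     idmap config * : backend = tdb
     idmap config * : range = 10000-19999
     idmap config MYDOMAIN : backend = rid
     idmap config MYDOMAIN : range = 10000-999999
"""

# Constructed corrected sample. 3000-7999 for '*' is an assumed choice that
# stays below the ADUC start and is large enough for the well-known SIDs.
FIXED_SMB_CONF = """\
[global]
     idmap config * : backend = tdb
     idmap config * : range = 3000-7999
     idmap config MYDOMAIN : backend = rid
     idmap config MYDOMAIN : range = 10000-999999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

# Assumption: backends that can allocate new id mappings. The '*' default
# domain needs one of these; algorithmic backends such as rid/ad cannot.
READ_WRITE_BACKENDS = {"tdb", "tdb2", "autorid"}

# ADUC starts assigning uidNumber/gidNumber at 10000 (as stated in the thread).
ADUC_DEFAULT_START = 10000


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {key: value}} for every 'idmap config' line."""
    out: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            out.setdefault(m["domain"], {})[m["key"].lower()] = m["value"]
    return out


def parse_range(value: str) -> Tuple[int, int]:
    """Parse 'low-high' into (low, high), rejecting malformed or inverted ranges."""
    m = RANGE_RE.match(value.strip())
    if not m:
        raise ValueError(f"bad idmap range {value!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError(f"idmap range {value!r} has low > high")
    return lo, hi


def lint_idmap(conf: str) -> List[str]:
    """Return a list of human-readable problems; an empty list means clean."""
    problems: List[str] = []
    cfg = parse_idmap(conf)
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, kv in cfg.items():
        if "range" not in kv:
            problems.append(f"{dom}: no range set")
            continue
        ranges[dom] = parse_range(kv["range"])

    # Rule 1: the default domain must use a read-write backend.
    backend = cfg.get("*", {}).get("backend", "").lower()
    if backend not in READ_WRITE_BACKENDS:
        problems.append(f"*: backend {backend or '(unset)'} is not read-write; use tdb")

    # Rule 2: keep the default range clear of the numbers ADUC assigns.
    if "*" in ranges and ranges["*"][0] <= ADUC_DEFAULT_START <= ranges["*"][1]:
        problems.append(
            "*: range covers 10000, the ADUC default start; use a smaller range below it"
        )

    # Rule 3: no two domains may share any id.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"{a} {ranges[a]} overlaps {b} {ranges[b]}")
    return problems


if __name__ == "__main__":
    for name, conf in (("posted", SAMPLE_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(f"{name}:", lint_idmap(conf) or "ok")
```

Run it against `/etc/samba/smb.conf` by reading the file into `lint_idmap`; it only needs the text, so it is safe to run on a host where winbind is not installed.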
