[Samba] member domain idmap config ad/rid

Rowland Penny rpenny at samba.org
Tue May 30 16:13:21 UTC 2017

On Tue, 30 May 2017 12:33:26 -0300
Elias Pereira <empbilly at gmail.com> wrote:

> *confs fileserver*
> *smb.conf*
> winbind nss info = rfc2307

If you are using Samba 4.6.0 or greater, then you do not use the above

> idmap config ADDC:unix_nss_info = yes
> idmap config ADDC:unix_primary_group = yes

You only use the above two lines on Samba 4.6.0 or greater

> [storage]
> path = /mnt/dados
> read only = no
> admin users = "ADDC\Domain Admins" ADDC\administrator

You should set the ACLs from Windows, so you are not recommended
to have the last line above.

> *user.map*
> !root = ADDC\Administrator ADDC\administrator

I use:

!root = SAMDOM\Administrator SAMDOM\administrator Administrator

Not sure if it makes any difference ;-)

If you are logging in to the windows machine to use ADUC as a member of
Domain Admins, then you need to set the group on the share on the Unix
domain member to Domain Admins i.e. 
chown root:Domain\ Admins /mnt/dados

You will also need to give Domain Admins the rights to make changes on
the Unix domain member (aka fileserver), see here:


If you are logging in as Administrator, it should just work, this is
because Administrator is mapped to root.
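
As an added example that is not part of this thread (not Rowland's reply, not the Samba project's own code): a small POSIX shell lint for the smb.conf points raised above, run against two constructed fragments. It flags `winbind nss info` combined with the 4.6+ `unix_nss_info` setting, flags `admin users` on a share, and checks that every `backend = ad` domain has a range. The domain name ADDC and the share path /mnt/dados come from the thread; the realm, the idmap ranges and the username map path are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not code from the thread or from the Samba project: a small
# lint for the smb.conf settings discussed above, run against constructed
# fragments for a Samba 4.6+ Unix domain member. ADDC and /mnt/dados come
# from the thread; the realm, ranges and username map path are assumptions.

# Constructed "before" fragment: mixes the pre-4.6 and 4.6+ nss settings,
# grants 'admin users' on the share and forgets the idmap range for ADDC.
write_sample_conf() {
  cat > "$1" <<'EOF'
[global]
   workgroup = ADDC
   security = ADS
   realm = ADDC.EXAMPLE
   winbind nss info = rfc2307
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config ADDC : backend = ad
   idmap config ADDC : schema_mode = rfc2307
   idmap config ADDC:unix_nss_info = yes
   idmap config ADDC:unix_primary_group = yes
   username map = /etc/samba/user.map

[storage]
   path = /mnt/dados
   read only = no
   admin users = "ADDC\Domain Admins" ADDC\administrator
EOF
}

# Constructed "after" fragment: 4.6+ form only, a range for ADDC and no
# 'admin users'; access is then managed by chown root:"Domain Admins" on the
# path and ACLs set from Windows, as the reply above describes.
write_hardened_conf() {
  cat > "$1" <<'EOF'
[global]
   workgroup = ADDC
   security = ADS
   realm = ADDC.EXAMPLE
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config ADDC : backend = ad
   idmap config ADDC : schema_mode = rfc2307
   idmap config ADDC : range = 10000-999999
   idmap config ADDC:unix_nss_info = yes
   idmap config ADDC:unix_primary_group = yes
   username map = /etc/samba/user.map

[storage]
   path = /mnt/dados
   read only = no
EOF
}

# Print one FINDING line per problem; always returns 0 so it is safe under set -e.
lint_smb_conf() {
  conf="$1"
  problems=0

  # 1. 'winbind nss info' was replaced in 4.6.0 by idmap config DOM:unix_nss_info;
  #    having both at once is the mix-up discussed in the thread.
  if grep -qiE '^[[:space:]]*winbind nss info[[:space:]]*=' "$conf" &&
     grep -qiE '^[[:space:]]*idmap config [^:]+:[[:space:]]*unix_nss_info[[:space:]]*=[[:space:]]*yes' "$conf"; then
    echo "FINDING: 'winbind nss info' set together with unix_nss_info (4.6+ uses only the latter)"
    problems=$((problems + 1))
  fi

  # 2. 'admin users' makes those accounts root on the share, bypassing the
  #    filesystem ACLs; set the ACLs from Windows instead.
  if grep -qiE '^[[:space:]]*admin users[[:space:]]*=' "$conf"; then
    echo "FINDING: 'admin users' present; manage access with ACLs set from Windows"
    problems=$((problems + 1))
  fi

  # 3. The range setting is mandatory for every domain using backend = ad.
  for dom in $(grep -iE '^[[:space:]]*idmap config [^:]+:[[:space:]]*backend[[:space:]]*=[[:space:]]*ad[[:space:]]*$' "$conf" \
               | sed -E 's/^[[:space:]]*idmap config ([^: ]+).*/\1/'); do
    if ! grep -qiE "^[[:space:]]*idmap config $dom[[:space:]]*:[[:space:]]*range[[:space:]]*=" "$conf"; then
      echo "FINDING: idmap domain $dom uses backend ad but has no range"
      problems=$((problems + 1))
    fi
  done

  echo "total problems: $problems"
  return 0
}

# Number of FINDING lines for a config file (0 means clean).
count_findings() {
  lint_smb_conf "$1" | grep -c '^FINDING' || true
}

# Stand-alone run: lint the "before" and "after" fragments.
f=$(mktemp)
write_sample_conf "$f";   echo "== before =="; lint_smb_conf "$f"
write_hardened_conf "$f"; echo "== after ==";  lint_smb_conf "$f"
rm -f "$f"
```

The "before" fragment produces three findings and the "after" fragment none; the grep patterns accept both `idmap config ADDC:key` and `idmap config ADDC : key` spellings, since the thread uses the first and the Samba documentation commonly shows the second.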
