[Samba] RFC2307: Recommendations for mapping Administrator account

Rowland Penny rpenny at samba.org
Thu Feb 8 08:42:58 UTC 2018

On Wed, 7 Feb 2018 21:37:06 +0100
Fred F via samba <samba at lists.samba.org> wrote:

> Hi,
> I provisioned a new domain with "--use-rfc2307" as I want to use the
> "ad" idmap backend on my domain members.
> I am thinking of mapping the "Administrator" account to UID 10000
> (this is where my UID range for the domain will be starting), as the
> account must be known to the domain members (otherwise I got funny
> behavior). It seems a lot of people are mapping that account to root
> (UID 0) though. Even the Samba Wiki mentions that. Is that such a good
> idea?
> I know that mapping the account to uidNumber=0 using RFC2307 AD attrs
> will not work globally, as this is out of the idmap range. I could map
> the account on each member locally using a custom username map, but I
> was wondering if this is even desirable.
> Does it have any implications on the Samba AD DC, if the Administrator
> account has such a custom mapping? From what I understand the UID on
> the DC will still be 0.

If you map Administrator to '10000' then it will become '10000'
everywhere and Administrator will become just another Unix user.

Administrator is mapped to '0' on a DC in idmap.ldb; you can also map
Administrator to '0' on a Unix domain member by creating a user.map and
adding the relevant line to smb.conf.

The short answer to your question is, do not map Administrator to
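
The two mechanisms discussed in this thread (the "ad" backend's ID range and a local username map), shown as an added example that is not part of the original message. The domain name SAMBA, the path /etc/samba/user.map, the ranges and the helper function names are assumptions made for illustration.

```python
import re

# Constructed sample files: domain name, path and ranges are assumptions.
SMB_CONF = """\
[global]
    workgroup = SAMBA
    security = ADS
    username map = /etc/samba/user.map
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMBA : backend = ad
    idmap config SAMBA : schema_mode = rfc2307
    idmap config SAMBA : range = 10000-999999
"""
USER_MAP = "!root = SAMBA\\Administrator\n"

def idmap_ranges(conf):
    """Return {domain: (low, high)} from 'idmap config DOM : range = a-b' lines."""
    pat = re.compile(
        r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)",
        re.I | re.M,
    )
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in pat.finditer(conf)}

def uid_usable(conf, domain, uid_number):
    """True if a uidNumber stored in AD lies inside the member's range for that domain.
    The 'ad' backend ignores accounts whose ID is outside the configured range."""
    low, high = idmap_ranges(conf)[domain]
    return low <= uid_number <= high

def mapped_unix_name(user_map, account):
    """Return the Unix name a username map assigns to 'DOMAIN\\user', or None.
    Handles unquoted names only; a leading '!' stops further map processing."""
    for line in user_map.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix, names = line.split("=", 1)
        if account.lower() in (n.lower() for n in names.split()):
            return unix.strip().lstrip("!")
    return None

if __name__ == "__main__":
    for uid in (0, 10000):
        print(uid, "inside SAMBA range:", uid_usable(SMB_CONF, "SAMBA", uid))
    print("SAMBA\\Administrator ->", mapped_unix_name(USER_MAP, "SAMBA\\Administrator"))
```
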

