[Samba] RFC2307: Recommendations for mapping Administrator account

Fred F frederik.vogelsang at gmail.com
Thu Feb 8 18:01:41 UTC 2018


Thank you for your input, guys.

2018-02-08 10:55 GMT+01:00 Denis Cardon <dcardon at tranquil.it>:
> unless you have really specific requirements, you should really stick with
> RID mapping, it will be easier on the long run.

I think that would actually be more pain in the long run, as this
pretty much rules out using Samba/AD with sssd/nss-ldap.

2018-02-08 11:25 GMT+01:00 Marco Gaiarin via samba <samba at lists.samba.org>:
>> Yes, but then you are stuck with using the same Unix home directory
>> paths and login shells for everybody.

Yeah, I definitely need different login shells. I only want a few
users to actually be able to log into Linux machines. The non-Linux
users should still be resolvable on my Samba file server though, as I
will be setting ACLs for them there (mostly group-based ACLs though,
but group membership should also be resolvable).

> I add: also, using AD (on domain members) you can control which users
> are Windows-only (and LDAP) users, and which users are also UNIX/POSIX
> ones.

Well, in my scenario I just want all of them to be just "users", but
some of them are not allowed to log in on Linux machines (such as
Administrator). When managing ACLs with POSIX ACLs I need to map all
Samba users and most groups to UIDs/GIDs, that's why I am using
RFC2307 attributes.

From the discussion I've learned that there is no actual technical
necessity for the Administrator user to be present at all, so I could
either delete/disable it or map it to a regular UID just like any
other regular user. I am not adventurous enough to entirely delete the
account (what about sysvol permissions then?), though. For me the
consistency of UIDs/GIDs on POSIX ACLs is very important, as I will
also be sharing a few directories with both Samba and NFSv4. I guess
I'll go with the UID 10000 mapping then. Local mapping just does not
seem right, as I would run into problems on systems without winbind
(systems with only sssd for example).
