[Samba] idmap problems

Rowland Penny rpenny at samba.org
Fri Jan 4 12:28:33 UTC 2019

On Fri, 4 Jan 2019 11:48:56 +0000
Rob Mason <rob at acasta.co.uk> wrote:

> > >The current GPO's are not critical (fortunately).
> > > Should I remove the Domain Admin gid and chgrp the ownership of
> > > the original directories back to 3000008 (original Domain Admin)?
> >
> > Removing the gidNumber attribute should be enough, but as you say,
> > there is always chgrp.
> >
> > > suspect the alternative is not a simple as chgrp'ing sysvol to the
> > > new Domain Admin gid? Or is the damage done....
> >
> > samba-tool ntacl sysvolreset
> Thanks.  Is the reset based on the mapped gid or the original 3000008
> (original Domain Admin)? I assume it's the latter.

The latter.

> Is there a reason why I shouldn't map Domain Admins to a gid of
> 3000008 to match its current un-mapped default value on the ADC? I
> understand I would need to add 'idmap config SAMDOM:range =
> 30000-3000999' to my member server smb.conf.   Presumably this
> wouldn't impact sysvol, and, it would allow me to use the DA account
> on the member server(s).

There is a big difference between Unix and Windows, on Unix only users
can 'own' files & folders, but on Windows, groups can 'own' files &
folders. If you examine idmap.ldb on a DC, you will find that Domain
Admins has the 'type' ID_TYPE_BOTH. This means to Unix, the group is
also a user and as such, can own files & folders. If you give Domain
Admins a gidNumber, it will override idmap.ldb and the AD group will
become a Unix group and Unix groups cannot own files & folders.

> >
> > > 
> > > Given the original age of this domain, and relatively small size,
> > > I am considering starting afresh. I was originally trying to avoid
> > > having to re-register the workstation community. This now feels
> > > like the better option.
> >
> > Setting up a new AD domain is, in my opinion, a better idea, you can
> > start without the old ways of doing things e.g. not starting the
> > ID's from '500'.
> I'm not sure I understand what you mean by starting from 500? I
> couldn't find the current recommended starting point in the wiki,
> other than if using the old ADUC ("...By default, ADUC starts
> assigning UID and GID numbers at 10000...". Would this be a good
> starting point for a new domain?

Did you miss these Samba wiki pages:



It is all explained there.


More information about the samba mailing list