[Samba] Should the group "Domain Admins" have a gidNumber or not?

Viktor Trojanovic viktor at troja.ch
Sat Jan 19 19:10:47 UTC 2019


I'd like to verify some information on the wiki as I am under the
impression that information provided on this list contradicts it. I might
be wrong, of course.

On the page "Setting up a share using Windows ACL's", a new folder is
created and then an example is given of how the permissions could be changed
by issuing the following command:

chown root:"Domain Admins" /srv/samba/demo

My member server uses the ad ID mapping backend. So, if I understand
correctly, for any Linux command to recognize an AD group, the group needs
to have the attributes "gidNumber" and "msSFUNisDomain" set.

However, if I remember information provided on this list correctly, it is
not recommended to set uidNumber for Administrator, nor gidNumber for the
Domain Admins group.

But if it's not set, the chown command fails. Running chown root:"domain
users" works because "domain users" has a gidNumber. Running chown
root:"domain admins" fails, however.

So, how should I best proceed?

Thanks,
Viktor

