[Samba] Should the group "Domain Admins" have a gidNumber or not?

Rowland Penny rpenny at samba.org
Sat Jan 19 19:31:11 UTC 2019


On Sat, 19 Jan 2019 20:10:47 +0100
Viktor Trojanovic via samba <samba at lists.samba.org> wrote:

> I'd like to verify some information on the wiki as I am under the
> impression that information provided on this list contradicts it. I
> might be wrong, of course.
> 
> On the page "Setting up a share using Windows ACL's", a new folder is
> created and then an example is given how the permissions could be
> changed by issuing the following command:
> 
> chown root:"Domain Admins" /srv/samba/demo

Yes, that's what it shows.

> 
> My member server uses the ad ID mapping backend. So, if I understand
> correctly, for any linux command to recognize an AD group, the group
> needs to have the attributes "gidNumber" and "msSFUNisDomain" set.

It really only needs the 'gidNumber' attribute.

> 
> However, if I remember information provided on this list correctly,
> it is not recommended to set uidNumber for Administrator, nor
> gidNumber for the Domain Admins group.

No, you shouldn't give Administrator a uidNumber; it turns it into a
normal Unix user. You should map Administrator to the Unix user 'root'.

The problem with giving 'Domain Admins' a gidNumber is that it turns
it into a group. You might think that sounds strange, surely 'Domain
Admins' is a group, so what does it matter? It doesn't, EXCEPT on a
Samba AD DC, where 'Domain Admins' is both a user and a group. It is like
this so that it can 'own' folders & files in sysvol, and it cannot do
this if it is just a group.

My suggestion is to create a new group (I use 'Unix Admins') and add
this group to 'Administrators', then use this group instead of 'Domain
Admins'.

Rowland
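An added example, not part of this thread or of Samba itself: a small audit that reads an LDIF dump of AD objects (the sample below is constructed, the base DN and ID numbers are placeholders) and reports the two settings discussed above, a gidNumber on 'Domain Admins' and a uidNumber on Administrator, then builds the LDIF that would give a replacement group such as 'Unix Admins' a gidNumber instead.

```python
# Added example. A real dump would come from something like
# `ldbsearch -H /var/lib/samba/private/sam.ldb` on a DC; this input is constructed.
import re

# Constructed sample, not real directory data; DNs and numbers are placeholders.
SAMPLE_LDIF = """\
dn: CN=Domain Admins,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Admins
gidNumber: 10512

dn: CN=Administrator,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: Administrator
uidNumber: 10500

dn: CN=Unix Admins,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Unix Admins
"""


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute(lowercase): [values]} dicts."""
    text = re.sub(r"\n ", "", text)  # unfold continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def audit(entries):
    """Flag the two RFC2307 settings the thread advises against on a Samba AD DC."""
    findings = []
    for e in entries:
        name = e.get("samaccountname", [""])[0]
        if name == "Domain Admins" and "gidnumber" in e:
            findings.append("Domain Admins has gidNumber %s: on a Samba AD DC this "
                            "turns the user+group object into a plain group" % e["gidnumber"][0])
        if name == "Administrator" and "uidnumber" in e:
            findings.append("Administrator has uidNumber %s: map it to root instead"
                            % e["uidnumber"][0])
    return findings


def replacement_group_ldif(group_dn, gid_number):
    """LDIF 'modify' that gives the replacement group a gidNumber (the only attribute needed)."""
    return "dn: %s\nchangetype: modify\nadd: gidNumber\ngidNumber: %d\n-\n" % (group_dn, gid_number)
```

Apply the generated LDIF on the DC with ldbmodify, then add the replacement group to 'Administrators' with samba-tool group addmembers as Rowland suggests.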
