[Samba] Automatically assigning uidNumber / gidNumber attributes
Rowland penny
rpenny at samba.org
Fri Jun 7 15:48:38 UTC 2019
On 07/06/2019 16:37, Łukasz Michalski via samba wrote:
> On 05.06.2019 22:40, Rowland penny via samba wrote:
>>>
>>> https://lists.samba.org/archive/samba/2019-June/223478.html
>>> In this post, Rowland said "Oh good, 'Domain Admins' doesn't have a
>>> gidNumber attribute."
>> Domain Admins is a group that must own files in Sysvol. Samba runs on
>> Unix and groups cannot own files on Unix, so Domain Admins is mapped
>> as ID_TYPE_BOTH in idmap.ldb on the DC, this makes Domain Admins a
>> group and a user. If you give Domain Admins a gidNumber attribute, it
>> becomes just a group and cannot own files.
>>>
>
> Now I am confused. Reading "Adding a share" on domain member here:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Adding_a_Share
>
>
> If, with idmap-ad, I do not set a gidNumber on Domain Admins, will I not
> be able to chown to that group?
>
> Is it better to create other administrative group for managing file
> permissions?
>
> Regards,
> Łukasz
>
>
OK, I will add something to that page :)
Domain Admins needs to own files in Sysvol. Domain Admins is a group, and
groups cannot own files on Unix. To counter this, Domain Admins is
mapped to 'ID_TYPE_BOTH' in idmap.ldb, which makes it a group and a user.
If you give Domain Admins a gidNumber, it breaks this mapping and it
just becomes a group and, as I said, groups cannot own files on Unix ;-)
I personally create a group called 'Unix Admins', give this group a
gidNumber and make it a member of the 'Administrators' group.
If you use the 'rid' backend, then you do not need to do anything.
Rowland
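The procedure Rowland describes, as an added example that is not code from this thread or from the Samba project: a small script for a Samba AD DC that (a) audits a group by reading its idmap.ldb record and its AD gidNumber, flagging the case the thread warns about (a gidNumber on a group mapped ID_TYPE_BOTH, such as Domain Admins), and (b) creates a 'Unix Admins' group, gives it a gidNumber via ldbmodify and adds it to Administrators. Assumed, not from the page: the database paths under /var/lib/samba/private, the GID 10001, that wbinfo, ldbsearch, ldbmodify and samba-tool are on PATH, and the audit rule itself, which is derived from Rowland's explanation rather than documented Samba behaviour.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project.
# Assumptions: Samba AD DC databases under /var/lib/samba/private (override
# with SAM_LDB / IDMAP_LDB); wbinfo, ldbsearch, ldbmodify, samba-tool on PATH.
SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"
IDMAP_LDB="${IDMAP_LDB:-/var/lib/samba/private/idmap.ldb}"

# Parse ldbsearch output of one idmap.ldb record (on stdin) and print its
# mapping type (ID_TYPE_BOTH, ID_TYPE_UID, ID_TYPE_GID) or "none" if absent.
idmap_type() {
    awk -F': ' '/^type: / { print $2; found = 1 } END { if (!found) print "none" }'
}

# Parse ldbsearch output of an AD object (on stdin); succeed if it carries
# a gidNumber attribute.
has_gidnumber() {
    grep -q '^gidNumber: '
}

# Per the thread: a gidNumber is safe to add only to a group that is NOT
# mapped ID_TYPE_BOTH; on a BOTH-mapped group it turns the group into a
# plain group that can no longer own files in Sysvol.
gidnumber_is_safe() {
    [ "$1" != "ID_TYPE_BOTH" ]
}

# Pure audit rule (assumed, derived from the explanation above):
# $1 = idmap type, $2 = yes/no whether the AD object has a gidNumber.
verdict() {
    case "$1/$2" in
        ID_TYPE_BOTH/yes) echo "BROKEN: gidNumber set on an ID_TYPE_BOTH group, remove it" ;;
        ID_TYPE_BOTH/no)  echo "ok: ID_TYPE_BOTH mapping intact, no gidNumber" ;;
        */yes)            echo "ok: plain group with a gidNumber" ;;
        *)                echo "info: no gidNumber, idmap type $1" ;;
    esac
}

# LDIF that sets (or replaces) gidNumber on an object, for ldbmodify.
gid_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: gidNumber\ngidNumber: %s\n' "$1" "$2"
}

# --- live helpers below touch the DC and only run when invoked explicitly ---

# Resolve a group name to its SID with wbinfo, then read the DC's idmap.ldb record.
live_idmap_type() {
    sid=$(wbinfo --name-to-sid "$1" | awk '{ print $1 }')
    ldbsearch -H "$IDMAP_LDB" "(objectSid=$sid)" type | idmap_type
}

# Audit one group: idmap type from idmap.ldb, gidNumber from sam.ldb.
audit_group() {
    t=$(live_idmap_type "$1")
    if ldbsearch -H "$SAM_LDB" "(sAMAccountName=$1)" gidNumber | has_gidnumber; then g=yes; else g=no; fi
    verdict "$t" "$g"
}

# Rowland's approach: a separate 'Unix Admins' group with a gidNumber,
# made a member of Administrators; Domain Admins is left untouched.
setup_unix_admins() {
    gid="$1"
    samba-tool group add 'Unix Admins'
    dn=$(ldbsearch -H "$SAM_LDB" '(sAMAccountName=Unix Admins)' dn | awk -F': ' '/^dn: / { print $2 }')
    tmp=$(mktemp)
    gid_ldif "$dn" "$gid" > "$tmp"
    ldbmodify -H "$SAM_LDB" "$tmp"
    rm -f "$tmp"
    samba-tool group addmembers Administrators 'Unix Admins'
}

# Usage: ./idmap-check.sh audit 'Domain Admins'   |   ./idmap-check.sh setup 10001
case "${1:-}" in
    audit) audit_group "${2:-Domain Admins}" ;;
    setup) setup_unix_admins "${2:-10001}" ;;
esac
```

Run `audit 'Domain Admins'` before and after any RFC2307 work on a DC: the expected result is "ok: ID_TYPE_BOTH mapping intact, no gidNumber". With the 'rid' backend on domain members none of this is needed, as Rowland notes, since no gidNumber attributes are consulted there.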