[Samba] Automatically assigning uidNumber / gidNumber attributes

Rowland penny rpenny at samba.org
Fri Jun 7 15:48:38 UTC 2019

On 07/06/2019 16:37, Łukasz Michalski via samba wrote:
> On 05.06.2019 22:40, Rowland penny via samba wrote:
>>> https://lists.samba.org/archive/samba/2019-June/223478.html
>>> In this post, Rowland said "Oh good, 'Domain Admins' doesn't have a
>>> gidNumber attribute."
>> Domain Admins is a group that must own files in Sysvol. Samba runs on
>> Unix and groups cannot own files on Unix, so Domain Admins is mapped
>> as ID_TYPE_BOTH in idmap.ldb on the DC; this makes Domain Admins a
>> group and a user. If you give Domain Admins a gidNumber attribute, it
>> becomes just a group and cannot own files.
> Now I am confused. Reading "Adding a share" on a domain member here:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Adding_a_Share
> If, with idmap-ad, I do not set a gidNumber on Domain Admins, will I not be
> able to chown to that group?
> Is it better to create another administrative group for managing file
> permissions?
> Regards,
> Łukasz
OK, I will add something to that page :)

Domain Admins needs to own files in Sysvol; Domain Admins is a group and
groups cannot own files on Unix. To counter this, Domain Admins is
mapped to 'ID_TYPE_BOTH' in idmap.ldb, which makes it a group and a user.
If you give Domain Admins a gidNumber, it breaks this mapping and it
just becomes a group and, as I said, groups cannot own files on Unix ;-)

I personally create a group called 'Unix Admins', give this group a 
gidNumber and make it a member of the 'Administrators' group.

If you use the 'rid' backend, then you do not need to do anything.
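As an added check (not part of the original thread or of Samba itself), a small POSIX shell script that verifies the two conditions described above on a DC: the idmap.ldb record for the Domain Admins SID is still ID_TYPE_BOTH, and the AD group object has no gidNumber. The private directory path and the <DOMAIN-SID> placeholder are assumptions, and the LDIF records at the bottom are constructed samples, not output from a real DC.

```shell
# Added example (not from the original post or the Samba project): check the
# two conditions Rowland describes on a Samba AD DC, reading ldbsearch LDIF
# from stdin so the same functions accept live output or the samples below.
#   1. idmap.ldb maps the Domain Admins SID (RID 512) as ID_TYPE_BOTH
#   2. the AD group object carries no gidNumber attribute
# Live usage (private dir assumed; <DOMAIN-SID> is a placeholder, see
# 'wbinfo -D SAMDOM'):
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(cn=<DOMAIN-SID>-512)' type \
#       | idmap_is_both
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=Domain Admins)' gidNumber \
#       | has_no_gidnumber

idmap_is_both() {
    # ldbsearch prints one "attribute: value" per line.
    grep -q '^type: ID_TYPE_BOTH$'
}

has_no_gidnumber() {
    # Succeeds only when no gidNumber attribute is present.
    ! grep -q '^gidNumber: '
}

check_domain_admins() {
    # $1: LDIF of the idmap.ldb record, $2: LDIF of the AD group object.
    # Returns 0 only if Domain Admins can still own files (both checks pass).
    status=0
    if ! printf '%s\n' "$1" | idmap_is_both; then
        echo "idmap.ldb: Domain Admins is not ID_TYPE_BOTH"
        status=1
    fi
    if ! printf '%s\n' "$2" | has_no_gidnumber; then
        echo "AD: Domain Admins has a gidNumber, so it is only a group"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: Domain Admins is ID_TYPE_BOTH with no gidNumber"
    return "$status"
}

# Constructed sample records (domain SID and DN are made up).
IDMAP_OK='dn: CN=S-1-5-21-1111-2222-3333-512
objectClass: sidMap
type: ID_TYPE_BOTH
xidNumber: 3000000'
GROUP_OK='dn: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Domain Admins'
GROUP_BROKEN="$GROUP_OK
gidNumber: 10000"

check_domain_admins "$IDMAP_OK" "$GROUP_OK" || :
check_domain_admins "$IDMAP_OK" "$GROUP_BROKEN" || :
```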
