[Samba] Automatically assigning uidNumber / gidNumber attributes

Christian chanlists at googlemail.com
Tue Jun 11 08:41:53 UTC 2019


On 07.06.2019 at 17:48, Rowland penny via samba wrote:
> On 07/06/2019 16:37, Łukasz Michalski via samba wrote:
>> On 05.06.2019 22:40, Rowland penny via samba wrote:
>>>>
>>>> https://lists.samba.org/archive/samba/2019-June/223478.html
>>>> In this post, Rowland said "Oh good, 'Domain Admins' doesn't have a
>>>> gidNumber attribute."
>>> Domain Admins is a group that must own files in Sysvol. Samba runs
>>> on Unix and groups cannot own files on Unix, so Domain Admins is
>>> mapped as ID_TYPE_BOTH in idmap.ldb on the DC, this makes Domain
>>> Admins a group and a user. If you give Domain Admins a gidNumber
>>> attribute, it becomes just a group and cannot own files.
>>>>
>>
>> Now I am confused. Reading "Adding a share" on domain member here:
>>
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Adding_a_Share
>>
>>
>> If with idmap-ad I do not set gidNumber to Domain Admins I will not
>> be able to chown to that group?
>>
>> Is it better to create other administrative group for managing file
>> permissions?
>>
>> Regards,
>> Łukasz
>>
>>
> OK, I will add something to that page :)
>
> Domain Admins needs to own files in Sysvol, Domain Admins is a group
> and groups cannot own files on Unix. To counter this, Domain Admins is
> mapped to 'ID_TYPE_BOTH' in idmap.ldb, this makes it a group and a
> user. If you give Domain Admins a gidNumber, it breaks this mapping
> and it just becomes a group and, as I said, groups cannot own files on
> Unix ;-)
>
> I personally create a group called 'Unix Admins', give this group a
> gidNumber and make it a member of the 'Administrators' group.
>
> If you use the 'rid' backend, then you do not need to do anything.

Rowland,

this discussion was very useful to me and not obvious at all from the
existing documentation. Having recently assigned a uidNumber to
Administrator and a gidNumber to Domain Admins, how would I undo this?
ldbmodify and just remove the entries? Anything I need to change on the
two DCs? The permissions on the shares of the member servers are still
easily fixed at this point. Not sure about our print server with driver
download, though... Thanks,

Christian
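As an added illustration of the two checks this thread turns on (it is not code from the thread or from the Samba project), the script below shows how to read the idmap.ldb mapping type for a SID from `ldbsearch`-style output and how to express the removal of a `gidNumber` attribute as an LDIF for `ldbmodify`. The Samba private directory path, the domain DN, the domain SID and the sample `ldbsearch` output are all constructed placeholders; the real `ldbsearch`/`ldbmodify`/`wbinfo` invocations are shown only in comments so the script runs offline against the embedded sample.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Samba project.
# Assumed values (placeholders): Samba prefix, domain DN, domain SID.
SAM_LDB=/usr/local/samba/private/sam.ldb      # assumed Samba prefix
IDMAP_LDB=/usr/local/samba/private/idmap.ldb  # assumed Samba prefix
DOMAIN_DN='DC=samdom,DC=example,DC=com'        # placeholder domain
DOMAIN_SID='S-1-5-21-1111111111-2222222222-3333333333'  # placeholder SID

# Domain Admins is the well-known RID 512 of the domain SID.
domain_admins_sid() {
    printf '%s-512\n' "$1"
}

# Read ldbsearch-style records on stdin and print the idmap 'type:' of the
# record whose objectSid equals $1 (ID_TYPE_BOTH, ID_TYPE_UID or ID_TYPE_GID).
# Real usage on a DC: ldbsearch -H "$IDMAP_LDB" "(objectSid=$sid)" | idmap_type "$sid"
idmap_type() {
    awk -v sid="$1" '
        /^dn: /                         { hit = 0 }
        $1 == "objectSid:" && $2 == sid { hit = 1 }
        $1 == "type:" && hit            { print $2; exit }
    '
}

# Emit the LDIF that deletes the gidNumber attribute from the object at DN $1.
# Real usage: gidnumber_removal_ldif "$dn" > rm.ldif && ldbmodify -H "$SAM_LDB" rm.ldif
gidnumber_removal_ldif() {
    printf 'dn: %s\nchangetype: modify\ndelete: gidNumber\n-\n' "$1"
}

# Constructed sample of what ldbsearch prints for two idmap.ldb records:
# Domain Admins (RID 512) mapped as both, Domain Users (RID 513) as a group.
sample_idmap_output() {
    cat <<EOF
# record 1
dn: CN=$DOMAIN_SID-512
cn: $DOMAIN_SID-512
objectClass: sidMap
objectSid: $DOMAIN_SID-512
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=$DOMAIN_SID-512

# record 2
dn: CN=$DOMAIN_SID-513
cn: $DOMAIN_SID-513
objectClass: sidMap
objectSid: $DOMAIN_SID-513
type: ID_TYPE_GID
xidNumber: 3000001
distinguishedName: CN=$DOMAIN_SID-513

EOF
}

# Offline demonstration against the constructed sample.
sid=$(domain_admins_sid "$DOMAIN_SID")
echo "Domain Admins ($sid) idmap type: $(sample_idmap_output | idmap_type "$sid")"
echo "LDIF to drop gidNumber from Domain Admins:"
gidnumber_removal_ldif "CN=Domain Admins,CN=Users,$DOMAIN_DN"

# On a real DC the sequence would be (not run here):
#   sid=$(wbinfo -n 'Domain Admins' | cut -d' ' -f1)
#   ldbsearch -H "$IDMAP_LDB" "(objectSid=$sid)" | idmap_type "$sid"
#   ldbsearch -H "$SAM_LDB" -b "$DOMAIN_DN" '(cn=Domain Admins)' gidNumber
#   gidnumber_removal_ldif "CN=Domain Admins,CN=Users,$DOMAIN_DN" > /tmp/rm.ldif
#   ldbmodify -H "$SAM_LDB" /tmp/rm.ldif
```

The first check tells you what idmap.ldb currently holds for RID 512; Rowland's point is that this record should read `ID_TYPE_BOTH` for Domain Admins to own files in Sysvol. The LDIF only removes the `gidNumber` attribute from the AD object and does not touch idmap.ldb itself; whether anything further is needed on the DCs after that is the open question in Christian's message.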
