[Samba] Automatically assigning uidNumber / gidNumber attributes

Rowland penny rpenny at samba.org
Tue Jun 11 08:58:19 UTC 2019

On 11/06/2019 09:41, Christian via samba wrote:
> Am 07.06.2019 um 17:48 schrieb Rowland penny via samba:
>> On 07/06/2019 16:37, Łukasz Michalski via samba wrote:
>>> On 05.06.2019 22:40, Rowland penny via samba wrote:
>>>>> https://lists.samba.org/archive/samba/2019-June/223478.html
>>>>> In this post, Rowland said "Oh good, 'Domain Admins' doesn't have a
>>>>> gidNumber attribute."
>>>> Domain Admins is a group that must own files in Sysvol. Samba runs
>>>> on Unix and groups cannot own files on Unix, so Domain Admins is
>>>> mapped as ID_TYPE_BOTH in idmap.ldb on the DC, this makes Domain
>>>> Admins a group and a user. If you give Domain Admins a gidNumber
>>>> attribute, it becomes just a group and cannot own files.
>>> Now I am confused. Reading "Adding a share" on domain member here:
>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Adding_a_Share
>>> If with idmap-ad I do not set gidNumber to Domain Admins I will not
>>> be able to chown to that group?
>>> Is it better to create other administrative group for managing file
>>> permissions?
>>> Regards,
>>> Łukasz
>> OK, I will add something to that page :)
>> Domain Admins needs to own files in Sysvol, Domain Admins is a group
>> and groups cannot own files on Unix. To counter this, Domain Admins is
>> mapped to 'ID_TYPE_BOTH' in idmap.ldb, this makes it a group and a
>> user. If you give Domain Admins a gidNumber, it breaks this mapping
>> and it just becomes a group and, as I said, groups cannot own files on
>> Unix ;-)
>> I personally create a group called 'Unix Admins', give this group a
>> gidNumber and make it a member of the 'Administrators' group.
>> If you use the 'rid' backend, then you do not need to do anything.
> Rowland,
> this discussion was very useful to me and not obvious at all from the
> existing documentation. Having recently assigned a uidNumber to
> Administrator and a gidNumber to Domain Admins, how would I undo this?
> ldbmodify and just remove the entries? Anything I need to change on the
> two dcs? The permissions on the shares of the member servers are still
> easily fixed at this point. Not sure about our print server with driver
> download, though... Thanks,
> Christian
Yes, the easiest way would be to use ldbmodify to delete the u/gidNumber 
attributes and, provided you haven't deleted anything from idmap.ldb, 
they should go back to their original 'xidNumbers', though you will 
probably have to run 'net cache flush' on all Unix domain members.
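
As an added example (not part of the thread above, nor Samba's own tooling): the undo Rowland describes, written out as a small POSIX shell script to be run as root on a DC. It emits the LDIF that deletes one attribute from one object and pipes it to ldbmodify against sam.ldb, shows the idmap.ldb record so you can confirm the 'ID_TYPE_BOTH' / 'xidNumber' mapping that Domain Admins should fall back to, and also carries the 'Unix Admins' alternative from earlier in the thread. The private directory (/var/lib/samba/private), the base DN (DC=samdom,DC=example,DC=com) and the gidNumber 10000 are assumptions to adjust for your site; the two objects' DNs assume the default CN=Users container.

```shell
#!/bin/sh
# Added example, not from the samba list thread or the Samba project.
# Undo a uidNumber set on Administrator and a gidNumber set on Domain Admins,
# so the DC falls back to the ID_TYPE_BOTH xidNumber held in idmap.ldb.
# Run on a DC as root. Assumed paths/names; change them for your domain.

PRIVATE_DIR="${PRIVATE_DIR:-/var/lib/samba/private}"       # assumption
BASE_DN="${BASE_DN:-DC=samdom,DC=example,DC=com}"           # assumption

# Emit one LDIF change record that deletes an attribute from an object.
# Pure text, so it can be inspected (or tested) without Samba installed.
undo_ldif() {
    dn="$1"; attr="$2"
    printf 'dn: %s\nchangetype: modify\ndelete: %s\n-\n' "$dn" "$attr"
}

# Show the idmap.ldb record for a name. A healthy Domain Admins entry has
# 'type: ID_TYPE_BOTH' and an 'xidNumber'; while a gidNumber exists in AD,
# that gidNumber wins and the object can no longer own files on Unix.
show_idmap() {
    sid=$(wbinfo -n "$1" | awk '{print $1}')
    ldbsearch -H "$PRIVATE_DIR/idmap.ldb" "(cn=$sid)" type xidNumber
    # For ID_TYPE_BOTH both lookups must return the same xidNumber.
    echo "uid: $(wbinfo -S "$sid")  gid: $(wbinfo -Y "$sid")"
}

# Delete the two attributes named in the thread. ldbmodify reads LDIF from
# stdin when no file is given. Directory replication carries the change to
# the other DCs; nothing else needs editing there.
undo_posix_attrs() {
    undo_ldif "CN=Administrator,CN=Users,$BASE_DN" uidNumber \
        | ldbmodify -H "$PRIVATE_DIR/sam.ldb"
    undo_ldif "CN=Domain Admins,CN=Users,$BASE_DN" gidNumber \
        | ldbmodify -H "$PRIVATE_DIR/sam.ldb"
}

# The alternative from the thread: a separate group that does carry a
# gidNumber (must lie inside the idmap range of your members' smb.conf)
# and is a member of Administrators, leaving Domain Admins untouched.
make_unix_admins() {
    samba-tool group add 'Unix Admins' --gid-number=10000 --nis-domain=samdom
    samba-tool group addmembers Administrators 'Unix Admins'
}

# Nothing runs unless explicitly asked for, so the file is safe to source.
case "${1:-}" in
    --show)   show_idmap 'Domain Admins' ;;
    --undo)   undo_posix_attrs; show_idmap 'Domain Admins' ;;
    --unix-admins) make_unix_admins ;;
    *) echo "usage: $0 --show | --undo | --unix-admins" >&2 ;;
esac
# Afterwards, on every Unix domain member:  net cache flush
```

Run `--show` first to see what the mapping currently is, `--undo` to drop the attributes, then `net cache flush` on each member so winbind stops handing out the old gid; files on member shares that were chgrp'd to the AD gidNumber will need their ownership corrected by hand.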

