[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication

Rowland penny rpenny at samba.org
Tue Jun 18 19:53:17 UTC 2019

On 18/06/2019 20:25, Edouard Guigné via samba wrote:
> And What about Domain Admins gid ? Should also be in the DOMAIN range ?

Any AD user or group that you want/need to be visible to the Unix OS 
needs a uidNumber or gidNumber attribute and the attributes need to 
contain numbers inside the DOMAIN range. Note that not all AD users & 
groups need to be known to the Unix OS.

However, Domain Admins is a bit special, groups cannot own files on 
Unix, but Domain Admins needs to own files in sysvol, so the group is 
mapped inside idmap.ldb to 'ID_TYPE_BOTH' which allows it to own files. 
If you give Domain Admins a gidNumber attribute it just returns to being 
a group and groups cannot own files on Unix. I personally create a group 
called 'Unix Admins' , give this group a gidNumber and make it a member 
of Domain Admins, then use this group on Unix wherever you would 
normally Domain Admins.


More information about the samba mailing list