[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
rpenny at samba.org
Tue Jun 18 19:53:17 UTC 2019
On 18/06/2019 20:25, Edouard Guigné via samba wrote:
> And What about Domain Admins gid ? Should also be in the DOMAIN range ?
Any AD user or group that you want/need to be visible to the Unix OS
needs a uidNumber or gidNumber attribute and the attributes need to
contain numbers inside the DOMAIN range. Note that not all AD users &
groups need to be known to the Unix OS.
However, Domain Admins is a bit special, groups cannot own files on
Unix, but Domain Admins needs to own files in sysvol, so the group is
mapped inside idmap.ldb to 'ID_TYPE_BOTH' which allows it to own files.
If you give Domain Admins a gidNumber attribute it just returns to being
a group and groups cannot own files on Unix. I personally create a group
called 'Unix Admins' , give this group a gidNumber and make it a member
of Domain Admins, then use this group on Unix wherever you would
normally Domain Admins.
More information about the samba