[Samba] (properly formatted) Re: adman howto ? and is it safe to apply
Rowland Penny
rpenny at samba.org
Thu Jan 23 08:52:12 UTC 2020
On 23/01/2020 04:05, Jonathon Reinhart via samba wrote:
>> security = ads, backend = ad is working !!!
>>
>> but I don't have the builtin Administrator, can I add the Administrator
>> ?
>>
> Per Rowland's advice, Administrator should *not* be assigned a uidNumber. I
> don't claim to fully understand why.
OK, Administrator is the main administrator (hence the name) on Windows.
If you give Administrator a uidNumber it becomes visible to Unix, but
only as a normal user and can only do what a normal Unix user can.
However, Administrator needs to do things on Unix that a normal user
cannot, so this is why you need (on a Unix domain member) to map
Administrator to the Unix user root in a user.map. This allows
Administrator from Windows to do things on Unix as root; the mapping on
a Samba DC is automatic.
>
>
>> other thing, all users have the same gidNumber, even users from OU=Admins
>> ... , is this supposed to be like this ?
Yes and no ;-)
Users do not actually need a gidNumber. Using the 'ad' backend, all
users will get the gidNumber from Domain Users even if it isn't set in
the user's object in AD.
If you do set a gidNumber attribute in the user's object, whilst it must
be the GID of a group, they do not all have to have the same GID. All
users will have the same primaryGroupID (513) and this will be used for
the user's primary group unless you are using Samba >= 4.6.0 and have
'idmap config SAMDOM:unix_primary_group = yes' in smb.conf and have
given your users a gidNumber attribute containing the GID of an existing
group.
Rowland
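
The two settings discussed in this reply, as an added smb.conf sketch for a Unix domain member (an illustration, not part of the original post). SAMDOM is the domain name used in the reply; the realm, ID ranges and user.map path are assumed values.

```ini
# smb.conf on a Unix domain member (not a DC; on a Samba DC the
# Administrator -> root mapping is automatic and no user.map is used).
# Comments must be on their own lines: smb.conf has no trailing comments.
[global]
    workgroup = SAMDOM
    # assumed realm
    realm = SAMDOM.EXAMPLE.COM
    security = ads

    # Default domain (BUILTIN and local accounts); assumed range
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # 'ad' backend: IDs come from uidNumber/gidNumber stored in AD.
    # Administrator is deliberately left WITHOUT a uidNumber in AD.
    # The range is assumed and must cover the IDs set in AD.
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999

    # Samba >= 4.6.0 only: take the primary group from the user's own
    # gidNumber (must be the GID of an existing group) instead of
    # primaryGroupID (513, Domain Users).
    idmap config SAMDOM : unix_primary_group = yes

    # Map Windows Administrator to Unix root; assumed path
    username map = /etc/samba/user.map

# Contents of /etc/samba/user.map (a separate file, one line).
# The leading '!' stops map processing at the first match:
#   !root = SAMDOM\Administrator
```

Running `testparm` after editing reports syntax errors in smb.conf before the services are restarted.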