[Samba] (properly formatted) Re: adman howto ? and is it safe to apply

Rowland penny rpenny at samba.org
Thu Jan 23 08:52:12 UTC 2020

On 23/01/2020 04:05, Jonathon Reinhart via samba wrote:
>>   security = ads, backend = ad is working !!!
>> but I don't have the bultin Administrator, can I add the Administrator
>> ?
> Per Rowland's advice, Administrator should *not* be assigned a uidNumber. I
> don't claim to fully understand why.
OK, Administrator is the main administrator (hence the name) on Windows. 
If you give Administrator a uidNumber it becomes visible to Unix, but 
only as a normal user and can only do what a normal Unix user can. 
However, Administrator needs to do things on Unix that a normal user 
cannot, so this is why you need (on a Unix domain member) to map 
Administrator to the Unix user root in a user.map. This allows 
Administrator from Windows to do things on Unix as root, the mapping on 
a Samba DC is automatic.
>> other thing all user have the same  gidNumber, even user from OU=Admins
>> ... , is this supposed to be like this ?

Yes and no ;-)

Users do not actually need a gidNumber. Using the 'ad' backend, all 
users will get the gidNumber from Domain Users even if it isn't set in 
the users object in AD.

If you do set a gidNumber attribute in the users object, whilst it must 
be the GID of a group, they do not all have to have the same GID. All 
users will have the same primaryGroupID (513) and this will be used for 
the users primary group unless you are using Samba >= 4.6.0 and have 
'idmap config SAMDOM:unix_primary_group = yes' in smb.conf and have 
given your users a gidNumber attribute containing the GID of an existing 


More information about the samba mailing list