[Samba] Provisioning new AD Domain Controller

Rowland Penny rpenny at samba.org
Fri Jan 19 19:39:30 UTC 2024


On Fri, 19 Jan 2024 14:27:28 -0500
Mark Foley via samba <samba at lists.samba.org> wrote:

> I'm trying to figure out the user.group of my domain administrator
> account. getent gives me:
> 
> # getent passwd Administrator
> HPRS\administrator:*:0:100::/home/HPRS/administrator:/bin/false

Totally as expected.

> 
> If I chown a file:
> 
> chown HPRS\\administrator.100 thisfile
> 
> I get:
> 
> # ls -l thisfile
> -rwxrwx---+  1 root users      68973 2022-08-08 09:12 thisfile

Again as expected.

'root' has the numeric ID '0' and 'users' is '100'; they are mapped in
idmap.ldb.

> 
> If I do the same for normal domain users:
> 
> # chown HPRS\\mark.100 anotherfile
> # ls -l anotherfile
> rwxr-xr-x+  1 HPRS\mark users     164 2019-01-20 01:43 anotherfile
> 
> The latter shows the actual "HPRS\mark" as the user, but doing so for
> Administrator shows root as the user.

Again, this is to be expected.

> 
> Are HPRS\administrator and root synonyms? 

No, but Administrator is mapped to root in idmap.ldb on a Samba AD DC.

> 
> On the other hand, the provisioning step created /var/lib/samba/sysvol
> as:
> 
> # ls -ld /var/lib/samba/sysvol
> drwxrwx---+ 3 root BUILTIN\administrators 4096 2024-01-18 21:51
> /var/lib/samba/sysvol/
> 
> Why does getent for administrator give group 100 (users) but sysvol's
> group is BUILTIN\administrators (gid 3000000)?

Because it has to be that way, Windows expects it.

> 
> Should I change the group for "thisfile" to 3000000?

Absolutely not.

> 
> Is this all OK?

Yes 

Rowland
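
An added illustration of the idmap.ldb mappings discussed in this thread (not part of the original message and not Samba project code): it parses a constructed dump in the LDIF shape that ldbsearch prints for sidMap records and reports any SID other than the domain Administrator (RID 500) that maps to Unix ID 0. The domain SID is a placeholder, the record layout is assumed, and treating the gid 100 entry as Domain Users (RID 513) is an assumption.

```python
import re

# Constructed sample, not taken from the thread. The domain SID is a placeholder;
# the xidNumber values 0, 100 and 3000000 are the IDs quoted in the thread.
# Assumption: the gid 100 record belongs to Domain Users (RID 513).
SAMPLE_LDIF = """\
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-500
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-500
type: ID_TYPE_UID
xidNumber: 0

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-513
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
type: ID_TYPE_GID
xidNumber: 100

dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
"""

def parse_idmap(ldif):
    """Return one {sid, type, xid} dict per sidMap record in the dump."""
    records = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        # Lines without "key: value" (e.g. "# record 1") are skipped.
        attrs = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if attrs.get("objectClass") == "sidMap":
            records.append({"sid": attrs["objectSid"],
                            "type": attrs["type"],
                            "xid": int(attrs["xidNumber"])})
    return records

def unexpected_root_mappings(records):
    """SIDs that resolve to uid 0 but are not the domain Administrator."""
    admin = re.compile(r"^S-1-5-21(-\d+){3}-500$")
    return [r["sid"] for r in records
            if r["xid"] == 0
            and r["type"] in ("ID_TYPE_UID", "ID_TYPE_BOTH")
            and not admin.match(r["sid"])]
```
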




