[Samba] Provisioning new AD Domain Controller
Rowland Penny
rpenny at samba.org
Fri Jan 19 19:39:30 UTC 2024
On Fri, 19 Jan 2024 14:27:28 -0500
Mark Foley via samba <samba at lists.samba.org> wrote:
> I'm trying to figure out the user.group of my domain administrator
> account. getent gives me:
>
> # getent passwd Administrator
> HPRS\administrator:*:0:100::/home/HPRS/administrator:/bin/false
Totally as expected.
>
> If I chown a file:
>
> chown HPRS\\administrator.100 thisfile
>
> I get:
>
> # ls -l thisfile
> -rwxrwx---+ 1 root users 68973 2022-08-08 09:12 thisfile
Again as expected.
'root' has the numeric ID '0' and 'users' is '100'; they are mapped in
idmap.ldb
>
> If I do the same for normal domain users:
>
> # chown HPRS\\mark.100 anotherfile
> # ls -l anotherfile
> rwxr-xr-x+ 1 HPRS\mark users 164 2019-01-20 01:43 anotherfile
>
> The latter shows the actual "HPRS\mark" as the user, but doing so for
> Administrator shows root as the user.
Again, this is to be expected.
>
> Are HPRS\administrator and root synonyms?
No, but Administrator is mapped to root in idmap.ldb on a Samba AD DC.
>
> On the other hand, the provisioning step created /var/lib/samba/sysvol
> as:
>
> # ls -ld /var/lib/samba/sysvol
> drwxrwx---+ 3 root BUILTIN\administrators 4096 2024-01-18 21:51
> /var/lib/samba/sysvol/
>
> Why does getent for administrator give group 100 (users) but sysvol's
> group is BUILTIN\administrators (gid 3000000)?
Because it has to be that way, Windows expects it.
>
> Should I change the group for "thisfile" to 3000000?
Absolutely not.
>
> Is this all OK?
Yes
Rowland
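
The mapping described in this reply can be read straight out of idmap.ldb. The following is an added example, not part of the original message or of Samba's code: it parses LDIF of the kind `ldbsearch -H /var/lib/samba/private/idmap.ldb` prints and reports which SIDs answer for a given Unix ID. The sample records are constructed, the domain SID is a placeholder, the record layout (cn, type, xidNumber) is assumed, and the function names are hypothetical.

```python
import re

# Constructed sample; S-1-5-21-1111111111-2222222222-3333333333 is a placeholder domain SID.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_LDIF = f"""\
# record 1 (Administrator, RID 500)
dn: CN={DOM}-500
cn: {DOM}-500
objectClass: sidMap
type: ID_TYPE_UID
xidNumber: 0

# record 2 (Domain Users, RID 513)
dn: CN={DOM}-513
cn: {DOM}-513
objectClass: sidMap
type: ID_TYPE_GID
xidNumber: 100

# record 3 (BUILTIN\\Administrators)
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
type: ID_TYPE_BOTH
xidNumber: 3000000
"""

def parse_idmap(ldif):
    """Return (sid, type, xid) for every sidMap record in the LDIF text."""
    records = []
    for block in re.split(r"\n\s*\n", ldif):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip comments and malformed lines
            key, value = line.split(": ", 1)
            attrs[key] = value.strip()
        if attrs.get("objectClass") == "sidMap" and "xidNumber" in attrs:
            records.append((attrs["cn"], attrs.get("type"), int(attrs["xidNumber"])))
    return records

def sids_for(records, xid, kind):
    """SIDs that resolve to Unix ID `xid` as a 'uid' or 'gid'; ID_TYPE_BOTH serves both."""
    want = {"uid": "ID_TYPE_UID", "gid": "ID_TYPE_GID"}[kind]
    return [sid for sid, typ, x in records if x == xid and typ in (want, "ID_TYPE_BOTH")]

if __name__ == "__main__":
    recs = parse_idmap(SAMPLE_LDIF)
    print("uid 0 ->", sids_for(recs, 0, "uid"))            # why ls shows root
    print("gid 3000000 ->", sids_for(recs, 3000000, "gid"))  # sysvol's group
```

Because uid 0 is shared by the local root account and the RID-500 Administrator, `ls` prints whichever name the system resolves first for 0, which is root.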