Re: [Samba] Should the group "Domain Admins" have a gidNumber or not?

On Sat, 19 Jan 2019 20:10:47 +0100
Viktor Trojanovic via samba <samba@xxxxxxxxxxxxxxx> wrote:

> I'd like to verify some information on the wiki as I am under the
> impression that information provided on this list contradicts it. I
> might be wrong, of course.
> On the page "Setting up a share using Windows ACL's", a new folder is
> created and then an example is given how the permissions could be
> changed by issuing the following command:
> chown root:"Domain Admins" /srv/samba/demo

Yes, that's what it shows.

> My member server uses the ad ID mapping backend. So, if I understand
> correctly, for any Linux command to recognize an AD group, the group
> needs to have the attributes "gidNumber" and "msSFUNisDomain" set.

It really only needs the 'gidNumber' attribute.

> However, if I remember information provided on this list correctly,
> it is not recommended to set uidNumber for Administrator, nor
> gidNumber for the Domain Admins group.

No, you shouldn't give Administrator a uidNumber; it turns it into a
normal Unix user. You should map Administrator to the Unix user 'root'.

The problem with giving 'Domain Admins' a gidNumber is that it turns
it into a group. You might think that sounds strange, surely 'Domain
Admins' is a group, so what does it matter? It doesn't, EXCEPT on a
Samba AD DC, where 'Domain Admins' is both a user and group. It is like
this so that it can 'own' folders & files in sysvol and it cannot do
this if it is just a group.

My suggestion is to create a new group (I use 'Unix Admins') and add
this group to 'Administrators', then use this group instead of 'Domain
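
An added example, not part of the original reply: a small Python audit that reads an LDIF export of AD accounts and flags the two conditions the reply warns about, a uidNumber on Administrator and a gidNumber on 'Domain Admins'. The sample LDIF, its DNs and its ID values are constructed for illustration.

```python
import base64

# Accounts the reply says should not carry these RFC2307 attributes.
MUST_NOT_HAVE = {"administrator": "uidnumber", "domain admins": "gidnumber"}

# Constructed sample in ldapsearch-style LDIF (second dn is a folded line).
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Administrator
uidNumber: 10000

dn: CN=Domain Admins,CN=Users,DC=samdom,
 DC=example,DC=com
sAMAccountName: Domain Admins
gidNumber: 10001

dn: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Unix Admins
gidNumber: 10002
"""

def parse_ldif(text):
    """Return one dict per entry; handles folded lines and base64 values."""
    entries = []
    for block in text.replace("\r\n", "\n").split("\n\n"):
        lines = []
        for line in block.split("\n"):
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]          # continuation of previous line
            elif line and not line.startswith("#"):
                lines.append(line)
        entry = {}
        for line in lines:
            attr, sep, value = line.partition(":")
            if sep and value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            if sep:
                entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def audit(text):
    """Return (account, attribute, value) for each attribute that should be absent."""
    findings = []
    for entry in parse_ldif(text):
        name = entry.get("samaccountname", [""])[0]
        attr = MUST_NOT_HAVE.get(name.lower())
        if attr and attr in entry:
            findings.append((name, attr, entry[attr][0]))
    return findings
```

A separate admin group such as the 'Unix Admins' entry in the sample is not flagged, since giving that group a gidNumber is the arrangement the reply suggests.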

