Viktor Trojanovic
2019-Jan-19 19:10 UTC
[Samba] Should the group "Domain Admins" have a gidNumber or not?
I'd like to verify some information on the wiki as I am under the impression that information provided on this list contradicts it. I might be wrong, of course.

On the page "Setting up a share using Windows ACL's", a new folder is created and then an example is given of how the permissions could be changed by issuing the following command:

chown root:"Domain Admins" /srv/samba/demo

My member server uses the ad ID mapping backend. So, if I understand correctly, for any Linux command to recognize an AD group, the group needs to have the attributes "gidNumber" and "msSFUNisDomain" set.

However, if I remember information provided on this list correctly, it is not recommended to set uidNumber for Administrator, nor gidNumber for the Domain Admins group. But if it's not set, the chown command fails.

Running chown root:"domain users" works because "domain users" has a gidNumber. Running chown root:"domain admins" fails, however.

So, how should I best proceed?

Thanks,
Viktor
Rowland Penny
2019-Jan-19 19:31 UTC
[Samba] Should the group "Domain Admins" have a gidNumber or not?
On Sat, 19 Jan 2019 20:10:47 +0100
Viktor Trojanovic via samba <samba at lists.samba.org> wrote:

> I'd like to verify some information on the wiki as I am under the
> impression that information provided on this list contradicts it. I
> might be wrong, of course.
>
> On the page "Setting up a share using Windows ACL's", a new folder is
> created and then an example is given of how the permissions could be
> changed by issuing the following command:
>
> chown root:"Domain Admins" /srv/samba/demo

Yes, that's what it shows.

> My member server uses the ad ID mapping backend. So, if I understand
> correctly, for any Linux command to recognize an AD group, the group
> needs to have the attributes "gidNumber" and "msSFUNisDomain" set.

It really only needs the 'gidNumber' attribute.

> However, if I remember information provided on this list correctly,
> it is not recommended to set uidNumber for Administrator, nor
> gidNumber for the Domain Admins group.

No, you shouldn't give Administrator a uidNumber; it turns it into a normal Unix user. You should map Administrator to the Unix user 'root'.

The problem with giving 'Domain Admins' a gidNumber is that it turns it into a group. You might think that sounds strange: surely 'Domain Admins' is a group, so what does it matter? It doesn't, EXCEPT on a Samba AD DC, where 'Domain Admins' is both a user and a group. It is like this so that it can 'own' folders & files in sysvol, and it cannot do this if it is just a group.

My suggestion is to create a new group (I use 'Unix Admins') and add this group to 'Administrators', then use this group instead of 'Domain Admins'.

Rowland
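The advice in the reply, turned into a shell procedure as an added example; this is not code from either post, from the wiki page, or from the Samba project. The group name 'Unix Admins' and the path /srv/samba/demo come from the thread; the gidNumber 10001 and the NIS domain "samdom" are assumptions, as is the idea of checking with getent(1) before running chown, since with the ad idmap backend a group without a gidNumber never reaches NSS and chown rejects its name.

```bash
#!/usr/bin/env bash
# Added example, not from the list posts. Assumptions (not in the thread):
# the DC's NIS domain is "samdom", the new group is "Unix Admins" with
# gidNumber 10001, and the share path is /srv/samba/demo.
set -euo pipefail

# Parse one getent(1) group line, "name:x:gid:member,member", and print
# the gid. Fails when the line is empty or the gid field is not numeric.
gid_from_getent_line() {
    local line="$1" gid
    gid=$(printf '%s' "$line" | cut -d: -f3)
    case "$gid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$gid"
}

# With the "ad" idmap backend, winbind only hands groups that carry a
# gidNumber to the NSS layer. chown(1) can only use names that getent
# resolves, so this is the check to run before the chown from the wiki.
group_is_resolvable() {
    local name="$1" line
    line=$(getent group "$name" 2>/dev/null || true)
    gid_from_getent_line "$line" >/dev/null
}

# DC side: create the RFC2307-enabled group and nest it in Administrators,
# following the 'Unix Admins' suggestion from the reply. samba-tool refuses
# --gid-number without --nis-domain, hence both options. Run as root on
# the DC (or add -U Administrator when running remotely).
create_unix_admins() {
    local group="${1:-Unix Admins}" gid="${2:-10001}" nis_domain="${3:-samdom}"
    samba-tool group add "$group" --gid-number="$gid" --nis-domain="$nis_domain"
    samba-tool group addmembers Administrators "$group"
}

# Member-server side: refuse the chown up front when the group cannot be
# resolved, instead of letting chown fail with "invalid group". If the
# group was created moments ago, "net cache flush" clears a stale
# winbind negative cache entry.
take_ownership() {
    local path="$1" group="${2:-Unix Admins}"
    if ! group_is_resolvable "$group"; then
        printf "'%s' does not resolve (no gidNumber?); not running chown\n" "$group" >&2
        return 1
    fi
    chown root:"$group" "$path"
    ls -ld "$path"
}

# Usage (first on the DC, then on the member server):
#   create_unix_admins 'Unix Admins' 10001 samdom
#   take_ownership /srv/samba/demo 'Unix Admins'
```

Running take_ownership with 'Domain Admins' on a member server whose DC has not given that group a gidNumber fails the resolvability check before chown is called, which is the failure the original question describes; with 'Unix Admins' created as above, getent returns a line carrying 10001 and the chown proceeds.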