[Samba] machine accounts question

mourik jan c heupink heupink at merit.unu.edu
Mon Oct 12 17:40:15 UTC 2015


Hi,

On our sernet-samba 4.2.4 AD-style we see that for some (newer) machine 
accounts, they do not have a gidNumber and uidNumber.

Users logging on to those machines experience no problems, but in those 
systems' event log we see during boot:

This computer was not able to set up a secure session with a domain 
controller in domain OURDOMAIN due to the following:
There are currently no logon servers available to service the logon request.

Also: we see that using the machine account to access our fileservers 
does not work (our GPO shutdown scripts do this). Can be visualised like 
this:

- psexec -i -s cmd.exe
(this will open a new cmd window, supposedly running under the system's 
machine account, in which we type:)
- net use f: \\files.samba.domain.com\ninite

On regular systems, that drive mapping will work, without asking for 
credentials, because it will use the machine account credentials. On 
not-working machines (without gidNumber and uidNumber) we get a 
username/password request: Enter the user name for 'files'

The machines were added to our AD, using the regular windows 
workstation, system properties, computer name, add to domain. The join 
succeeds, and users can log on, drives are mapped, etc., etc.

So, the questions are:
- Do you experts agree with our reasoning above?
- Do machine accounts need a gidNumber / uidNumber?
And of course:
- Why do our latest batch of machines suddenly not have a gidNumber / 
uidNumber anymore?

In ADUC there is a unix attributes tab for User accounts where I can set 
a uid. But computer accounts have a different kind of Unix tab, where I 
cannot set a uid.

What to do?

Thanks in advance,
MJ


