[Samba] machine accounts question
mourik jan c heupink
heupink at merit.unu.edu
Mon Oct 12 17:40:15 UTC 2015
Hi,
On our sernet-samba 4.2.4 AD-style setup we see that some (newer) machine
accounts do not have a gidNumber and uidNumber.
Users logging on to those machines experience no problems, but in those
systems' event log we see during boot:
This computer was not able to set up a secure session with a domain
controller in domain OURDOMAIN due to the following:
There are currently no logon servers available to service the logon request.
Also: we see that using the machine account to access our fileservers
does not work (our GPO shutdown scripts do this). Can be visualised like
this:
- psexec -i -s cmd.exe
(this will open a new cmd window, supposedly running under the system's
machine account, in which we type:)
- net use f: \\files.samba.domain.com\ninite
On regular systems, that drive mapping will work, without asking for
credentials, because it will use the machine account credentials. On
not-working machines (without gidNumber and uidNumber) we get a
username/password request: Enter the user name for 'files'
The machines were added to our AD using the regular Windows
workstation, system properties, computer name, add to domain. The join
succeeds, and users can log on, drives are mapped, etc, etc.
So, the questions are:
- Do you experts agree with our reasoning above?
- Do machine accounts need a gidNumber / uidNumber?
And of course:
- Why does our latest batch of machines suddenly not have a gidNumber /
uidNumber anymore?
In ADUC there is a unix attributes tab for User accounts where I can set
a uid. But computer accounts have a different kind of Unix tab, where I
cannot set a uid.
What to do?
Thanks in advance,
MJ
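
An added example, not part of the original post: one way to list which computer accounts lack the uidNumber / gidNumber attributes the post describes, given LDIF output from an LDAP search for computer objects. The sample records, DNs and the function names `parse_ldif` and `missing_posix_ids` are constructed for illustration.

```python
import base64
# Constructed sample: LDIF as returned by a search for (objectClass=computer)
# requesting sAMAccountName, uidNumber and gidNumber. Not data from the post.
SAMPLE_LDIF = """\
# record 1
dn: CN=PC-OLD01,CN=Computers,DC=example,DC=com
sAMAccountName: PC-OLD01$
uidNumber: 10021
gidNumber: 10515

dn: CN=PC-NEW07,CN=Computers,DC=example,DC=com
sAMAccountName: PC-NEW07$

dn: CN=PC-NEW08,OU=A very long organisational unit name,
 DC=example,DC=com
sAMAccountName:: UEMtTkVXMDgk
gidNumber: 10515
"""

def parse_ldif(text):
    """Return one {lowercased attribute: [values]} dict per LDIF record."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last record
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            current.setdefault(name.lower(), []).append(value.strip())
        elif not line.strip() and current:  # blank line ends a record
            records.append(current)
            current = {}
    return records

def missing_posix_ids(records, wanted=("uidnumber", "gidnumber")):
    """Map each account name to the wanted attributes it does not carry."""
    report = {}
    for rec in records:
        absent = [a for a in wanted if a not in rec]
        if absent:
            report[rec.get("samaccountname", rec.get("dn", ["?"]))[0]] = absent
    return report

if __name__ == "__main__":
    print(missing_posix_ids(parse_ldif(SAMPLE_LDIF)))
```

Comparing the resulting list with the machines that log the secure-session error shows whether the two sets actually coincide.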