[Samba] Computer accounts belonging to groups, using winbind on file server

Jonathan Hunter jmhunter1 at gmail.com
Sun Sep 11 18:03:05 UTC 2016 

Hi All,

Some time ago I reluctantly moved DC functionality off my file server and
onto a separate machine, due to the well-known challenges using the same
machine as both a file server and a DC. This went mostly fine, with one
exception - I have one piece of functionality that worked before, but I
still don't have working now.

I use wpkg for software distribution, having all relevant computer accounts
be a member of a group (lets' call it sw-dist) and setting the ownership of
my /data/wpkg directory on the server appropriately so that all members of
that group (i.e. all relevant computer accounts) can access the files - see
below. I am using rfc2307 attributes to specify UIDs and GIDs where I can.

This worked just fine when the file server was also a DC (I was using sssd
at the time for user/group resolution on the machine) but I can't work out
how to get it working now.

Normal user accounts work fine, but if I try to get information on a
computer account, I can't:

[root at fileserver ~]# wbinfo -i "computer$"
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user computer$

This is probably explained by me not seeing the option to allocate a UNIX
UID / GID to a computer account in ADUC, of course - it shows me different
options instead and doesn't have the box to specify UID/GID etc.

Nothing shows up in 'net cache list' on the file server, either, for this
computer:

[root at fileserver ~]# net cache list | grep -i computer

The group itself can be resolved just fine, even though the computer
accounts can't - and it shows that the computer accounts are definitely
members of the group in question:

[root at fileserver ~]# wbinfo --group-info sw-dist
sw-dist:x:12345:computer$,computer2$,computer3$,computer4$

All of this inevitably leads to the key directories in question not being
accessible by the computers who need them. When the computer account
connects to the file server, its group memberships don't really seem to
work. I suspect that sssd had different behaviour to winbind in this regard.

Has anybody else successfully served out files to a computer account
belonging to a specific group, using samba and winbind? I don't really see
how I can practically have computer accounts as a member of a group if I'm
using winbind.

Cheers,

Jonathan


[root at fileserver ~]# getfacl /data/wpkg
getfacl: Removing leading '/' from absolute path names
# file: data/wpkg
# owner: root
# group: sw-dist
# flags: -s-
user::rwx
user:root:rwx
group::rwx
group:sw-dist:r-x
group:domain\040admins:rwx
group:3000075:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:group::rwx
default:group:sw-dist:r-x
default:group:domain\040admins:rwx
default:group:3000075:rwx
default:group:3000166:r-x
default:mask::rwx
default:other::rwx


--
"If we knew what it was we were doing, it would not be called research,
would it?"
      - Albert Einstein

More information about the samba mailing list