[Samba] Computer accounts belonging to groups, using winbind on file server

Rowland Penny rpenny at samba.org
Sun Sep 11 19:02:25 UTC 2016


On Sun, 11 Sep 2016 19:03:05 +0100
Jonathan Hunter via samba <samba at lists.samba.org> wrote:

> Hi All,
> 
> Some time ago I reluctantly moved DC functionality off my file server
> and onto a separate machine, due to the well-known challenges using
> the same machine as both a file server and a DC. This went mostly
> fine, with one exception - I have one piece of functionality that
> worked before, but I still don't have working now.
> 
> I use wpkg for software distribution, having all relevant computer
> accounts be a member of a group (let's call it sw-dist) and setting
> the ownership of my /data/wpkg directory on the server appropriately
> so that all members of that group (i.e. all relevant computer
> accounts) can access the files - see below. I am using rfc2307
> attributes to specify UIDs and GIDs where I can.
> 
> This worked just fine when the file server was also a DC (I was using
> sssd at the time for user/group resolution on the machine) but I
> can't work out how to get it working now.
> 
> Normal user accounts work fine, but if I try to get information on a
> computer account, I can't:
> 
> [root@fileserver ~]# wbinfo -i "computer$"
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user computer$
> 
> This is probably explained by me not seeing the option to allocate a
> UNIX UID / GID to a computer account in ADUC, of course - it shows me
> different options instead and doesn't have the box to specify UID/GID
> etc.
> 
> Nothing shows up in 'net cache list' on the file server, either, for
> this computer:
> 
> [root@fileserver ~]# net cache list | grep -i computer
> 
> The group itself can be resolved just fine, even though the computer
> accounts can't - and it shows that the computer accounts are
> definitely members of the group in question:
> 
> [root@fileserver ~]# wbinfo --group-info sw-dist
> sw-dist:x:12345:computer$,computer2$,computer3$,computer4$
> 
> All of this inevitably leads to the key directories in question not
> being accessible by the computers who need them. When the computer
> account connects to the file server, its group memberships don't
> really seem to work. I suspect that sssd had different behaviour to
> winbind in this regard.
> 
> Has anybody else successfully served out files to a computer account
> belonging to a specific group, using samba and winbind? I don't
> really see how I can practically have computer accounts as a member
> of a group if I'm using winbind.
> 
> Cheers,
> 
> Jonathan
> 
> 
> [root@fileserver ~]# getfacl /data/wpkg
> getfacl: Removing leading '/' from absolute path names
> # file: data/wpkg
> # owner: root
> # group: sw-dist
> # flags: -s-
> user::rwx
> user:root:rwx
> group::rwx
> group:sw-dist:r-x
> group:domain\040admins:rwx
> group:3000075:rwx
> mask::rwx
> other::r-x
> default:user::rwx
> default:user:root:rwx
> default:group::rwx
> default:group:sw-dist:r-x
> default:group:domain\040admins:rwx
> default:group:3000075:rwx
> default:group:3000166:r-x
> default:mask::rwx
> default:other::rwx
> 
> 
> --
> "If we knew what it was we were doing, it would not be called
> research, would it?"
>       - Albert Einstein

OK, never used a computer as a user, so I tried your command:

rowland@devstation:~/programming/samba/sadms/saddm-2.0.15$ wbinfo -i devstation\$
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user devstation$

I then thought, a computer's sAMAccountName is in uppercase, so I tried
that:

rowland@devstation:~/programming/samba/sadms/saddm-2.0.15$ wbinfo -i DEVSTATION\$
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user DEVSTATION$

So that didn't work. I added a uidNumber to devstation's AD object; that
didn't work, so I had a thought and then it came to me: computers have a
different primary GID to normal users, and if Domain Users doesn't have a
gidNumber, winbindd ignores the users. I added a gidNumber to Domain
Computers and:

rowland@devstation:~/programming/samba/sadms/saddm-2.0.15$ getent passwd DEVSTATION\$
devstation$:*:10009:10003:DEVSTATION:/home/SAMDOM/devstation_:/bin/false
rowland@devstation:~/programming/samba/sadms/saddm-2.0.15$ wbinfo -i DEVSTATION\$
devstation$:*:10009:10003:DEVSTATION:/home/SAMDOM/devstation_:/bin/false

Try it, I feel sure it will fix your problem.

Rowland
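The rule Rowland arrives at above, as an added example that is not part of the thread and not Samba's own code: a small Python model of what an rfc2307-style winbind lookup needs before an account gets a passwd entry, namely a uidNumber on the account itself and a gidNumber on the group named by its primaryGroupID (Domain Computers for computer accounts). The directory contents, UID/GID values and RIDs other than the well-known Domain Users (513) and Domain Computers (515) RIDs are constructed; the function names are this example's own, chosen to mirror `wbinfo -i` and `wbinfo --group-info`. It reproduces the situation in the thread: the group resolves and lists its computer members, while the members themselves do not resolve until the primary group gets a gidNumber.

```python
"""Model of rfc2307-based account resolution as used by winbind's AD idmap.

Constructed sample data only; no real directory is contacted.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Well-known RIDs of the default primary groups (real AD constants).
DOMAIN_USERS_RID = 513
DOMAIN_COMPUTERS_RID = 515


@dataclass
class AdObject:
    """Minimal stand-in for an AD user, computer or group object."""
    sam_account_name: str
    rid: int
    uid_number: Optional[int] = None          # rfc2307 uidNumber (users/computers)
    gid_number: Optional[int] = None          # rfc2307 gidNumber (groups)
    primary_group_rid: Optional[int] = None   # primaryGroupID (users/computers)
    member_of: List[str] = field(default_factory=list)  # group sAMAccountNames


Directory = Dict[str, AdObject]


def find(directory: Directory, name: str) -> Optional[AdObject]:
    """sAMAccountName matching is case-insensitive: 'devstation$' and
    'DEVSTATION$' name the same object (the thread tried both spellings)."""
    return directory.get(name.lower())


def primary_group(directory: Directory, obj: AdObject) -> Optional[AdObject]:
    return next((o for o in directory.values() if o.rid == obj.primary_group_rid), None)


def diagnose(directory: Directory, name: str) -> str:
    """Explain why an account would or would not get a passwd entry."""
    obj = find(directory, name)
    if obj is None:
        return "no such account"
    if obj.uid_number is None:
        return "missing uidNumber on account"
    pg = primary_group(directory, obj)
    if pg is None:
        return "primary group not found"
    if pg.gid_number is None:
        return f"missing gidNumber on primary group {pg.sam_account_name}"
    return "ok"


def getpwnam(directory: Directory, name: str) -> Optional[Tuple[str, int, int]]:
    """Mimic `wbinfo -i`: (name, uid, primary gid), or None where wbinfo
    would report WBC_ERR_DOMAIN_NOT_FOUND."""
    if diagnose(directory, name) != "ok":
        return None
    obj = find(directory, name)
    pg = primary_group(directory, obj)
    return (obj.sam_account_name, obj.uid_number, pg.gid_number)


def group_info(directory: Directory, name: str) -> Optional[Tuple[str, int, List[str]]]:
    """Mimic `wbinfo --group-info`: a group resolves from its own gidNumber and
    lists members by name even when those members cannot resolve themselves."""
    grp = find(directory, name)
    if grp is None or grp.gid_number is None:
        return None
    members = sorted(o.sam_account_name for o in directory.values()
                     if grp.sam_account_name.lower() in (m.lower() for m in o.member_of))
    return (grp.sam_account_name, grp.gid_number, members)


def build_directory(domain_computers_gid: Optional[int] = None) -> Directory:
    """Constructed directory: Domain Computers gets a gidNumber only if asked."""
    objs = [
        AdObject("Domain Users", DOMAIN_USERS_RID, gid_number=10000),
        AdObject("Domain Computers", DOMAIN_COMPUTERS_RID, gid_number=domain_computers_gid),
        AdObject("sw-dist", 1107, gid_number=12345),
        AdObject("jonathan", 1105, uid_number=10001, primary_group_rid=DOMAIN_USERS_RID),
        AdObject("computer$", 1110, uid_number=10009,
                 primary_group_rid=DOMAIN_COMPUTERS_RID, member_of=["sw-dist"]),
        AdObject("computer2$", 1111, uid_number=10010,
                 primary_group_rid=DOMAIN_COMPUTERS_RID, member_of=["sw-dist"]),
        # No uidNumber at all: what ADUC leaves you with when it offers no
        # UNIX-attributes tab for a computer object.
        AdObject("computer3$", 1112, primary_group_rid=DOMAIN_COMPUTERS_RID,
                 member_of=["sw-dist"]),
    ]
    return {o.sam_account_name.lower(): o for o in objs}


if __name__ == "__main__":
    for label, d in (("before", build_directory()), ("after", build_directory(10003))):
        print(label, getpwnam(d, "COMPUTER$"), diagnose(d, "computer$"))
        print(label, group_info(d, "sw-dist"))
```

The check this encodes is the one to run against a real DC: confirm the computer object carries a uidNumber and that the group its primaryGroupID points at (Domain Computers, RID 515, unless it has been changed) carries a gidNumber; after changing either attribute, clear winbind's cache (`net cache flush`) before re-running `wbinfo -i`, since a negative lookup may otherwise be served from cache.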
