[Samba] Computer accounts belonging to groups, using winbind on file server
rpenny at samba.org
Sun Sep 11 20:31:59 UTC 2016
On Sun, 11 Sep 2016 20:18:28 +0100
Jonathan Hunter <jmhunter1 at gmail.com> wrote:
> Thank you Rowland, I like your thinking - made sense to me.
> I had already allocated a GID to Domain Computers:
> [root at fileserver ~]# getent group Domain\ Computers
> domain computers:x:12345:
> however I just now tried adding a uidNumber attribute to one of my
> computer objects using ADSIEdit and hey presto, that computer now
> appears in 'getent passwd'!
> I wonder if there is some fix that could be made on the samba side - I
> don't know exactly how if I'm honest.. but for every domain computer
> I will now have to:
> - manually add a uidNumber attribute
> - manually reset the AD attribute containing the max uidNumber
> allocated, so that ADUC doesn't duplicate UIDs
It is possible, probably just a case of adding a switch to samba-tool
user nisadd (but then that will require my 'nisadd' patch to be
accepted) to add NIS attributes to a computer account.
The only problem is updating the mssfu30max* attributes, the rest
of the Samba team don't seem to want this to be done with Samba tools.
I can see and understand their reasons why.
> That'll work - and I'm happy to do that in my case as it will work
> around the issue (thank you!!) but it doesn't seem to be the best
> replacement for the MS behaviour of just adding a computer object to
> a group, and that's it :) But at the moment I can't think of what we
> might be able to do better?
The problem is you need to do both, except for groups like 'Domain
Users' & 'Domain Computers'. If you check both of these groups in AD,
you will find that neither appears to have any members, but every user
is a member of 'Domain Users' and every computer is a member of 'Domain
So from windows, you can see them, but to make them visible to Unix, you
need to add uidNumber & gidNumber attributes to them.