[Samba] Computer accounts belonging to groups, using winbind on file server

[Rowland Penny]

On Sun, 11 Sep 2016 20:18:28 +0100
Jonathan Hunter <jmhunter1 at gmail.com> wrote:

> Thank you Rowland, I like your thinking - made sense to me.
> 
> I had already allocated a GID to Domain Computers:
> 
> [root at fileserver ~]# getent group Domain\ Computers
> domain computers:x:12345:
> 
> however I just now tried adding a uidNumber attribute to one of my
> computer objects using ADSIEdit and hey presto, that computer now
> appears in 'getent passwd'!
> 
> I wonder if there is some fix that could be made on the samba side - I
> don't know exactly how if I'm honest.. but for every domain computer
> I will now have to:
> - manually add a uidNumber attribute
> - manually reset the AD attribute containing the max uidNumber
> allocated, so that ADUC doesn't duplicate UIDs

It is possible, probably just a case of adding a switch to samba-tool
user nisadd ( but then that will require my 'nisadd' patch to be
accepted) to add NIS attributes to a computer account.
The only only problem is updating the mssfu30max* attributes, the rest
of the Samba team don't seem to want this to be done with Samba tools.
I can see and understand their reasons why.

> 
> That'll work - and I'm happy to do that in my case as it will work
> around the issue (thank you!!) but it doesn't seem to be the best
> replacement for the MS behaviour of just adding a computer object to
> a group, and that's it :) But at the moment I can't think of what we
> might be able to do better?

The problem is you need to do both, except for groups like 'Domain
Users' & 'Domain Computers'. If you check both of these groups in AD,
you will find that neither appears to have any members, but every user
is a member of 'Domain Users' and every computer is a member of 'Domain
Computers'.
So from windows, you can see them, but to make them visible to Unix, you
need to add uidNumber & gidNumber attributes to them.

Rowland