[Samba] samba 4 ad member - idmap = ad for machine accounts

Rowland Penny rpenny at samba.org
Mon Nov 20 18:57:39 UTC 2017


On Mon, 20 Nov 2017 10:43:58 -0700 (MST)
tomict via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> Thanks for the quick reply. 
> 
> I read the links you suggested when I set up my domain member
> configuration. Followed the links as closely as I could. Just read
> them again. Did you mean to point me at some part I missed in order
> to get the machine network accounts to be able to access the shares?
> Which part?
> 
> I removed the 'winbind' lines and 'username map' lines. They are
> traces of my efforts to get things working. (still getting 'username
> xxxx invalid on this system' for the machine network accounts)
> 
> About the SYSTEM account: My understanding is that it is not causing
> the 'access denied' on the domain member (FS1). I just put it in the
> properties->security tab because the answer I quoted suggested it. I
> saw no follow up on the answer I quoted. Should I expect it to work
> at all in my setup?
> 
> regards,
> Tom

I think the problem here is that you are trying to use a machine
account. On Unix there are users, groups and computers, whilst on
Windows there are users, groups and special users that are also
computers ;-)

You posted that you have added uidNumber and gidNumber attributes to
the users and groups; did this include 'Domain Computers'?

For the Unix OS to know about the users, it asks winbind (via NSS) and
winbind (when using the 'ad' backend) will return data for users that
have a uidNumber AND their primary group has a gidNumber. For the
normal users this is Domain Users, but for computers, it is Domain
Computers.

If 'getent passwd PC050$' doesn't return anything, then you need to
find out why.

Rowland
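
An added illustration of the rule described in the reply above, not part of the original message and not Samba code: it models which accounts would get a passwd entry when the 'ad' backend needs a uidNumber on the account and a gidNumber on its primary group. The domain SID, the ID numbers and the user 'alice' are constructed sample data; 513 and 515 are the well-known RIDs of Domain Users and Domain Computers.

```python
# Added example: models the lookup rule from the reply above on constructed data.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

ENTRIES = [  # constructed entries using AD / RFC2307 attribute names
    {"objectClass": "group", "sAMAccountName": "Domain Users",
     "objectSid": DOMAIN_SID + "-513", "gidNumber": "10000"},
    {"objectClass": "group", "sAMAccountName": "Domain Computers",
     "objectSid": DOMAIN_SID + "-515"},  # gidNumber deliberately missing
    {"objectClass": "user", "sAMAccountName": "alice",
     "objectSid": DOMAIN_SID + "-1105", "primaryGroupID": "513",
     "uidNumber": "10001"},
    {"objectClass": "computer", "sAMAccountName": "PC050$",
     "objectSid": DOMAIN_SID + "-1120", "primaryGroupID": "515",
     "uidNumber": "10050"},
]


def rid(sid):
    """Return the last sub-authority (RID) of a SID string."""
    return sid.rsplit("-", 1)[1]


def check_account(name, entries):
    """Return (resolvable, reason) for one account under the rule in the reply."""
    accounts = {e["sAMAccountName"].lower(): e
                for e in entries if e["objectClass"] != "group"}
    # primaryGroupID holds the RID of the primary group in the same domain.
    groups = {rid(e["objectSid"]): e
              for e in entries if e["objectClass"] == "group"}
    acct = accounts.get(name.lower())
    if acct is None:
        return False, "account not found"
    if "uidNumber" not in acct:
        return False, "account has no uidNumber"
    group = groups.get(acct.get("primaryGroupID"))
    if group is None:
        return False, "primary group not found"
    if "gidNumber" not in group:
        return False, "primary group '%s' has no gidNumber" % group["sAMAccountName"]
    return True, "uid=%s gid=%s" % (acct["uidNumber"], group["gidNumber"])


if __name__ == "__main__":
    for account in ("alice", "PC050$"):
        ok, reason = check_account(account, ENTRIES)
        print("%-8s %s (%s)" % (account, "resolves" if ok else "no passwd entry", reason))
```

On the sample data the machine account fails only because Domain Computers has no gidNumber, even though PC050$ itself has a uidNumber.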




