[Samba] samba 4 ad member - idmap = ad for machine accounts

Rowland Penny rpenny at samba.org
Mon Nov 20 20:55:51 UTC 2017


On Mon, 20 Nov 2017 13:27:18 -0700 (MST)
tomict via samba <samba at lists.samba.org> wrote:

> Samba - General mailing list wrote
> > On Mon, 20 Nov 2017 10:43:58 -0700 (MST)
> > tomict via samba <samba at lists.samba.org> wrote:
> > On Unix there are users, groups and computers, whilst on
> > Windows there are users, groups and special users that are also
> > computers ;-)
> > 
> > You posted that you have added uidNumber and gidNumber attributes to
> > the users and groups, did this include 'Domain Computers' ?
> 
> Yes, "Domain Computers" and other groups as well, have a GID (Group
> ID, 10003 in my case)
> 
> 
> Samba - General mailing list wrote
> > For the Unix OS to know about the users, it asks winbind (via NSS)
> > and winbind (when using the 'ad' backend) will return data for
> > users that have a uidNumber AND their primary group has a
> > gidNumber. For the normal users this is Domain Users, but for
> > computers, it is Domain Computers.
> > 
> > If 'getent passwd PC050$' doesn't return anything, then you need to
> > find out why.
> 
> indeed, getent passwd PC050$ does not return anything. 
> In the ADUC attribute editor it shows
> sAMAccountType :  805306369 = ( MACHINE_ACCOUNT)
> primaryGroupID :  515 = ( GROUP_RID_COMPUTERS )
> gidNumber : not set
> I understand from your question that computer network accounts should
> be visible in the list of user accounts (getent passwd) and that
> computer accounts must have a GID in order to 'show up'. However, I
> have no computers showing up. Can I set that somewhere? I tried
> setting the attributes 'uid', 'gid' and 'gidNumber' with the ADUC
> attribute editor but that did not result in the computer showing up
> in 'getent passwd'
> 
> 'getent group' does list all the groups that have a GID set, including
> "Domain Computers"
> 
> Tom

The way you have set smb.conf, PC050$ doesn't need a gidNumber, but it
does need a uidNumber, so check for one, run this on the Samba DC:

ldbsearch -H /usr/local/samba/private/sam.ldb -b
'DC=samdom,DC=example,DC=com' -s sub
'(&(objectclass=computer)(samaccountname=pc050$))' uidNumber |
grep 'uidNumber:' | awk '{print $NF}'

Replace '/usr/local/samba/private/sam.ldb' with the path to your
'sam.ldb'

Replace 'DC=samdom,DC=example,DC=com' with your suffix

It should produce a number

Check if Domain Computers has a gidNumber:

ldbsearch -H /usr/local/samba/private/sam.ldb -b 'DC=samdom,DC=example,DC=com' -s sub '(&(objectclass=group)(samaccountname=domain computers))' gidNumber | grep 'gidNumber:' | awk '{print $NF}'

This again should return a number

If both return a number, try running 'net cache flush' on the Unix
domain member.

Rowland
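As an added example (not code from this thread or from Samba itself), the script below encodes the rule Rowland describes: with the 'ad' idmap backend, winbind only returns a passwd entry for an account that has a uidNumber and whose primary group (primaryGroupID, 515 being Domain Computers for machine accounts) has a gidNumber. It parses LDIF of the kind the two ldbsearch commands above print and reports which attribute is missing. The LDIF records, SIDs and ID numbers embedded in it are constructed sample data, not output from any real domain; the function and variable names are my own.

```python
"""Check whether winbind's 'ad' idmap backend can map an AD account.

Rule from the thread: the account needs a uidNumber AND its primary group
needs a gidNumber.  Input is LDIF as printed by ldbsearch (which shows
objectSid as an S-1-5-... string).  All sample data below is constructed.
"""
import base64

# Well-known primary group RIDs (documented Microsoft values).
RID_DOMAIN_USERS = 513
RID_DOMAIN_COMPUTERS = 515


def parse_ldif(text):
    """Parse LDIF into a list of {attr_lowercase: [values]} dicts.

    Handles folded continuation lines (leading space), base64 values
    ('attr:: ...') and the '# returned N records' comment trailer.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of previous line
        else:
            unfolded.append(line)

    entries, current = [], {}
    for line in unfolded:
        if not line.strip():                  # blank line ends a record
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):              # ldbsearch comment lines
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def first(entry, attr):
    """First value of an attribute (LDAP attribute names are case-insensitive)."""
    values = entry.get(attr.lower())
    return values[0] if values else None


def check_ad_mapping(account_ldif, groups_ldif):
    """Return (ok, reasons): ok is True when winbind 'ad' can map the account.

    account_ldif: ldbsearch output for the user or computer object.
    groups_ldif:  ldbsearch output for candidate groups; the primary group is
                  the one whose objectSid ends in '-<primaryGroupID>'.
    """
    accounts = parse_ldif(account_ldif)
    if not accounts:
        return False, ["account not found"]
    acct = accounts[0]
    name = first(acct, "sAMAccountName")
    reasons = []

    if first(acct, "uidNumber") is None:
        reasons.append(f"{name}: no uidNumber, so 'getent passwd' will not list it")

    pgid = first(acct, "primaryGroupID")
    group = None
    for g in parse_ldif(groups_ldif):
        sid = first(g, "objectSid") or ""
        if pgid and sid.rsplit("-", 1)[-1] == pgid:
            group = g
            break
    if group is None:
        reasons.append(f"{name}: primary group with RID {pgid} not found")
    elif first(group, "gidNumber") is None:
        reasons.append(f"{name}: primary group {first(group, 'sAMAccountName')} has no gidNumber")
    return not reasons, reasons


# Constructed sample: a machine account that does carry a uidNumber.
SAMPLE_COMPUTER = """\
# record 1
dn: CN=PC050,CN=Computers,DC=samdom,DC=example,DC=com
sAMAccountName: PC050$
sAMAccountType: 805306369
primaryGroupID: 515
uidNumber: 3000050

# returned 1 records
"""

# Constructed sample: the poster's situation, no uidNumber on the computer.
SAMPLE_COMPUTER_NO_UID = SAMPLE_COMPUTER.replace("uidNumber: 3000050\n", "")

# Constructed sample groups; the SID domain part is made up.
SAMPLE_GROUPS = """\
dn: CN=Domain Computers,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Domain Computers
objectSid: S-1-5-21-111111111-222222222-333333333-515
gidNumber: 10003

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Domain Users
objectSid: S-1-5-21-111111111-222222222-333333333-513
gidNumber: 10000
"""

if __name__ == "__main__":
    for sample in (SAMPLE_COMPUTER, SAMPLE_COMPUTER_NO_UID):
        ok, reasons = check_ad_mapping(sample, SAMPLE_GROUPS)
        print("mappable" if ok else "NOT mappable", reasons)
```

In practice you would feed the script the output of the two ldbsearch commands above (dropping the grep/awk tail so the full LDIF is kept). Matching the primary group by the trailing RID of objectSid rather than by name avoids the trap of a renamed or localized "Domain Computers" group.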


