[Samba] samba 4 ad member - idmap = ad for machine accounts [SOLVED]
tomict
samba at iucn.nl
Mon Nov 20 23:12:32 UTC 2017
Well! That does the trick. Thank you VERY much Rowland!
Samba - General mailing list wrote
> The way you have set smb.conf, PC050$ doesn't need a gidNumber, but it
> does need a uidNumber, so check for one, run this on the Samba DC:
>
> ldbsearch -H /usr/local/samba/private/sam.ldb -b
> 'DC=samdom,DC=example,DC=com' -s sub
> '(&(objectclass=computer)(samaccountname=pc050$))' uidNumber |
> grep 'uidNumber:' | awk '{print $NF}'
>
> Replace '/usr/local/samba/private/sam.ldb' with the path to your
> 'sam.ldb'
>
> Replace 'DC=samdom,DC=example,DC=com' with your suffix
>
> It should produce a number
>
> Check if Domain Computers has a gidNumber:
>
> ldbsearch -H /usr/local/samba/private/sam.ldb -b
> 'DC=samdom,DC=example,DC=com' -s sub
> '(&(objectclass=group)(samaccountname=domain computers))' gidNumber | grep
> 'gidNumber:' | awk '{print $NF}'
>
> This again should return a number
>
> If both return a number, try running 'net cache flush' on the Unix
> domain member.
Editing with the CLI or with the ADUC attribute editor, all that is needed
is a uidNumber value for the machine account.
With a uidNumber, the error 'invalid on this system' is gone. Adding the
group "domain computers" to the permissions makes the shares accessible to
the machine accounts.
getent passwd PC050$ or wbinfo -i PC050$ shows details for the
machine account.
getent passwd (without a name) does NOT show the machine account in the
listing.
Pity that the ADUC Unix tab does not add uidNumbers for computers.
Now all I have to do is somehow add a uidNumber to new machines when they
are joined to the domain.
Thanks again!
Tom
--
Sent from: http://samba.2283325.n4.nabble.com/Samba-General-f2403709.html
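As an added example (not code from the thread or from Samba), a Python sketch of the follow-up Tom describes: parse the LDIF that ldbsearch prints for computer objects, allocate a uidNumber to each machine account that lacks one, and emit the LDIF to feed to ldbmodify. The sample ldbsearch output, the base of 10000 and the ldbmodify step are assumptions; on a real DC the `used` set should also include user uidNumbers so the allocation cannot collide with them.

```python
import re

# Constructed sample of `ldbsearch ... '(objectclass=computer)' sAMAccountName uidNumber`
# output: PC050 already has a uidNumber (as fixed in the thread), PC051 does not.
SAMPLE_LDIF = """\
# record 1
dn: CN=PC050,CN=Computers,DC=samdom,DC=example,DC=com
sAMAccountName: PC050$
uidNumber: 10050

# record 2
dn: CN=PC051,CN=Computers,DC=samdom,DC=example,DC=com
sAMAccountName: PC051$

# returned 2 records
"""

def parse_ldif(text):
    """Split ldbsearch LDIF output into dicts of attributes, one per dn."""
    records = []
    for block in re.split(r"\n\s*\n", text):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue          # comments and the trailing record count
            key, _, val = line.partition(":")
            attrs[key.strip()] = val.strip()
        if "dn" in attrs:
            records.append(attrs)
    return records

def allocate_uids(records, base=10000):
    """Map sAMAccountName -> new uidNumber for computers lacking one (no reuse)."""
    used = {int(r["uidNumber"]) for r in records if "uidNumber" in r}
    next_uid = max(used | {base - 1}) + 1      # assumed range starts at `base`
    allocation = {}
    for r in sorted(records, key=lambda r: r.get("sAMAccountName", "")):
        if "uidNumber" in r:
            continue
        while next_uid in used:
            next_uid += 1
        allocation[r["sAMAccountName"]] = next_uid
        used.add(next_uid)
        next_uid += 1
    return allocation

def build_ldif(records, allocation):
    """LDIF for `ldbmodify -H sam.ldb file.ldif` adding each allocated uidNumber."""
    dn_of = {r["sAMAccountName"]: r["dn"] for r in records}
    return "\n".join(
        f"dn: {dn_of[name]}\nchangetype: modify\nadd: uidNumber\nuidNumber: {uid}\n"
        for name, uid in allocation.items())
```

Run the allocation on the LDIF, review the output, then apply it on the DC with ldbmodify; the same script can be re-run after each domain join.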