[Samba] samba 4 ad member - idmap = ad for machine accounts [SOLVED]

Allen Chen achen at harbourfrontcentre.com
Tue Nov 21 16:38:53 UTC 2017


Hi there,

I am looking for the same solution in my environment. I have a question:
Do you need to manually set up a password for the machine account PC050$?

Thanks - Allen

On 11/20/2017 6:12 PM, tomict via samba wrote:
> Well! That does the trick. Thank you VERY much Rowland!
>
>
> Samba - General mailing list wrote
>> The way you have set smb.conf, PC050$ doesn't need a gidNumber, but it
>> does need a uidNumber, so check for one, run this on the Samba DC:
>>
>> ldbsearch -H /usr/local/samba/private/sam.ldb -b
>> 'DC=samdom,DC=example,DC=com' -s sub
>> '(&(objectclass=computer)(samaccountname=pc050$))' uidNumber |
>> grep 'uidNumber:' | awk '{print $NF}'
>>
>> Replace '/usr/local/samba/private/sam.ldb' with the path to your
>> 'sam.ldb'
>>
>> Replace 'DC=samdom,DC=example,DC=com' with your suffix
>>
>> It should produce a number
>>
>> Check if Domain Computers has a gidNumber:
>>
>> ldbsearch -H /usr/local/samba/private/sam.ldb -b
>> 'DC=samdom,DC=example,DC=com' -s sub
>> '(&(objectclass=group)(samaccountname=domain computers))' gidNumber | grep
>> 'gidNumber:' | awk '{print $NF}'
>>
>> This again should return a number
>>
>> If both return a number, try running 'net cache flush' on the Unix
>> domain member.
> Editing with the cli or with the ADUC attribute editor, all that is needed
> is a uidNumber value for the machine account.
>
> With a uidNumber, the error 'invalid on this system' is gone. Adding the
> group "domain computers" to the permissions makes the shares accessible to
> the machine accounts
>
> getent passwd PC050$    or   wbinfo -i  PC050$  shows details for the
> machine account
> getent passwd (without a name) does NOT show the machine account in the
> listing.
>
> Pity that the ADUC Unix tab does not add uidNumbers for computers.
> Now all I have to do is somehow add a uidNumber to new machines when they
> are joined to the domain.
>
> thanks again!
>
> Tom
>
>
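Rowland's check for a missing uidNumber and Tom's remaining task (giving newly joined machines a uidNumber) can be scripted around the same ldbsearch output. The following Python is an added example, not code from this thread or from the Samba project: it parses the LDIF-style output of ldbsearch over computer objects (a constructed sample here, not real directory data), lists machine accounts that lack a uidNumber, allocates ids from an assumed idmap range of 10000-19999 above the highest id already in use, and emits a changetype: modify LDIF that can be reviewed and then applied with ldbmodify against sam.ldb. The function names, the sample records and the range are assumptions of this example.

```python
import base64
import re

# Constructed sample of ldbsearch output for
#   '(objectclass=computer)' sAMAccountName uidNumber
# LDIF-style records separated by blank lines. Not real directory data.
SAMPLE_LDBSEARCH_OUTPUT = """\
# record 1
dn: CN=PC050,CN=Computers,DC=samdom,DC=example,DC=com
sAMAccountName: PC050$
uidNumber: 10050

# record 2
dn: CN=PC051,CN=Computers,DC=samdom,DC=example,DC=com
sAMAccountName: PC051$

# record 3
dn: CN=PC052,CN=Computers,DC=samdom,DC=example,DC=com
sAMAccountName: PC052$
uidNumber: 10051

# returned 3 records
# 3 entries
# 0 referrals
"""

# Assumed 'idmap config SAMDOM : range = 10000-19999' on the domain member.
# A uidNumber outside this range is ignored by idmap = ad, so we never
# allocate outside it.
UID_RANGE = (10000, 19999)

# 'attr: value' or 'attr:: base64value' as printed by ldbsearch
_ATTR_LINE = re.compile(r'^([\w-]+)(::?) ?(.*)$')


def parse_ldbsearch(text):
    """Parse LDIF-style ldbsearch output into a list of {attr: [values]} dicts."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith('#'):          # '# record N', '# returned N records'
            continue
        if not line.strip():              # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        m = _ATTR_LINE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == '::':                   # base64-encoded value
            value = base64.b64decode(value).decode('utf-8', 'replace')
        current.setdefault(attr, []).append(value.strip())
    if current:
        records.append(current)
    return records


def machines_without_uid(records):
    """Computer objects that have no uidNumber (the 'invalid on this system' case)."""
    return [r for r in records if 'uidNumber' not in r]


def allocate_uids(records, uid_range=UID_RANGE, used_uids=()):
    """Return {dn: uidNumber} for computers lacking one.

    Ids are handed out above the highest id already in use inside the range,
    so a new machine never inherits the uid (and file ownership) of a deleted
    account. used_uids lets the caller pass uidNumbers from user objects too.
    """
    lo, hi = uid_range
    used = {int(v) for r in records for v in r.get('uidNumber', [])}
    used.update(int(u) for u in used_uids)
    in_range = [u for u in used if lo <= u <= hi]
    candidate = (max(in_range) + 1) if in_range else lo
    assigned = {}
    for r in machines_without_uid(records):
        if candidate > hi:
            raise RuntimeError('idmap range %d-%d exhausted' % (lo, hi))
        assigned[r['dn'][0]] = candidate
        candidate += 1
    return assigned


def to_ldif(assigned):
    """Build a 'changetype: modify' LDIF suitable for ldbmodify -H sam.ldb."""
    chunks = []
    for dn, uid in sorted(assigned.items()):
        chunks.append('dn: %s\nchangetype: modify\nadd: uidNumber\nuidNumber: %d\n' % (dn, uid))
    return '\n'.join(chunks)


if __name__ == '__main__':
    recs = parse_ldbsearch(SAMPLE_LDBSEARCH_OUTPUT)
    print(to_ldif(allocate_uids(recs)))
```

In use, feed the script the real ldbsearch output from the DC instead of the constructed sample, and also pass the uidNumbers of user objects in used_uids so a machine account never collides with a user's id. The script only prints the LDIF; reviewing it before running ldbmodify keeps a scripting mistake from touching sam.ldb.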