[Samba] samba 4 ad member - idmap = ad for machine accounts
k.wirski at babkamedica.pl
Sun Sep 17 16:14:45 UTC 2017
I have samba 4.5.10 file server as AD member (AD is also samba 4.5.10).
I'm using unix extension for windows rsat to set UIDs for all users and
on samba AD member i'd prefer to use idmap = ad to have consistent file
permissions across multiple file servers.
My issue is with machine accounts. RSAT extension doesn't allow for easy
"uid" setting for machine accounts. I've been trying with ldap editor to
set UID, primary group ID etc. ,but without success.
Why do I need this?
When task on a PC is run as SYSTEM and should access network share,
windows will try to use it's machine account instead. I'm using some
backup tasks and other scripts that are supposed to store output in
network shares, for this to work I simply want to give read-write
permissions to machine accounts, and wit idmap = AD those accounts have
With idmap = rid everything works obviously fine, but I'm not sure how
consistent permissions will be across servers.
What I'm planning to do is setting idmap uid range something like 5000 -
99999, with 10,000 + for users (default setting), and use 5000+ for
machines. This way I have large enough margin, so it won't overlap with
users, and it will not interfere with rsat auto-increnemt by one.
Samba unix settings are minimal, all permissions are set using windows GUI.
My question comes down to this:
- which LDAP attributes of an AD joined windows PC should be edited, so
it will have access to samba 4 share with it's machine account, when
using idmap = AD in the same way, that domain users do, when using NIS
extension for RSAT?
More information about the samba