[Samba] samba 4 ad member - idmap = ad for machine accounts

Kacper Wirski k.wirski at babkamedica.pl
Sun Sep 17 16:14:45 UTC 2017


I have samba 4.5.10 file server as AD member (AD is also samba 4.5.10).

I'm using the Unix extension for Windows RSAT to set UIDs for all users and 
on the samba AD member I'd prefer to use idmap = ad to have consistent file 
permissions across multiple file servers.

My issue is with machine accounts. The RSAT extension doesn't allow for easy 
"uid" setting for machine accounts. I've been trying with an LDAP editor to 
set UID, primary group ID etc., but without success.

Why do I need this?

When a task on a PC is run as SYSTEM and should access a network share, 
Windows will try to use its machine account instead. I'm using some 
backup tasks and other scripts that are supposed to store output in 
network shares; for this to work I simply want to give read-write 
permissions to machine accounts, and with idmap = AD those accounts have 
no UID.

With idmap = rid everything works obviously fine, but I'm not sure how 
consistent permissions will be across servers.

What I'm planning to do is setting the idmap uid range to something like 5000 - 
99999, with 10,000+ for users (default setting), and use 5000+ for 
machines. This way I have a large enough margin, so it won't overlap with 
users, and it will not interfere with the RSAT auto-increment by one.

Samba unix settings are minimal, all permissions are set using windows GUI.

My question comes down to this:

- which LDAP attributes of an AD-joined Windows PC should be edited, so 
it will have access to a samba 4 share with its machine account, when 
using idmap = AD, in the same way that domain users do when using the NIS 
extension for RSAT?
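As an added illustration of the range plan described in the post (not code from the poster or the Samba project): idmap_ad reads the RFC2307 attributes uidNumber and gidNumber from AD, and it also needs a gidNumber on the account's primary group (for a computer object that is normally "Domain Computers"). This helper picks a free uidNumber from the 5000-9999 machine window, refuses values that would collide with the 10000+ user window or fall outside the planned idmap range, and emits the LDIF modify that adds the two attributes to a computer object. The computer DN, the set of used uidNumbers and the gidNumber 515 are constructed sample values.

```python
"""Prepare uidNumber/gidNumber for an AD computer object so that idmap_ad
can resolve the machine account (added example, not from the original post)."""

MACHINE_UID_FLOOR = 5000      # planned window for machine accounts: 5000+
USER_UID_FLOOR = 10000        # planned window for users (RSAT default): 10000+
IDMAP_RANGE = (5000, 99999)   # planned 'idmap config DOM : range = 5000-99999'


def pick_machine_uid(used_uids):
    """Return the lowest free uidNumber inside the machine-account window.

    used_uids: uidNumber values already present in AD (constructed here;
    in practice read them from the directory before choosing one).
    """
    used = set(used_uids)
    for uid in range(MACHINE_UID_FLOOR, USER_UID_FLOOR):
        if uid not in used:
            return uid
    raise RuntimeError("machine-account uid window 5000-9999 is exhausted")


def check_uid(uid):
    """Reject uids outside the idmap range or inside the user window."""
    low, high = IDMAP_RANGE
    if not low <= uid <= high:
        raise ValueError(f"uid {uid} is outside idmap range {low}-{high}")
    if uid >= USER_UID_FLOOR:
        raise ValueError(f"uid {uid} collides with the user window")
    return uid


def machine_account_ldif(computer_dn, uid, gid):
    """Build an LDIF 'modify' adding uidNumber/gidNumber to a computer object.

    gid must be the gidNumber already set on the machine's primary group
    (normally 'Domain Computers'); idmap_ad cannot map an account whose
    primary group has no gidNumber.
    """
    check_uid(uid)
    return (
        f"dn: {computer_dn}\n"
        "changetype: modify\n"
        "add: uidNumber\n"
        f"uidNumber: {uid}\n"
        "-\n"
        "add: gidNumber\n"
        f"gidNumber: {gid}\n"
    )


if __name__ == "__main__":
    # Constructed sample: two machines already numbered, one gap at 5002.
    uid = pick_machine_uid([5000, 5001, 5003])
    print(machine_account_ldif("CN=PC01,CN=Computers,DC=example,DC=com", uid, 515))
```

The printed LDIF can be applied with any LDAP client; after the change, verify the mapping on the member server with `wbinfo -i 'DOM\PC01$'` before granting share permissions.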
