[Samba] samba 4 ad member - idmap = ad for machine accounts
rpenny at samba.org
Sun Sep 17 17:50:33 UTC 2017
On Sun, 17 Sep 2017 18:14:45 +0200
Kacper Wirski via samba <samba at lists.samba.org> wrote:
> I have samba 4.5.10 file server as AD member (AD is also samba
> I'm using unix extension for windows rsat to set UIDs for all users
> and on samba AD member i'd prefer to use idmap = ad to have
> consistent file permissions across multiple file servers.
> My issue is with machine accounts. RSAT extension doesn't allow for
> easy "uid" setting for machine accounts. I've been trying with ldap
> editor to set UID, primary group ID etc. ,but without success.
> Why do I need this?
Short answer, you don't for machine accounts
> When task on a PC is run as SYSTEM and should access network share,
> windows will try to use it's machine account instead. I'm using some
> backup tasks and other scripts that are supposed to store output in
> network shares, for this to work I simply want to give read-write
> permissions to machine accounts, and wit idmap = AD those accounts
> have no UID.
Ah, I think you may be mistaking Kerberos machine accounts for machine
accounts. Let me guess, you come from a Samba 3 way of doing things ;-)
> With idmap = rid everything works obviously fine, but I'm not sure
> how consistent permissions will be across servers.
You can get consistent IDs on Unix domain members with the 'rid'
backend, but you will have different IDs on a Samba DC
> What I'm planning to do is setting idmap uid range something like
> 5000 - 99999, with 10,000 + for users (default setting), and use
> 5000+ for machines. This way I have large enough margin, so it won't
> overlap with users, and it will not interfere with rsat
> auto-increnemt by one.
You do not need uidNumbers for machines and I cannot recommend your
suggested ranges. You should be aware, as far as AD is concerned, a
computer is also a user.
> Samba unix settings are minimal, all permissions are set using
> windows GUI.
Or to put it another way, you are using Windows ACLs
> My question comes down to this:
> - which LDAP attributes of an AD joined windows PC should be edited,
> so it will have access to samba 4 share with it's machine account,
> when using idmap = AD in the same way, that domain users do, when
> using NIS extension for RSAT?
I think this may be the wrong question, I think you may be better
asking how do I make my scripts work with Samba AD
Can I suggest you read this wikipage:
I have updated it today, to try and make the range setting etc a bit
It will definitely help if you post the smb.conf you are using on your
Unix domain member (what you call a fileserver)
As you cannot attach files to posts to this list, can I suggest you
send me (offlist) one of the scripts you are having problems with and I
will try to advise just were you may be going wrong.
More information about the samba