[Samba] samba 4 ad member - idmap = ad for machine accounts

Rowland Penny rpenny at samba.org
Sun Sep 17 17:50:33 UTC 2017 

On Sun, 17 Sep 2017 18:14:45 +0200
Kacper Wirski via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> I have samba 4.5.10 file server as AD member (AD is also samba
> 4.5.10).
> 
> I'm using unix extension for windows rsat to set UIDs for all users
> and on samba AD member i'd prefer to use idmap = ad to have
> consistent file permissions across multiple file servers.
> 
> My issue is with machine accounts. RSAT extension doesn't allow for
> easy "uid" setting for machine accounts. I've been trying with ldap
> editor to set  UID, primary group ID etc. ,but without success.
> 
> Why do I need this?

Short answer, you don't for machine accounts

> 
> When task on a PC is run as SYSTEM and should access network share, 
> windows will try to use it's machine account instead. I'm using some 
> backup tasks and other scripts that are supposed to store output in 
> network shares, for this to work I simply want to give read-write 
> permissions to machine accounts, and wit idmap = AD those accounts
> have no UID.

Ah, I think you may be mistaking Kerberos machine accounts for machine
accounts. Let me guess, you come from a Samba 3 way of doing things ;-)

> 
> 
>   With idmap = rid everything works obviously fine, but I'm not sure
> how consistent permissions will be across servers.

You can get consistent IDs on Unix domain members with the 'rid'
backend, but you will have different IDs on a Samba DC

> 
> What I'm planning to do is setting idmap uid range something like
> 5000 - 99999, with 10,000 + for users (default setting), and use
> 5000+ for machines. This way I have large enough margin, so it won't
> overlap with users, and it will not interfere with rsat
> auto-increnemt by one.

You do not need uidNumbers for machines and I cannot recommend your
suggested ranges. You should be aware, as far as AD is concerned, a
computer is also a user.

> 
> Samba unix settings are minimal, all permissions are set using
> windows GUI.

Or to put it another way, you are using Windows ACLs

> 
> My question comes down to this:
> 
> - which LDAP attributes of an AD joined windows PC should be edited,
> so it will have access to samba 4 share with it's machine account,
> when using idmap = AD in the same way, that domain users do, when
> using NIS extension for RSAT?

I think this may be the wrong question, I think you may be better
asking how do I make my scripts work with Samba AD

Can I suggest you read this wikipage:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

I have updated it today, to try and make the range setting etc a bit
more understandable.

It will definitely help if you post the smb.conf you are using on your
Unix domain member (what you call a fileserver)

As you cannot attach files to posts to this list, can I suggest you
send me (offlist) one of the scripts you are having problems with and I
will try to advise just were you may be going wrong.

Rowland

More information about the samba mailing list