[Samba] samba 4 ad member - idmap = ad for machine accounts

Denis Cardon dcardon at tranquil.it
Mon Sep 18 12:55:04 UTC 2017

Hi Rowland,

>> File server config looks exactly like this, except more shares, all
>> with same simple config. I know that "use default domain" isn't
>> necessary, but it's not the issue for me right now.

> 'SYSTEM' is a Windows group and is meaningless to Unix, it should be
> mapped to a Unix ID only on a Samba AD DC and there it is an
> 'xidNumber' not a 'uidNumber' or 'gidNumber'. Running 'wbinfo -S
> S-1-5-18' (the SID for 'SYSTEM' is S-1-5-8-18) on a UNIX domain member,
> returns:
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-18 to uid
> However "wbinfo -Y S-1-5-18" returns:
> 2005 (note your ID may be different)
> As I said, you could use the kerberos machine account instead, but are
> these scripts being run on the fileserver, Samba DC or windows
> machines? If the latter, then you shouldn't need Unix IDs.
>> 2) I'm using some machine autostart scripts, for various tasks, which
>> work again as SYSTEM, so if they have to get anything from network
>> share, they need to have read/write permission. What I'm doing is,
>> for example, as autostart run a batch script, that would check
>> \\fileserver\public\test-file.txt if %COMPUTERNAME% exists in this
>> file. If not - run some robocopy script, then >> %COMPUTERNAME% to
>> the end of the file.
>> or even something simple like this:
>> "if exist \\server\share\%computername%.txt (exit)
>> else robocopy some-files
>> echo . > \\server\share\%computername%.txt
>> exit"
> That looks like a Windows script (not that I am an expert on Windows
> script languages) so I presume that it is run on a Windows machine and
> 'SYSTEM' should be available on it via its name or SID.
>> 3) Some windows applications that I use also run as SYSTEM account
>> and they have built-in backup utilities, and if I want to backup
>> straight to network share - again - machine account needs direct
>> write access to share.
> Hmm, I think I am beginning to understand your problem, you are
> confusing 'SYSTEM' with the computer's account in AD.
> 'SYSTEM' does not exist in AD, so you cannot give it a uidNumber or
> gidNumber attribute.
> I think you need to find another way to do what you are doing now.

Kacper's way of doing things is completely correct (at least from the 
authentication point of view). The SYSTEM account on Windows uses the 
machine account for authentication. So for example, using psexec [1], 
you can try (on an elevated command prompt):

  psexec -s -i cmd.exe

Check that you are local system


Then connect to a share (sysvol is a good choice here since "Domain 
Computers" has access):

  net use F: \\domain.lan\sysvol

Then on your DC you can check which account has been used for the connection:


You'll see that the SYSTEM account uses the Kerberos machine account for 



[1] https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

>> I do know that machine accounts are "normal" accounts, and I tried
>> simply adding them to windows ACL, but it just didn't work. I had to
>> go with "idmap = rid", and it did just fine, so the issue must be
>> with idmap backend - ad not supplying valid uid for winbind, right?
> You should be able to add a uidNumber to a computer, but to make it
> work as a user on Unix, you will have to give the Domain Computers
> group a gidNumber.
> Rowland

Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0)
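The practical consequence of Rowland's last point (give the computer object a uidNumber and "Domain Computers" a gidNumber) is that with `idmap config DOMAIN : backend = ad` winbind only honours uidNumber/gidNumber values that fall inside the `idmap config DOMAIN : range` set on the Unix domain member; values outside the range are filtered out and the mapping is discarded, which looks exactly like "idmap ad not supplying a valid uid". The script below is an added example, not code from this thread or from the Samba project: it parses the idmap ranges out of a constructed smb.conf fragment, refuses IDs outside the domain's range, and emits the LDIF you would feed to ldbmodify on the DC. The domain SAMDOM, the base DN, the host PC01 and the ID values are all made up.

```python
"""Added example (not from the thread): build the LDIF that gives a Windows
computer account a uidNumber and the 'Domain Computers' group a gidNumber,
and check both IDs against the 'idmap config DOMAIN : range' configured on
the Unix domain member. With the 'ad' idmap backend, winbind ignores
uidNumber/gidNumber values outside that range, so the mapping silently fails.

All names here (SAMDOM, the base DN, host PC01, the ID values) are invented."""

import re

# Constructed smb.conf fragment for the Unix domain member (not the poster's).
SMB_CONF = """
[global]
   workgroup = SAMDOM
   security = ADS
   realm = SAMDOM.EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
"""

# One 'idmap config <dom> : range = <low>-<high>' line; the domain name may be
# the wildcard '*' for the default/BUILTIN backend.
_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def idmap_range(conf, domain):
    """Return (low, high) of 'idmap config DOMAIN : range', or None if absent."""
    for m in _RANGE_RE.finditer(conf):
        if m.group("dom").upper() == domain.upper():
            return int(m.group("lo")), int(m.group("hi"))
    return None


def check_in_range(value, rng):
    """Raise if an ID lies outside the backend's range (winbind would drop it)."""
    lo, hi = rng
    if not lo <= value <= hi:
        raise ValueError(
            f"{value} is outside the idmap range {lo}-{hi}; "
            "the 'ad' backend would ignore this attribute"
        )


def machine_account_ldif(base_dn, computer, uid_number, gid_number, conf, domain):
    """LDIF for ldbmodify/ldapmodify: uidNumber on the computer object and
    gidNumber on 'Domain Computers' (the computer's primary group), both
    validated against the idmap range of the given domain."""
    rng = idmap_range(conf, domain)
    if rng is None:
        raise ValueError(f"no 'idmap config {domain} : range' in smb.conf")
    check_in_range(uid_number, rng)
    check_in_range(gid_number, rng)
    # Computer objects live in CN=Computers by default; the '$' suffix belongs
    # to the sAMAccountName, not to the CN. Built-in groups such as
    # 'Domain Computers' live in CN=Users.
    return (
        f"dn: CN={computer},CN=Computers,{base_dn}\n"
        "changetype: modify\n"
        "replace: uidNumber\n"
        f"uidNumber: {uid_number}\n"
        "\n"
        f"dn: CN=Domain Computers,CN=Users,{base_dn}\n"
        "changetype: modify\n"
        "replace: gidNumber\n"
        f"gidNumber: {gid_number}\n"
    )


if __name__ == "__main__":
    print(machine_account_ldif("DC=samdom,DC=example,DC=com", "PC01",
                               11000, 10515, SMB_CONF, "SAMDOM"))
```

Apply the generated LDIF on the DC with `ldbmodify -H /var/lib/samba/private/sam.ldb file.ldif`, then on the member run `net cache flush` and `wbinfo -i 'SAMDOM\PC01$'` to confirm winbind now resolves the machine account to the uid/gid you set; if the IDs sat outside the configured range, the script refuses them before they reach the directory.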
