[Samba] samba 4 ad member - idmap = ad for machine accounts
L.P.H. van Belle
belle at bazuin.nl
Tue Sep 19 14:00:19 UTC 2017
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Gaiarin via samba
> Sent: Tuesday 19 September 2017 12:40
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba 4 ad member - idmap = ad for
> machine accounts
> Mandi! L.P.H. van Belle via samba
> On that day it was said...
> > I did lose a bit what the exact problem was here but i can
> > to explain a bit here.
> Probably I'm making some confusion here, but as stated by
> others before, we are not speaking about the SYSTEM user.
> In Microsoft Windows client OS, if you try to connect to a
> share with the local SYSTEM user, the client tries first with
> the machine account user and password, then tries anonymously
> (then fails ;).
> So, trying to restate the question more precisely: machine
> accounts are ID_BOTH "users", so cannot have UID/GID
> assigned, or can I assign to a machine account a UID (and
> assign to 'Domain Computers' a GID)?
UID for computer is not needed imo, GID can help.
> I think that if we add UID to machine account (and GID to
> Domain Computers group), machine account access to share will
> work exactly as for RID backend...
I don't know, but worth a try.
> Better now? Thanks.
What may be an option is:
Make use of idmap.conf with something like this.
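# Section headers below follow the idmapd.conf(5) layout.
[General]
Verbosity = 1
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
# Domain = localdomain
Domain = internal.dnsdomain.tld
# idmapd.conf(5) spells this key in the plural: Local-Realms
Local-Realms = REALM

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch

[Static]
# GSS principal = local user name
SERVERHOSTNAME1$@REALM = root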
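
An added example, not part of the original message: a small audit that reads an idmapd.conf-style file and reports which [Static] principals map to a privileged local account, and whether the static method is actually enabled for GSS names. The sample file, the second principal, and the PRIVILEGED set are constructed assumptions.

```python
import configparser

# Constructed sample, modelled on the layout suggested in the message above.
SAMPLE = """\
[General]
Domain = internal.dnsdomain.tld

[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch

[Static]
SERVERHOSTNAME1$@REALM = root
backup/host.example@REALM = backupsvc
"""

PRIVILEGED = {"root"}  # assumption: local accounts treated as privileged


def load(text):
    # '=' is the only delimiter so principals are never split on ':'.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep principal names case-sensitive
    cp.read_string(text)
    return cp


def gss_methods(cp):
    # idmapd.conf(5): Method defaults to nsswitch, GSS-Methods defaults to Method.
    method = cp.get("Translation", "Method", fallback="nsswitch")
    raw = cp.get("Translation", "GSS-Methods", fallback=method)
    return [m.strip() for m in raw.split(",") if m.strip()]


def audit(text):
    """Return one finding per [Static] entry."""
    cp = load(text)
    static_active = "static" in gss_methods(cp)
    findings = []
    if cp.has_section("Static"):
        for principal, local in cp.items("Static"):
            findings.append({
                "principal": principal,
                "local": local,
                # AD machine accounts end in '$' before the realm
                "machine_account": principal.split("@")[0].endswith("$"),
                "privileged": local in PRIVILEGED,
                "active": static_active,  # False: entry is ignored at runtime
            })
    return findings
```

Entries with both `privileged` and `active` set are the ones to review, since the named principal then acts as that local account on the server.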