[Samba] samba 4 ad member - idmap = ad for machine accounts

L.P.H. van Belle belle at bazuin.nl
Tue Sep 19 14:00:19 UTC 2017

Hi Marco,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Gaiarin via samba
> Sent: Tuesday 19 September 2017 12:40
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba 4 ad member - idmap = ad for
> machine accounts
> Hello! L.P.H. van Belle via samba
>   On that day was said...
> > I did lose a bit what the exact problem was here, but I can
> > explain a bit here.
> Probably I'm making some confusion here, but as just stated by
> others before, we are not speaking about the SYSTEM user.
> In the Microsoft Windows client OS, if you try to connect to a
> share with the local SYSTEM user, the client tries first with
> the machine account user and password, then tries anonymously
> (then fails ;).
> So, trying to restate the question more precisely: machine
> accounts are ID_BOTH ''users'', so they cannot have a UID/GID
> assigned, or can I assign a UID to a machine account (and
> assign a GID to 'Domain Computers')?
A UID for a computer is not needed, IMO; a GID can help.

> I think that if we add a UID to the machine account (and a GID to
> the Domain Computers group), machine account access to the share will
> work exactly as for the RID backend...
I don't know, but worth a try.

> Better now? Thanks.
Yes, thanks. 

What might be an option is to make use of idmapd.conf with something like this:

[General]
Verbosity = 1
Pipefs-Directory = /run/rpc_pipefs

# set your own domain here, if it differs from FQDN minus hostname
# Domain = localdomain
Domain = internal.dnsdomain.tld
# idmapd.conf(5) spells this key Local-Realms (plural)
Local-Realms = REALM

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch
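As an added illustration (not code from this thread or from Samba), here is a small Python model of how the rid and ad idmap backends resolve a machine account and the Domain Computers group; the domain SID, range and directory contents are constructed values.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed values standing in for smb.conf's
# "idmap config EXAMPLE : backend = rid|ad" and "idmap config EXAMPLE : range = 10000-999999".
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
LOW, HIGH = 10000, 999999

@dataclass
class AdObject:
    kind: str                          # "user", "computer" or "group"
    uid_number: Optional[int] = None   # RFC2307 uidNumber; machine accounts have none by default
    gid_number: Optional[int] = None   # RFC2307 gidNumber

# Constructed directory: a user with RFC2307 attributes, a machine account without
# them, and Domain Computers (well-known RID 515) without a gidNumber.
DIRECTORY = {
    f"{DOMAIN_SID}-1105": AdObject("user", uid_number=10105, gid_number=10513),
    f"{DOMAIN_SID}-1210": AdObject("computer"),
    f"{DOMAIN_SID}-515": AdObject("group"),
}

def in_range(ident: Optional[int]) -> Optional[int]:
    """Both backends are authoritative only inside their configured range."""
    return ident if ident is not None and LOW <= ident <= HIGH else None

def map_rid(sid: str) -> Optional[int]:
    """idmap_rid: ID = RID + LOW_RANGE_ID; purely arithmetic, no AD attribute needed."""
    rid = int(sid.rsplit("-", 1)[1])
    return in_range(LOW + rid)

def map_ad(sid: str, want: str) -> Optional[int]:
    """idmap_ad: read uidNumber/gidNumber from the object; a missing attribute means unmapped."""
    obj = DIRECTORY.get(sid)
    if obj is None:
        return None
    return in_range(obj.gid_number if want == "gid" else obj.uid_number)

def assign_rfc2307(sid: str, uid: Optional[int] = None, gid: Optional[int] = None) -> None:
    """Models adding uidNumber/gidNumber to the AD object, as proposed in the thread."""
    obj = DIRECTORY[sid]
    if uid is not None:
        obj.uid_number = uid
    if gid is not None:
        obj.gid_number = gid

if __name__ == "__main__":
    machine, computers = f"{DOMAIN_SID}-1210", f"{DOMAIN_SID}-515"
    print("rid:", map_rid(machine), map_rid(computers))          # 11210 10515
    print("ad :", map_ad(machine, "uid"), map_ad(computers, "gid"))  # None None
```

With the rid backend the machine account maps regardless of AD attributes, whereas the ad backend returns nothing until a uidNumber/gidNumber is set on the object.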