[Samba] samba 4 ad member - idmap = ad for machine accounts

Marco Gaiarin gaio at sv.lnf.it
Tue Sep 19 15:23:24 UTC 2017


Hello! L.P.H. van Belle via samba
  On that day, this was said...

> > So, trying to restate the question more precisely: machine 
> > accounts are ID_BOTH ''users'', so they cannot have a UID/GID 
> > assigned, or can I assign a UID to a machine account (and 
> > assign a GID to 'Domain Computers')?
> UID for computer is not needed IMO, GID can help. 

?! But if the local workstation has to access a file on a share
(supposing, of course, the worst case of a POSIX ACL share), how can it do
that without a UID?


> > I think that if we add a UID to the machine account (and a GID to the 
> > Domain Computers group), machine account access to the share will 
> > work exactly as for the RID backend...
> I don't know, but worth a try. 

When ready, I'll try. ;-)


> Make use of idmap.conf with something like this.

I've not used the kerberos map, but it still seems to me that you ''suppose''
that the local workstation SYSTEM user has to access a share in some
''privileged'' form.
No, I (we?) simply need to access the share in non-anonymous form.

This can be useful in some ways; think about some initialization script
(GPO?!) that saves a semaphore or status file somewhere.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
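An added example, not part of this thread or of Samba's code, modelling the idmap_ad mapping rule the question turns on: idmap_ad (as documented in idmap_ad(8)) gives a UNIX id only to an AD object that carries uidNumber (user-type objects, and computer objects are users in AD) or gidNumber (groups), and only when the value lies inside the configured `idmap config DOMAIN : range`. A machine account without uidNumber therefore gets no UID at all, so a POSIX ACL on the share has nothing to match it against; once uidNumber is set (and 'Domain Computers' has a gidNumber) it is mapped like any other user. The directory objects, SIDs, attribute values and the range are constructed, and the ACL check is a simplification that uses only the object's primary gidNumber for group matching.

```python
"""Simplified model of how Samba's idmap_ad backend decides whether an AD
object gets a UNIX id.  Constructed data; this is not Samba's own code."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class AdObject:
    sam_account_name: str
    object_sid: str                      # constructed, not a real domain SID
    object_classes: Tuple[str, ...]      # computer objects also carry 'user'
    attrs: Dict[str, int] = field(default_factory=dict)


# Constructed 'idmap config EXAMPLE : ...' settings from smb.conf
IDMAP_CONFIG = {"backend": "ad", "schema_mode": "rfc2307", "range": (10000, 999999)}

DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # constructed domain SID

# Constructed directory: a user, a machine account without uidNumber, a
# machine account with uidNumber/gidNumber added, 'Domain Computers' with a
# gidNumber, and a user whose uidNumber lies outside the configured range.
DIRECTORY = (
    AdObject("alice", f"{DOMAIN_SID}-1105", ("user",),
             {"uidNumber": 10001, "gidNumber": 10513}),
    AdObject("PC01$", f"{DOMAIN_SID}-1120", ("user", "computer"), {}),
    AdObject("PC02$", f"{DOMAIN_SID}-1121", ("user", "computer"),
             {"uidNumber": 10050, "gidNumber": 10515}),
    AdObject("Domain Computers", f"{DOMAIN_SID}-515", ("group",),
             {"gidNumber": 10515}),
    AdObject("bob", f"{DOMAIN_SID}-1106", ("user",),
             {"uidNumber": 5000, "gidNumber": 10513}),
)


def idmap_ad_lookup(obj: AdObject, cfg=IDMAP_CONFIG) -> Optional[Tuple[str, int]]:
    """Return ('uid', n) or ('gid', n) if idmap_ad would map the object, else None.

    Groups need gidNumber, user-type objects (machine accounts included) need
    uidNumber, and the value must fall inside the configured range."""
    lo, hi = cfg["range"]
    if "group" in obj.object_classes:
        kind, attr = "gid", "gidNumber"
    elif "user" in obj.object_classes:
        kind, attr = "uid", "uidNumber"
    else:
        return None
    value = obj.attrs.get(attr)
    if value is None or not lo <= value <= hi:
        return None            # unmapped: winbind reports no UNIX id for this SID
    return (kind, value)


def map_directory(directory=DIRECTORY, cfg=IDMAP_CONFIG) -> Dict[str, Optional[Tuple[str, int]]]:
    """Mapping result for every object, keyed by sAMAccountName."""
    return {o.sam_account_name: idmap_ad_lookup(o, cfg) for o in directory}


def posix_acl_permits(obj: AdObject, acl, cfg=IDMAP_CONFIG) -> Set[str]:
    """Permissions a POSIX ACL grants the object once idmap_ad has mapped it.

    acl entries look like ('user', 10001, 'rw') or ('group', 10515, 'r').
    Simplification: group entries are matched only against the object's own
    gidNumber (its primary group), not its full AD group membership."""
    mapping = idmap_ad_lookup(obj, cfg)
    if mapping is None:
        return set()           # no UNIX id, so no ACL entry can ever match
    kind, number = mapping
    own_gids = {obj.attrs.get("gidNumber")} if kind == "uid" else {number}
    granted: Set[str] = set()
    for tag, qualifier, perms in acl:
        if tag == "user" and kind == "uid" and qualifier == number:
            granted |= set(perms)
        elif tag == "group" and qualifier in own_gids:
            granted |= set(perms)
    return granted


if __name__ == "__main__":
    share_acl = [("user", 10001, "rw"), ("group", 10515, "rw")]
    for name, result in map_directory().items():
        obj = next(o for o in DIRECTORY if o.sam_account_name == name)
        perms = "".join(sorted(posix_acl_permits(obj, share_acl))) or "-"
        print(f"{name:18} mapped={result}  acl_perms={perms}")
```

Run it and PC01$ shows `mapped=None` with no ACL permissions, while PC02$ (same kind of object, with uidNumber and gidNumber filled in) is mapped to uid 10050 and matches the group entry for Domain Computers; bob is unmapped because 5000 is below the configured range, which is the usual cause of "works with rid, not with ad" surprises.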
