[Samba] samba 4 ad member - idmap = ad for machine accounts
Marco Gaiarin
gaio at sv.lnf.it
Tue Sep 19 15:23:24 UTC 2017
Hello! L.P.H. van Belle via samba
On that day it was said...
> > So, trying to restate the question more precisely: machine
> > accounts are ID_BOTH "users", so cannot have UID/GID
> > assigned, or can I assign to a machine account a UID (and
> > assign to 'Domain Computers' a GID)?
> UID for computer is not needed imo, GID can help.
?! But if the local workstation has to access a file on a share
(supposing of course the worst case of a POSIX ACL share), how can it do
that without a UID?
> > I think that if we add UID to machine account (and GID to
> > Domain Computers group), machine account access to share will
> > work exactly as for RID backend...
> I don't know, but worth a try.
When ready, I'll try. ;-)
> Make use of idmap.conf with something like this.
I've not used Kerberos map, but it still seems to me that you "suppose"
that the local workstation SYSTEM user has to access a share in some
"privileged" form.
No, I (we?) simply need to access the share in non-anonymous form.
This can be useful in some ways, think about some initialization script
(GPO?!) that saves a semaphore or status file somewhere.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797