[Samba] samba 4 ad member - idmap = ad for machine accounts

L.P.H. van Belle belle at bazuin.nl
Wed Sep 20 07:04:17 UTC 2017


Hai Marco, 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Gaiarin via samba
> Sent: Tuesday 19 September 2017 17:23
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba 4 ad member - idmap = ad for machine accounts
> 
> Hello! L.P.H. van Belle via samba
>   On that day it was said...
> 
> > > So, trying to restate the question more precisely: machine accounts
> > > are ID_BOTH ''users'', so cannot have UID/GID assigned, or I can
> > > assign to machine account a UID (and assign to 'Domain Computers' a
> > > GID)?
> > UID for computer is not needed imo, GID can help.
>
> ?! But if the local workstation has to access a file on a
> share (supposing of course the worst case of a POSIX ACL
> share), how can it do that without a UID?
That way I showed with the idmap.conf, an easy way to map a computername to a Linux name.

As far as I know, TGT tickets are used to authenticate, and I'm not saying it won't work,
I just say it should not be needed and to me this indicates an error in the setup.
Now, that does not have to be a real error but a combination of settings that won't work together.
Due to bugs, Windows/Samba things..
Sorry, setting up Samba can be done in so many different ways these days.

That's why I'm posting my howtos, a try to get things more in line and explained why.
That would really help lots of people.
I still don't know everything..  :-(

> 
> 
> > > I think that if we add UID to machine account (and GID to Domain
> > > Computers group), machine account access to share will work exactly
> > > as for RID backend...
> > I don't know, but worth a try.
> 
> When ready, i'll try. ;-)
> 
> 
> > Make use of idmap.conf with something like this.
> 
> I've not used kerberos map, but it still seems to me that you ''suppose''
> that the local workstation SYSTEM user has to access a share
> in some ''privileged'' form.
> No, I (we?) simply need to access the share in non-anonymous form.
It's very simple imo.
Give the share security, Everyone with full control.
Or, try these combined,
Verified users, FULL
Domain Admins, FULL
SYSTEM, FULL.

Set up the folder security and use Verified users (which also contains a computer account).

Lots of people say Everyone on the share with FULL control is insecure; well, I don't think it's that insecure.
As long as you don't use Everyone on the folder security.
But that's a choice.

The advantage of Everyone is that also a "guest" can access the share.

> 
> This can be useful in some ways, think about some initialization script
> (GPO?!) that saves a semaphore or status file somewhere.

P.S. the idmap.conf example, I used these for my nfsv4 (kerberized) mounts for my homedir.
And it is only used on a member server, so if you use it on a DC, be careful and test well before you put it in production.

I hope this helps a bit more for you. 


Greetz, 

Louis

