[Samba] Setting uidNumber for machine accounts

Jonathon Reinhart jonathon.reinhart at gmail.com
Fri Feb 14 02:54:32 UTC 2020


Hello,

A user of my "adman" utility recently opened this issue [1]: "Add
support for setting uidNumber for machine account"

I was aware that computer accounts were also users in AD, but I hadn't
considered assigning a uidNumber to them. It makes sense that winbind
(in idmap="ad" mode) would not "see" the accounts with a uidNumber.
Naturally, groups of which the computer accounts are members would
need gidNumber assigned as well.

I understand the OP in this post [2] had the following use case: A
startup script uses the computer account to access a samba server.

Questions:

1. Which groups should or should not be assigned gidNumber? The issue
[1] indicates that "Domain Computers" should indeed have gidNumber.
However my assignment logic [3] specifically excludes "Domain
Computers" based on the original recommendation from this post [4]
which says "Which groups should be excluded? Just about all the groups
that a provision provides, with the exception of Domain Users".

2. What other use cases are there for winbind needing to know about
computer accounts?
Is it just Samba file servers? If so, are there other cases where the
computer account is authenticating?
Or should a DC (with "idmap_ldb:use rfc2307 = yes") also need to see
computer accounts (e.g. in wbinfo -u)?

Thanks in advance for reviewing this again, and providing any insight.

Jonathon Reinhart


[1] https://gitlab.com/JonathonReinhart/adman/issues/13
[2] https://lists.samba.org/archive/samba/2017-November/212259.html
[3] https://gitlab.com/JonathonReinhart/adman/-/blob/v0.2.3/adman/assign.py#L15-66
[4] https://lists.samba.org/archive/samba/2019-June/223499.html
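
Added example (not part of the original post and not adman's code): an audit over directory entries for the situation the message describes, listing computer accounts that have no uidNumber and the groups they belong to, including the primary group referenced by primaryGroupID, that have no gidNumber. The entries, domain SID and DNs are constructed, and the function name audit_machine_idmap is hypothetical.

```python
# Constructed sample data; not output from a real directory.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
BASE = "DC=example,DC=com"
COMPUTER = ["top", "person", "organizationalPerson", "user", "computer"]

ENTRIES = [
    {"dn": f"CN=Domain Computers,CN=Users,{BASE}", "objectClass": ["top", "group"],
     "objectSid": f"{DOMAIN_SID}-515"},
    {"dn": f"CN=Kiosks,OU=Groups,{BASE}", "objectClass": ["top", "group"],
     "objectSid": f"{DOMAIN_SID}-1201", "gidNumber": "10050",
     "member": [f"CN=WS01,CN=Computers,{BASE}"]},
    {"dn": f"CN=WS01,CN=Computers,{BASE}", "objectClass": COMPUTER,
     "sAMAccountName": "WS01$", "primaryGroupID": "515", "uidNumber": "20001"},
    {"dn": f"CN=WS02,CN=Computers,{BASE}", "objectClass": COMPUTER,
     "sAMAccountName": "WS02$", "primaryGroupID": "515"},
]


def audit_machine_idmap(entries):
    """Hypothetical helper: report computer accounts lacking uidNumber and
    the groups they belong to that lack gidNumber."""
    groups = [e for e in entries if "group" in e["objectClass"]]
    # The last component of objectSid is the RID that primaryGroupID refers to.
    by_rid = {g["objectSid"].rsplit("-", 1)[1]: g for g in groups}
    missing_uid, missing_gid = [], set()
    for e in entries:
        if "computer" not in e["objectClass"]:
            continue
        if "uidNumber" not in e:
            missing_uid.append(e["sAMAccountName"])
        # Explicit memberships are listed in each group's member attribute.
        member_of = [g for g in groups if e["dn"] in g.get("member", [])]
        # The primary group is stored only as a RID on the account itself.
        primary = by_rid.get(e.get("primaryGroupID"))
        if primary is not None:
            member_of.append(primary)
        missing_gid.update(g["dn"] for g in member_of if "gidNumber" not in g)
    return {"machines_missing_uid": missing_uid,
            "groups_missing_gid": sorted(missing_gid)}


if __name__ == "__main__":
    print(audit_machine_idmap(ENTRIES))
```

In the constructed data, "Domain Computers" is reported even though no member attribute names either machine, because both accounts reference it through primaryGroupID 515.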


