[Samba] Setting uidNumber for machine accounts

Rowland penny rpenny at samba.org
Fri Feb 14 08:27:48 UTC 2020

On 14/02/2020 02:54, Jonathon Reinhart via samba wrote:
> Hello,
> A user of my "adman" utility recently opened this issue [1]: "Add
> support for setting uidNumber for machine account"
> I was aware that computer accounts were also users in AD, but I hadn't
> considered assigning a uidNumber to them. It makes sense that winbind
> (in idmap="ad" mode) would not "see" the accounts with a uidNumber.
> Naturally, groups of which the computer accounts are members would
> need gidNumber assigned as well.
> I understand the OP in this post [2] had the following use case: A
> startup script uses the computer account to access a samba server.
In most cases on Unix, computers do not need an ID, but there are always 
corner cases ;-)
> Questions:
> 1. Which groups should or should not be assigned gidNumber? The issue
> [1] indicates that "Domain Computers" should indeed have gidNumber.
> However my assignment logic [3] specifically excludes "Domain
> Computers" based on the original recommendation from this post [4]
> which says "Which groups should be excluded? Just about all the groups
> that a provision provides, with the exception of Domain Users".
Well, yes, but as I said, there are always corner cases and in this case 
'Domain Computers' must have a gidNumber because a computer's 
PrimaryGroupID is the RID for 'Domain Computers'
> 2.  What other use cases are there for winbind needing to know about
> computer accounts?
No idea, but there are probably some.
>   Is it just Samba file servers? If so, are there other cases where the
> computer account is authenticating?
If something goes directly to ldap, then no, but if it relies on 
winbind, then yes.
>   Or should a DC (with "idmap_ldb:use rfc2307 = yes") also need to see
> computer accounts (e.g. in wbinfo -u)?

Now this is interesting, 'wbinfo -u' on a DC will not show computers, 
but 'getent passwd computername$' will.
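The rule Rowland's answer turns on, modelled in code. This is an added example, not code from the thread and not adman's own assignment logic; the directory is a constructed in-memory dictionary with a placeholder domain SID, and the functions simply follow the rule that winbind in idmap = ad mode needs a uidNumber on the account and a gidNumber on the group named by its primaryGroupID. The RIDs 513 (Domain Users) and 515 (Domain Computers) are the well-known constants every AD domain uses; everything else is made up for the example.

```python
import copy

RID_DOMAIN_USERS = 513      # well-known RID, fixed in every AD domain
RID_DOMAIN_COMPUTERS = 515  # well-known RID, fixed in every AD domain

DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # constructed placeholder domain SID

# Constructed sample directory, keyed by DN. Attribute names are the real
# AD / RFC2307 ones; the values are made up for this example.
DIRECTORY = {
    "CN=Domain Users,CN=Users,DC=example,DC=com": {
        "objectSid": f"{DOMAIN_SID}-{RID_DOMAIN_USERS}",
        "gidNumber": 10000,
    },
    "CN=Domain Computers,CN=Users,DC=example,DC=com": {
        "objectSid": f"{DOMAIN_SID}-{RID_DOMAIN_COMPUTERS}",
        # deliberately no gidNumber: the situation the thread describes
    },
    "CN=alice,CN=Users,DC=example,DC=com": {
        "sAMAccountName": "alice",
        "objectSid": f"{DOMAIN_SID}-1104",
        "primaryGroupID": RID_DOMAIN_USERS,
        "uidNumber": 10001,
    },
    "CN=FILESRV01,CN=Computers,DC=example,DC=com": {
        "sAMAccountName": "FILESRV01$",
        "objectSid": f"{DOMAIN_SID}-1105",
        "primaryGroupID": RID_DOMAIN_COMPUTERS,
        "uidNumber": 20001,
    },
}


def primary_group_sid(entry):
    """primaryGroupID is a bare RID; the group's SID is the account's own
    domain SID with that RID appended."""
    domain = entry["objectSid"].rsplit("-", 1)[0]
    return f"{domain}-{entry['primaryGroupID']}"


def find_by_sid(directory, sid):
    """Return (dn, entry) for the object with this objectSid, or (None, None)."""
    for dn, entry in directory.items():
        if entry.get("objectSid") == sid:
            return dn, entry
    return None, None


def resolve_unix_identity(directory, sam_account_name):
    """Model of an idmap = ad lookup: (uid, gid) when the account has a
    uidNumber AND its primary group has a gidNumber, otherwise None."""
    for entry in directory.values():
        if entry.get("sAMAccountName") == sam_account_name:
            break
    else:
        return None
    if "uidNumber" not in entry:
        return None
    _, group = find_by_sid(directory, primary_group_sid(entry))
    if group is None or "gidNumber" not in group:
        return None
    return entry["uidNumber"], group["gidNumber"]


def groups_needing_gid(directory):
    """DNs of groups that are the primary group of some uidNumber-bearing
    account but carry no gidNumber: the groups an assignment tool such as
    adman must not exclude."""
    needed = set()
    for entry in directory.values():
        if "primaryGroupID" in entry and "uidNumber" in entry:
            dn, group = find_by_sid(directory, primary_group_sid(entry))
            if group is not None and "gidNumber" not in group:
                needed.add(dn)
    return sorted(needed)


def with_gid(directory, dn, gid):
    """Return a copy of the directory with gidNumber set on one group."""
    fixed = copy.deepcopy(directory)
    fixed[dn]["gidNumber"] = gid
    return fixed


if __name__ == "__main__":
    print(resolve_unix_identity(DIRECTORY, "alice"))       # (10001, 10000)
    print(resolve_unix_identity(DIRECTORY, "FILESRV01$"))  # None
    print(groups_needing_gid(DIRECTORY))
    dc_dn = "CN=Domain Computers,CN=Users,DC=example,DC=com"
    print(resolve_unix_identity(with_gid(DIRECTORY, dc_dn, 10002), "FILESRV01$"))
```

With the sample data, alice resolves because Domain Users has a gidNumber, while FILESRV01$ does not resolve even though it has a uidNumber, because its primary group (Domain Computers, RID 515) has none; `groups_needing_gid` reports exactly that group, and once it is given a gidNumber the machine account maps.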


