[Samba] Setting uidNumber for machine accounts
rpenny at samba.org
Fri Feb 14 08:27:48 UTC 2020
On 14/02/2020 02:54, Jonathon Reinhart via samba wrote:
> A user of my "adman" utility recently opened this issue: "Add
> support for setting uidNumber for machine account"
> I was aware that computer accounts were also users in AD, but I hadn't
> considered assigning a uidNumber to them. It makes sense that winbind
> (in idmap="ad" mode) would not "see" the accounts with a uidNumber.
> Naturally, groups of which the computer accounts are members would
> need gidNumber assigned as well.
> I understand the OP in this post had the following use case: A
> startup script uses the computer account to access a samba server.
In most cases on Unix, computers do not need an ID, but there are always
corner cases ;-)
> 1. Which groups should or should not be assigned gidNumber? The issue
>  indicates that "Domain Computers" should indeed have gidNumber.
> However my assignment logic specifically excludes "Domain
> Computers" based on the original recommendation from this post
> which says "Which groups should be excluded? Just about all the groups
> that a provision provides, with the exception of Domain Users".
Well, yes, but as I said, there are always corner cases and in this case
'Domain Computers' must have a gidNumber because a computer's
PrimaryGroupID is the RID for 'Domain Computers'.
> 2. What other use cases are there for winbind needing to know about
> computer accounts?
No idea, but there are probably some.
> Is it just Samba file servers? If so, are there other cases where the
> computer account is authenticating?
If something goes directly to ldap, then no, but if it relies on
winbind, then yes.
> Or should a DC (with "idmap_ldb:use rfc2307 = yes") also need to see
> computer accounts (e.g. in wbinfo -u)?
Now this is interesting, 'wbinfo -u' on a DC will not show computers,
but 'getent passwd computername$' will.
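As an added example of the check this thread implies (my code, not part of the thread and not adman's own logic): given directory records as the dicts an ldb/ldap search would return, list the groups that must carry a gidNumber because they are the primary group of some account that carries a uidNumber, and flag accounts whose primary group still lacks one. The domain SID, DNs and id numbers are constructed sample data.

```python
# Added example (not adman's own code). Any group that is the primary group
# of an account with a uidNumber must itself have a gidNumber; as the thread
# notes, for computer accounts that group is 'Domain Computers' (RID 515).
DOMAIN_SID = "S-1-5-21-1111-2222-3333"      # constructed sample domain SID

# Constructed sample records: one user, one computer, three groups.
RECORDS = [
    {"dn": "CN=alice,CN=Users,DC=example,DC=com", "objectClass": ["user"],
     "sAMAccountName": "alice", "uidNumber": 10001, "primaryGroupID": 513},
    {"dn": "CN=SRV1,CN=Computers,DC=example,DC=com",
     "objectClass": ["user", "computer"],
     "sAMAccountName": "SRV1$", "uidNumber": 20001, "primaryGroupID": 515},
    {"dn": "CN=Domain Users,CN=Users,DC=example,DC=com", "objectClass": ["group"],
     "sAMAccountName": "Domain Users", "objectSid": DOMAIN_SID + "-513",
     "gidNumber": 10000},
    {"dn": "CN=Domain Computers,CN=Users,DC=example,DC=com",
     "objectClass": ["group"],
     "sAMAccountName": "Domain Computers", "objectSid": DOMAIN_SID + "-515"},
    {"dn": "CN=Domain Admins,CN=Users,DC=example,DC=com", "objectClass": ["group"],
     "sAMAccountName": "Domain Admins", "objectSid": DOMAIN_SID + "-512"},
]


def groups_by_rid(records):
    """Map the RID (last component of objectSid) of each group to its record."""
    return {int(r["objectSid"].rsplit("-", 1)[1]): r
            for r in records if "group" in r["objectClass"]}


def required_gid_groups(records):
    """Names of groups that are the primary group of some account with a
    uidNumber. None of these may sit on a gidNumber 'exclude' list."""
    rids = groups_by_rid(records)
    needed = set()
    for r in records:
        if "group" in r["objectClass"] or "uidNumber" not in r:
            continue
        needed.add(rids[r["primaryGroupID"]]["sAMAccountName"])
    return needed


def unmappable_accounts(records):
    """Accounts with a uidNumber whose primary group has no gidNumber, so
    winbind with idmap = ad would still not show them."""
    rids = groups_by_rid(records)
    return sorted(r["sAMAccountName"] for r in records
                  if "group" not in r["objectClass"] and "uidNumber" in r
                  and "gidNumber" not in rids[r["primaryGroupID"]])
```

With the sample data the computer account SRV1$ is reported because 'Domain Computers' has no gidNumber, while 'Domain Admins' is correctly left alone since no uid-bearing account has it as primary group.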