[Samba] Setting uidNumber for machine accounts

Kris Lou klou at themusiclink.net
Fri Feb 14 17:42:46 UTC 2020


>
> I was aware that computer accounts were also users in AD, but I hadn't
> considered assigning a uidNumber to them. It makes sense that winbind
> (in idmap="ad" mode) would not "see" the accounts with a uidNumber.
> Naturally, groups of which the computer accounts are members would
> need gidNumber assigned as well.


This is interesting.  I also have a similar use case in that my computer
accounts (as SYSTEM) access a share for deployment purposes (via WPKG).
However, I use "idmap=rid", so avoid this pitfall.  (And a good thing,
too.  I don't know if I would've made the connection about a missing
uidNumber.)

But to maintain consistency with other idmap options (and to reduce the,
well, "oh, I missed that"), I think it would be helpful to add to your
utility.

Note to self: read more carefully.
https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites

Kris Lou
klou at themusiclink.net


On Fri, Feb 14, 2020 at 12:28 AM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 14/02/2020 02:54, Jonathon Reinhart via samba wrote:
> > Hello,
> >
> > A user of my "adman" utility recently opened this issue [1]: "Add
> > support for setting uidNumber for machine account"
> >
> > I was aware that computer accounts were also users in AD, but I hadn't
> > considered assigning a uidNumber to them. It makes sense that winbind
> > (in idmap="ad" mode) would not "see" the accounts with a uidNumber.
> > Naturally, groups of which the computer accounts are members would
> > need gidNumber assigned as well.
> >
> > I understand the OP in this post [2] had the following use case: A
> > startup script uses the computer account to access a samba server.
> In most cases on Unix, computers do not need an ID, but there are always
> corner cases ;-)
> >
> > Questions:
> >
> > 1. Which groups should or should not be assigned gidNumber? The issue
> > [1] indicates that "Domain Computers" should indeed have gidNumber.
> > However my assignment logic [3] specifically excludes "Domain
> > Computers" based on the original recommendation from this post [4]
> > which says "Which groups should be excluded? Just about all the groups
> > that a provision provides, with the exception of Domain Users".
> Well, yes, but as I said, there are always corner cases and in this case
> 'Domain Computers' must have a gidNumber because a computers
> PrimaryGroupID is the RID for 'Domain Computers'
> >
> > 2.  What other use cases are there for winbind needing to know about
> > computer accounts?
> No idea, but there are probably some.
> >   Is it just Samba file servers? If so, are there other cases where the
> > computer account is authenticating?
> If something goes directly to ldap, then no, but if it relies on
> winbind, then yes.
> >   Or should a DC (with "idmap_ldb:use rfc2307 = yes") also need to see
> > computer accounts (e.g. in wbinfo -u)?
>
> Now this is interesting, 'wbinfo -u' on a DC will not show computers,
> but 'getent passwd computername$' will.
>
> Rowland
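
A check for the two gaps Rowland describes (a computer account without a uidNumber, and 'Domain Computers' lacking a gidNumber even though every computer's primaryGroupID points at it), written as an added example that is not part of the thread nor of the adman utility. The directory entries, DNs and id ranges are constructed; the `rid` key on a group stands in for the RID taken from its objectSid, and the example assumes idmap_ad resolves a user's primary group through primaryGroupID.

```python
DOMAIN_COMPUTERS_RID = 515  # well-known RID of 'Domain Computers'

# Constructed snapshot of directory objects (not real data); "rid" on groups
# stands in for the RID taken from the group's objectSid.
ENTRIES = [
    {"dn": "CN=PC01,CN=Computers,DC=ex,DC=com", "sAMAccountName": "PC01$",
     "objectClass": "computer", "primaryGroupID": DOMAIN_COMPUTERS_RID},
    {"dn": "CN=PC02,CN=Computers,DC=ex,DC=com", "sAMAccountName": "PC02$",
     "objectClass": "computer", "primaryGroupID": DOMAIN_COMPUTERS_RID, "uidNumber": 10500},
    {"dn": "CN=Domain Computers,CN=Users,DC=ex,DC=com", "objectClass": "group",
     "sAMAccountName": "Domain Computers", "rid": DOMAIN_COMPUTERS_RID},
    {"dn": "CN=Domain Users,CN=Users,DC=ex,DC=com", "objectClass": "group",
     "sAMAccountName": "Domain Users", "rid": 513, "gidNumber": 10000},
]

def visible_to_winbind(entries):
    """Computer accounts idmap_ad can map: those that carry a uidNumber."""
    return [e["sAMAccountName"] for e in entries
            if e["objectClass"] == "computer" and "uidNumber" in e]

def find_gaps(entries):
    """Return (computers lacking uidNumber, primary groups lacking gidNumber)."""
    # winbind needs both: the computer's own uidNumber and the gidNumber of
    # the group that its primaryGroupID (a RID) points at.
    groups_by_rid = {e["rid"]: e for e in entries if e["objectClass"] == "group"}
    no_uid, no_gid = [], {}
    for e in entries:
        if e["objectClass"] != "computer":
            continue
        if "uidNumber" not in e:
            no_uid.append(e)
        grp = groups_by_rid.get(e["primaryGroupID"])
        if grp is not None and "gidNumber" not in grp:
            no_gid[grp["dn"]] = grp  # one record per group, however many members
    return no_uid, list(no_gid.values())

def build_ldif(entries, next_uid, next_gid):
    """LDIF modify records adding the missing attributes (ids assumed free)."""
    no_uid, no_gid = find_gaps(entries)
    records = []
    for g in no_gid:
        records.append(f"dn: {g['dn']}\nchangetype: modify\n"
                       f"add: gidNumber\ngidNumber: {next_gid}\n")
        next_gid += 1
    for c in no_uid:
        records.append(f"dn: {c['dn']}\nchangetype: modify\n"
                       f"add: uidNumber\nuidNumber: {next_uid}\n")
        next_uid += 1
    return "\n".join(records)
```

The LDIF is meant to be reviewed and then applied with ldbmodify or ldapmodify against the DC; the group fix is emitted first because a computer with a uidNumber but an unmapped primary group still fails to resolve.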

