[Samba] Setting uidNumber for machine accounts

Jonathon Reinhart jonathon.reinhart at gmail.com
Mon Feb 17 01:08:54 UTC 2020

Hi Marco,

On Fri, Feb 14, 2020 at 3:26 AM Marco Gaiarin via samba
<samba at lists.samba.org> wrote:
> Hi! Jonathon Reinhart via samba
>   said on that day...
> > I understand the OP in this post [2] had the following use case: A
> > startup script uses the computer account to access a samba server.
> More specifically: if you need ''services'' (or more generally:
> 'things that run on the SYSTEM account') to have access to your share, the
> Windows client OS automatically does/tries an access to the share with the
> machine credential.
> E.g., the client 'translates' the SYSTEM account to machine credential access.

Thanks a lot. I didn't realize that services running as the Local
System account effectively use the machine account.

This is confirmed on this Microsoft documentation page:

which says:

"When a service runs under the LocalSystem account on a computer that
is a domain member, the service has whatever network access is granted
to the computer account, or to any groups of which the computer
account is a member. ...all LocalSystem services share the computer
account of their host server."

> > 1. Which groups should or should not be assigned gidNumber? The issue
> > [1] indicates that "Domain Computers" should indeed have gidNumber.
> I have uidNumber assigned to my PCs, and clearly gidNumber assigned to
> 'Domain Computers'.
> > 2.  What other use cases are there for winbind needing to know about
> > computer accounts?
> >  Is it just Samba file servers? If so, are there other cases where the
> > computer account is authenticating?
> >  Or should a DC (with "idmap_ldb:use rfc2307 = yes") also need to see
> > computer accounts (e.g. in wbinfo -u)?
> AFAIK no; I also use the machine account for wireless authentication via
> RADIUS, but clearly this has nothing to do with the filesystem, and so
> nothing to do with uid/gid assignment.
> So, also for me, this is needed just for 'Samba file server'.

That all makes sense. Thanks again for the feedback.
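A small audit script, added here as an example and not part of the list thread or of Samba itself, that checks the two points the thread settles on: every computer object should carry a uidNumber, and the "Domain Computers" group should carry a gidNumber, so that winbind can map machine-account access to a file server. It parses LDIF of the kind that ldbsearch or ldapsearch prints; the LDIF below, its DNs and its id numbers are constructed sample data.

```python
"""Audit rfc2307 idmap attributes on AD computer objects (added example).

Feed it the LDIF output of ldbsearch/ldapsearch for computer and group
objects; it lists machine accounts without uidNumber and reports the
gidNumber of "Domain Computers". All sample data here is constructed.
"""
import sys

# Constructed LDIF: two computers (one missing uidNumber) and two groups.
SAMPLE_LDIF = """\
dn: CN=WS01,CN=Computers,DC=example,DC=com
objectClass: computer
sAMAccountName: WS01$
uidNumber: 3001000
gidNumber: 3000515

dn: CN=FILESRV,CN=Computers,DC=example,DC=com
objectClass: computer
sAMAccountName: FILESRV$

dn: CN=Domain Computers,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Computers
gidNumber: 3000515

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
gidNumber: 3000513
"""


def parse_ldif(text):
    """Parse plain LDIF (folded lines supported, base64 values not) into
    a list of dicts mapping attribute name -> list of values."""
    entries, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if line.startswith(" ") and last_key:   # folded continuation line
            current[last_key][-1] += line[1:]
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        current.setdefault(last_key, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit(entries):
    """Return which computer accounts lack uidNumber and the gidNumber
    (or None) of the Domain Computers group."""
    computers = [e for e in entries if "computer" in e.get("objectClass", [])]
    missing_uid = [e["sAMAccountName"][0] for e in computers
                   if "uidNumber" not in e]
    groups = {e["sAMAccountName"][0]: e for e in entries
              if "group" in e.get("objectClass", [])}
    dom_computers = groups.get("Domain Computers", {})
    dc_gid = dom_computers.get("gidNumber", [None])[0]
    return {"missing_uidNumber": missing_uid,
            "domain_computers_gidNumber": dc_gid}


if __name__ == "__main__":
    # Use stdin when piped (e.g. from ldbsearch), else the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    result = audit(parse_ldif(text))
    for name in result["missing_uidNumber"]:
        print(f"computer account without uidNumber: {name}")
    if result["domain_computers_gidNumber"] is None:
        print("'Domain Computers' has no gidNumber")
    else:
        print(f"'Domain Computers' gidNumber = {result['domain_computers_gidNumber']}")
```

With the constructed input the script reports FILESRV$ as lacking a uidNumber and shows 3000515 for "Domain Computers"; with real data, pipe in an export such as the LDIF output of ldbsearch over the objects you want to check.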
