[Samba] Setting uidNumber for machine accounts

Jonathon Reinhart jonathon.reinhart at gmail.com
Mon Feb 17 01:08:54 UTC 2020


Hi Marco,

On Fri, Feb 14, 2020 at 3:26 AM Marco Gaiarin via samba
<samba at lists.samba.org> wrote:
>
> Hello! Jonathon Reinhart via samba
>   on that day was saying...
>
> > I understand the OP in this post [2] had the following use case: A
> > startup script uses the computer account to access a samba server.
>
> More specifically: if you need ''services'' (or more generally:
> 'things that run under the SYSTEM account') to have access to your share,
> the Windows client OS automatically tries to access the share with the
> machine credential.
>
> E.g., the client 'translates' the SYSTEM account into machine-credential access.

Thanks a lot. I didn't realize that services running as the Local
System account effectively use the machine account.

This is confirmed on this Microsoft documentation page:
https://docs.microsoft.com/en-us/windows/win32/ad/the-localsystem-account

which says:

"When a service runs under the LocalSystem account on a computer that
is a domain member, the service has whatever network access is granted
to the computer account, or to any groups of which the computer
account is a member. ...all LocalSystem services share the computer
account of their host server."

> > 1. Which groups should or should not be assigned gidNumber? The issue
> > [1] indicates that "Domain Computers" should indeed have gidNumber.
>
> I have uidNumber assigned to my PCs, and clearly gidNumber assigned to
> 'Domain Computers'.
>
>
> > 2.  What other use cases are there for winbind needing to know about
> > computer accounts?
> >  Is it just Samba file servers? If so, are there other cases where the
> > computer account is authenticating?
> >  Or should a DC (with "idmap_ldb:use rfc2307 = yes") also need to see
> > computer accounts (e.g. in wbinfo -u)?
>
> AFAIK no; I also use the machine account for wireless authentication via
> RADIUS, but clearly this has nothing to do with the filesystem, and so
> nothing to do with uid/gid assignment.
>
> So, for me too, this is needed just for the 'Samba file server'.

That all makes sense. Thanks again for the feedback.

Jonathon
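A check for the setup Marco describes, added here as an example and not code from the thread or from the Samba project: given an LDIF dump of the computer accounts and the 'Domain Computers' group, it reports computer accounts that lack uidNumber, whether 'Domain Computers' carries a gidNumber, and any uidNumber shared by more than one account (a collision a file server would silently map to the same Unix identity). The embedded LDIF is constructed; on a DC you would feed it ldbsearch output as in the docstring, where the sam.ldb path is the usual default and an assumption.

```python
"""Audit Samba AD ID-mapping attributes that a Samba file server needs when
LocalSystem services connect with the machine account. Added example, not
Samba project code. Assumed use on a DC (sam.ldb path is the default, an
assumption):
  ldbsearch -H /var/lib/samba/private/sam.ldb \\
    '(|(objectClass=computer)(sAMAccountName=Domain Computers))' \\
    sAMAccountName objectClass uidNumber gidNumber > dump.ldif
  python3 audit_idmap.py dump.ldif
"""
import base64
import sys

# Constructed sample in ldbsearch's LDIF output format, not a real dump.
SAMPLE_LDIF = """\
# record 1
dn: CN=PC01,CN=Computers,DC=example,DC=com
objectClass: computer
sAMAccountName: PC01$
uidNumber: 3000100

# record 2
dn: CN=PC02,CN=Computers,DC=example,DC=com
objectClass: computer
sAMAccountName: PC02$

# record 3
dn: CN=PC03,CN=Computers,DC=example,DC=com
objectClass: computer
sAMAccountName:: UEMwMyQ=
uidNumber: 3000100

# record 4
dn: CN=Domain Computers,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Computers
gidNumber: 3000001

# returned 4 records
"""


def _logical_lines(text):
    """Unfold LDIF continuation lines (a leading space continues the previous line)."""
    buf = None
    for raw in text.splitlines():
        if raw.startswith(" ") and buf is not None:
            buf += raw[1:]
        else:
            if buf is not None:
                yield buf
            buf = raw
    if buf is not None:
        yield buf


def parse_ldif(text):
    """Return a list of entries, each a dict of attribute -> list of values."""
    entries, current = [], {}
    for line in _logical_lines(text):
        if line.startswith("#"):          # ldbsearch record markers / comments
            continue
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(key.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def audit(entries):
    """Flag computers without uidNumber, check Domain Computers' gidNumber,
    and report uidNumber values shared by more than one account."""
    missing_uid, by_uid = [], {}
    dc_found = dc_has_gid = False
    for e in entries:
        classes = {c.lower() for c in e.get("objectClass", [])}
        name = e.get("sAMAccountName", [""])[0]
        uids = e.get("uidNumber", [])
        if "computer" in classes and not uids:
            missing_uid.append(name)
        for uid in uids:
            by_uid.setdefault(uid, []).append(name)
        if "group" in classes and name.lower() == "domain computers":
            dc_found, dc_has_gid = True, bool(e.get("gidNumber"))
    return {
        "computers_missing_uidNumber": sorted(missing_uid),
        "domain_computers_found": dc_found,
        "domain_computers_has_gidNumber": dc_has_gid,
        "duplicate_uidNumbers": {u: sorted(n) for u, n in by_uid.items() if len(n) > 1},
    }


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LDIF
    report = audit(parse_ldif(text))
    for key, val in report.items():
        print(f"{key}: {val}")
    bad = (report["computers_missing_uidNumber"] or report["duplicate_uidNumbers"]
           or not report["domain_computers_has_gidNumber"])
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it audits the constructed sample and exits non-zero, since PC02$ has no uidNumber and PC01$/PC03$ share one; with a real dump it exits 0 only when every computer account has a uidNumber, 'Domain Computers' has a gidNumber, and no uidNumber is duplicated.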
