
[Samba] samba 4 ad member - idmap = ad for machine accounts


I have samba 4.5.10 file server as AD member (AD is also samba 4.5.10).

I'm using the Unix extension for Windows RSAT to set UIDs for all users, and on the Samba AD member I'd prefer to use idmap = ad to have consistent file permissions across multiple file servers.

My issue is with machine accounts. The RSAT extension doesn't allow for easy "uid" setting for machine accounts. I've been trying with an LDAP editor to set UID, primary group ID etc., but without success.

Why do I need this?

When a task on a PC is run as SYSTEM and should access a network share, Windows will try to use its machine account instead. I'm using some backup tasks and other scripts that are supposed to store output in network shares; for this to work I simply want to give read-write permissions to machine accounts, and with idmap = AD those accounts have no UID.

With idmap = rid everything obviously works fine, but I'm not sure how consistent permissions will be across servers.

What I'm planning to do is to set the idmap uid range to something like 5000 - 99999, with 10,000+ for users (default setting), and use 5000+ for machines. This way I have a large enough margin, so it won't overlap with users, and it will not interfere with the RSAT auto-increment by one.

Samba unix settings are minimal, all permissions are set using windows GUI.

My question comes down to this:

- which LDAP attributes of an AD-joined Windows PC should be edited, so it will have access to a Samba 4 share with its machine account, when using idmap = AD, in the same way that domain users do when using the NIS extension for RSAT?
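The following is an added example, not part of the original post and not code from the Samba project. It shows the attributes the idmap_ad backend reads (uidNumber on the account, gidNumber on the account and on its primary group) written as LDIF for a computer object, with a range check because idmap_ad discards IDs that fall outside the configured idmap range. The base DN DC=example,DC=com, the computer name PC01, the container CN=Computers, the DC hostname dc.example.com and the 5000-99999 range from the post are all assumptions to be adjusted for a real domain.

```shell
#!/bin/sh
# Added example, not from the original post or the Samba project.
# Emits LDIF that gives an AD computer account the rfc2307 attributes the
# idmap_ad backend reads. Assumed values: base DN DC=example,DC=com,
# computers under CN=Computers, idmap range 5000-99999 (as proposed in the post).

IDMAP_LOW=5000
IDMAP_HIGH=99999

# idmap_ad ignores a uidNumber/gidNumber outside the range configured in
# smb.conf ("idmap config DOMAIN : range = 5000-99999"), so refuse such
# values before anything is written to the directory.
in_idmap_range() {
    [ "$1" -ge "$IDMAP_LOW" ] && [ "$1" -le "$IDMAP_HIGH" ]
}

# LDIF for one computer account: its uidNumber plus the gidNumber of its
# primary group. New machines get primaryGroupID 515 (Domain Computers),
# so the same gid is expected on that group (see the next function).
# "replace" adds the attribute when it is absent and overwrites it otherwise.
machine_uid_ldif() {
    name=$1; uid=$2; gid=$3; base=$4
    in_idmap_range "$uid" || { echo "uid $uid outside idmap range" >&2; return 1; }
    in_idmap_range "$gid" || { echo "gid $gid outside idmap range" >&2; return 1; }
    printf 'dn: CN=%s,CN=Computers,%s\nchangetype: modify\nreplace: uidNumber\nuidNumber: %s\n-\nreplace: gidNumber\ngidNumber: %s\n-\n' \
        "$name" "$base" "$uid" "$gid"
}

# LDIF for Domain Computers, the default primary group of machine accounts.
# idmap_ad maps groups only when they carry a gidNumber, so this is needed
# once per domain for the group itself to resolve on the member server.
domain_computers_gid_ldif() {
    gid=$1; base=$2
    in_idmap_range "$gid" || { echo "gid $gid outside idmap range" >&2; return 1; }
    printf 'dn: CN=Domain Computers,CN=Users,%s\nchangetype: modify\nreplace: gidNumber\ngidNumber: %s\n-\n' \
        "$base" "$gid"
}

# Usage against a DC (ldbmodify takes LDIF files as arguments):
#   domain_computers_gid_ldif 5000 'DC=example,DC=com' > dc-gid.ldif
#   machine_uid_ldif PC01 5001 5000 'DC=example,DC=com' > pc01.ldif
#   ldbmodify -H ldap://dc.example.com -U Administrator dc-gid.ldif pc01.ldif
# Verify on the member server after clearing the winbind cache:
#   net cache flush
#   wbinfo --name-to-sid 'EXAMPLE\PC01$'
#   wbinfo --sid-to-uid <SID printed above>     # expected: 5001
```

The check on the member server is the useful part: if `wbinfo --sid-to-uid` still fails after the attributes are set, the usual causes are the ID lying outside the configured range, the primary group lacking a gidNumber, or a stale winbind cache.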



To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba