
Re: [Samba] samba 4 ad member - idmap = ad for machine accounts




Hi Kacper,

1) I have v. important windows application that is running as windows
service as "SYSTEM" account. It writes a lot of image-type files.
Because it's running as SYSTEM, machine account has to have "read/write"
to the share.

Ok. You might take a look if you can lower the account rights from SYSTEM to "Network Service" account. It still has access to the Kerberos machine account for network connection, but runs with lower privileges.

2) I'm using some machine autostart scripts, for various tasks, which work
again as SYSTEM, so if they have to get anything from network share,
they need to have read/write permission. What I'm doing is, for example,
as autostart run a batch script, that would check
\\fileserver\public\test-file.txt if %COMPUTERNAME% exists in this file.
if not - run some robocopy script, then >> %COMPUTERNAME% to the end of
the file.
or even something simple like this:
"if exist \\server\share\%computername%.txt (exit)
else robocopy some-files
echo . > \\server\share\%computername%.txt
exit"

I try to avoid using this kind of remote connection in scripts if possible because there are so many things that can go wrong with the network on a workstation... I'd rather create a software package (you might check WAPT at wapt.fr for that) so that all the needed pieces are on the computer when it has to run.

3) Some windows applications that I use also run as SYSTEM account and
they have built-in backup utilities, and if I want to backup straight to
network share - again - machine account needs direct write access to share.

If possible, you might try to have the backups done the other way around. Indeed, if the Windows workstation gets ransomware, it will have the credentials to also cryptolock the backup share (even though I guess malware writers currently don't bother to use the machine Kerberos account).

I do know that machine accounts are "normal" accounts, and I tried
simply adding them to windows ACL, but it just didn't work. I had to go
with "idmap = rid", and it did just fine, so the issue must be with
idmap backend - ad not supplying valid uid for winbind, right?

RID is just fine as an IDMAP. Actually, it is the best solution in the large majority of cases. If you use RID, all fileservers will have the same mapping. Yeah, your DC won't have a consistent mapping, but you mostly don't care (and using the plain old TDB mapping on the DC will prevent you from falling into the "domain admins" gidnumber vs xidnumber pitfall).

Cheers,

Denis



On 2017-09-17 at 19:50, Rowland Penny via samba wrote:
On Sun, 17 Sep 2017 18:14:45 +0200
Kacper Wirski via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hello,

I have samba 4.5.10 file server as AD member (AD is also samba
4.5.10).

I'm using unix extension for windows rsat to set UIDs for all users
and on samba AD member I'd prefer to use idmap = ad to have
consistent file permissions across multiple file servers.

My issue is with machine accounts. RSAT extension doesn't allow for
easy "uid" setting for machine accounts. I've been trying with ldap
editor to set UID, primary group ID etc., but without success.

Why do I need this?

Short answer, you don't for machine accounts

When task on a PC is run as SYSTEM and should access network share,
windows will try to use its machine account instead. I'm using some
backup tasks and other scripts that are supposed to store output in
network shares, for this to work I simply want to give read-write
permissions to machine accounts, and with idmap = AD those accounts
have no UID.

Ah, I think you may be mistaking Kerberos machine accounts for machine
accounts. Let me guess, you come from a Samba 3 way of doing things ;-)


With idmap = rid everything works obviously fine, but I'm not sure
how consistent permissions will be across servers.

You can get consistent IDs on Unix domain members with the 'rid'
backend, but you will have different IDs on a Samba DC

What I'm planning to do is setting idmap uid range something like
5000 - 99999, with 10,000 + for users (default setting), and use
5000+ for machines. This way I have large enough margin, so it won't
overlap with users, and it will not interfere with rsat
auto-increment by one.

You do not need uidNumbers for machines and I cannot recommend your
suggested ranges. You should be aware, as far as AD is concerned, a
computer is also a user.

Samba unix settings are minimal, all permissions are set using
windows GUI.

Or to put it another way, you are using Windows ACLs

My question comes down to this:

- which LDAP attributes of an AD joined windows PC should be edited,
so it will have access to samba 4 share with its machine account,
when using idmap = AD in the same way, that domain users do, when
using NIS extension for RSAT?

I think this may be the wrong question, I think you may be better
asking how do I make my scripts work with Samba AD

Can I suggest you read this wikipage:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

I have updated it today, to try and make the range setting etc a bit
more understandable.

It will definitely help if you post the smb.conf you are using on your
Unix domain member (what you call a fileserver)

As you cannot attach files to posts to this list, can I suggest you
send me (offlist) one of the scripts you are having problems with and I
will try to advise just where you may be going wrong.

Rowland







--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
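
Added example, not part of the original thread and not Samba code: a small Python model of the two idmap backends discussed above, showing why a machine account gets a Unix ID under rid but not under ad. It uses the formula documented for idmap_rid (ID = RID - BASE_RID + LOW_RANGE_ID) and the uidNumber lookup of idmap_ad; the domain SID, account names, RIDs and ranges are constructed sample values.

```python
# Added example: models the documented idmap_rid formula and the idmap_ad lookup.
# The domain SID, RIDs, ranges and account names are constructed sample values.

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed


def split_sid(sid):
    """Return (domain_sid, rid) for an account SID."""
    domain, _, rid = sid.rpartition("-")
    if not domain.startswith("S-1-") or not rid.isdigit():
        raise ValueError(f"not an account SID: {sid!r}")
    return domain, int(rid)


def rid_backend(sid, domain_sid, low, high, base_rid=0):
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID, or None if unmappable."""
    domain, rid = split_sid(sid)
    if domain != domain_sid:
        return None  # SID belongs to a domain this idmap config does not cover
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def ad_backend(account, low, high):
    """idmap_ad: use the uidNumber stored in AD; no attribute means no mapping."""
    uid = account.get("uidNumber")
    return uid if uid is not None and low <= uid <= high else None


# Constructed directory entries: a user whose uidNumber was set through RSAT,
# and a workstation machine account that carries no RFC2307 attributes.
ACCOUNTS = {
    "kacper": {"sid": DOMAIN_SID + "-1105", "uidNumber": 10001},
    "WS01$": {"sid": DOMAIN_SID + "-1131", "uidNumber": None},
}


def map_all(backend, low, high):
    """Map every sample account with the chosen backend and ID range."""
    out = {}
    for name, acct in ACCOUNTS.items():
        if backend == "rid":
            out[name] = rid_backend(acct["sid"], DOMAIN_SID, low, high)
        else:
            out[name] = ad_backend(acct, low, high)
    return out


if __name__ == "__main__":
    print("ad :", map_all("ad", 10000, 999999))
    print("rid:", map_all("rid", 10000, 999999))
```

Two domain members configured with the same range return the same IDs from `rid_backend`, while a member with a different range or a too-small range does not, so the range has to be identical on every fileserver.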

