Re: [Samba] samba 4 ad member - idmap = ad for machine accounts
- Date: Tue, 19 Sep 2017 16:00:19 +0200
- From: "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] samba 4 ad member - idmap = ad for machine accounts
> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
> Marco Gaiarin via samba
> Sent: Tuesday 19 September 2017 12:40
> To: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] samba 4 ad member - idmap = ad for
> machine accounts
> Mandi! L.P.H. van Belle via samba
> In chel di` si favelave...
> > I did lose a bit what the exact problem was here but I can
> > to explain a bit here.
> Probably I'm making some confusion here, but as stated by
> others before, we are not speaking about the SYSTEM user.
> In Microsoft Windows client OS, if you try to connect to a
> share with the local SYSTEM user, the client tries first with
> the machine account user and password, then tries anonymously
> (then fails ;).
> So, trying to restate the question more precisely: machine
> accounts are ID_BOTH ''users'', so cannot have UID/GID
> assigned, or can I assign to a machine account a UID (and
> assign to 'Domain Computers' a GID)?
UID for computer is not needed imo, GID can help.
> I think that if we add UID to machine account (and GID to
> Domain Computers group), machine account access to share will
> work exactly as for RID backend...
I don't know, but worth a try.
> Better now? Thanks.
What may be an option is:
make use of idmap.conf with something like this.
[General]
Verbosity = 1
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
# Domain = localdomain
Domain = internal.dnsdomain.tld
Local-Realm = REALM

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch

[Static]
SERVERHOSTNAME1$@REALM = root
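
Added example, not part of the original message: a Python check that parses a configuration in the style shown above and reports static entries that map a Kerberos principal to a privileged local account, such as the machine-account-to-root line. The section names ([Translation], [Static]), the sample text and the PRIVILEGED set are assumptions of this example.

```python
import configparser

# Local accounts treated as privileged for this check (assumption).
PRIVILEGED = {"root"}

# Constructed sample mirroring the configuration in the message above.
SAMPLE = """\
[General]
Verbosity = 1
Domain = internal.dnsdomain.tld

[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch

[Static]
SERVERHOSTNAME1$@REALM = root
alice@REALM = alice
"""

def audit_static(text):
    """Return one finding per static mapping that lands on a privileged user."""
    # Only '=' separates key and value; no interpolation, so '$' is literal.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the principal's case (default lowercases keys)
    cp.read_string(text)
    if not cp.has_section("Static"):
        return []
    # Collect the translation methods that are switched on.
    active = set()
    for key in ("Method", "GSS-Methods"):
        value = cp.get("Translation", key, fallback="")
        active.update(m.strip() for m in value.split(",") if m.strip())
    findings = []
    for principal, local in cp.items("Static"):
        account = principal.split("@", 1)[0]
        if local.strip() in PRIVILEGED:
            findings.append({
                "principal": principal,
                "local_user": local.strip(),
                # AD machine accounts end in '$' (SERVERHOSTNAME1$).
                "machine_account": account.endswith("$"),
                # The mapping only takes effect if 'static' is enabled.
                "static_enabled": "static" in active,
            })
    return findings

if __name__ == "__main__":
    for f in audit_static(SAMPLE):
        print(f)
```
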