Web lists-archives.com

Re: [Samba] samba 4 ad member - idmap = ad for machine accounts




Hai Marco, 


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens 
> Marco Gaiarin via samba
> Verzonden: dinsdag 19 september 2017 12:40
> Aan: samba@xxxxxxxxxxxxxxx
> Onderwerp: Re: [Samba] samba 4 ad member - idmap = ad for 
> machine accounts
> 
> Mandi! L.P.H. van Belle via samba
>   In chel di` si favelave...
> 
> > I did loose a bit what the exact problem was here but i can 
> to explain a bit here.
> 
> Probably i'm making some confusion here, but just stated by 
> other before, we are not speaking about SYSTEM user.
> 
> In microsoft windows client OS, if you try to connect to a 
> share with the local SYSTEM user, the client try first with 
> the machine account user and password, then try anonymously 
> (then fail ;).
> 
> 
> So, trying to restate the question more precisely: machine 
> accounts are ID_BOTH ''users'', so cannot have UID/GID 
> assigned, or i can assign to machine account a UID (and 
> assign to 'Domain Computers' a GID)?
UID for computer is not needed imo, GID can help. 

> 
> 
> I think that if we add UID to machine account (and GID to 
> Domain Computers group), machine account access to share will 
> work exactly as for RID backend...
I dont know, but worth a try. 

> 
> 
> Better now? Thanks.
> 
Yes, thanks. 

What maybe an options is. 
Make use if idmap.conf with something like this.

[General]
Verbosity = 1

Pipefs-Directory = /run/rpc_pipefs

# set your own domain here, if id differs from FQDN minus hostname
# Domain = localdomain
Domain = internal.dnsdomain.tld
Local-Realm = REALM

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

[Translation]

Method = static,nsswitch
GSS-Methods = static,nsswitch

[Static]

SERVERHOSTNAME1$@REALM = root



Greetz,  

Louis



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba