Hi, Thanks for the quick reply. I read the links you suggested when I setup my domain member configuration. Followed the links a s closely as I could. Just read them again. Did you mean to point me at some part I missed in order to get the machine network accounts to be able to access the shares? Which part? I removed the 'winbind' lines and 'username map' lines. They are traces of my efforts to get things working. (still getting 'username xxxx invalid on this system' for the machine network accounts) About the SYSTEM account: My understanding is that it is not causing the 'access denied' on the domain member (FS1). I just put it in the properties->security tab because the answer I quoted suggested it. I saw no follow up on the answer I quoted. Should I expect it to work at all in my setup? regards, Tom -- Sent from: http://samba.2283325.n4.nabble.com/Samba-General-f2403709.html
Rowland Penny
2017-Nov-20 18:57 UTC
[Samba] samba 4 ad member - idmap = ad for machine accounts
On Mon, 20 Nov 2017 10:43:58 -0700 (MST) tomict via samba <samba at lists.samba.org> wrote:> Hi, > > Thanks for the quick reply. > > I read the links you suggested when I setup my domain member > configuration. Followed the links a s closely as I could. Just read > them again. Did you mean to point me at some part I missed in order > to get the machine network accounts to be able to access the shares? > Which part? > > I removed the 'winbind' lines and 'username map' lines. They are > traces of my efforts to get things working. (still getting 'username > xxxx invalid on this system' for the machine network accounts) > > About the SYSTEM account: My understanding is that it is not causing > the 'access denied' on the domain member (FS1). I just put it in the > properties->security tab because the answer I quoted suggested it. I > saw no follow up on the answer I quoted. Should I expect it to work > at all in my setup? > > regards, > TomI think the problem here is that you are trying to use a machine account. On Unix there are users, groups and computers, whilst on Windows there are users, groups and special users that are also computers ;-) You posted that you have added uidNumber and gidNumber attributes to the users and groups, did this include 'Domain Computers' ? For the Unix OS to know about the users, it asks winbind (via NSS) and winbind (when using the 'ad' backend) will return data for users that have a uidNumber AND their primary group has a gidNumber. For the normal users this is Domain Users, but for computers, it is Domain Computers. If 'getent passwd PC050$' doesn't return anything, then you need to find out why. Rowland
Samba - General mailing list wrote> On Mon, 20 Nov 2017 10:43:58 -0700 (MST) > tomict via samba <> samba at .samba> > wrote: > On Unix there are users, groups and computers, whilst on > Windows there are users, groups and special users that are also > computers ;-) > > You posted that you have added uidNumber and gidNumber attributes to > the users and groups, did this include 'Domain Computers' ?Yes, "Domain Computers" and other groups as well, have a GID (Group ID, 10003 in my case) Samba - General mailing list wrote> For the Unix OS to know about the users, it asks winbind (via NSS) and > winbind (when using the 'ad' backend) will return data for users that > have a uidNumber AND their primary group has a gidNumber. For the > normal users this is Domain Users, but for computers, it is Domain > Computers. > > If 'getent passwd PC050$' doesn't return anything, then you need to > find out why.indeed, getent passwd PC050$ does not return anything. In the ADUC attribute editor it shows sAMAccountType : 805306369 = ( MACHINE_ACCOUNT) primaryGroupID : 515 = ( GROUP_RID_COMPUTERS ) gidNumber : not set I understand from your question that computer network accounts should be visible in the list of user accounts (getent passwd) and that computer accounts must have a GID in order to 'show up'. However, I have no computers showing up. Can I set that somewhere? I tried setting the attribures 'uid''gid'and 'gidNumber' with the ADUC attribute editor but that did not result in the computer showing up in 'getent passwd' 'getent group' does list all the groups that have a GID set, including "Domain Computers" Tom -- Sent from: http://samba.2283325.n4.nabble.com/Samba-General-f2403709.html
Possibly Parallel Threads
- samba 4 ad member - idmap = ad for machine accounts
- samba 4 ad member - idmap = ad for machine accounts
- samba 4 ad member - idmap = ad for machine accounts [SOLVED]
- samba 4 ad member - idmap = ad for machine accounts [SOLVED]
- samba 4 ad member - idmap = ad for machine accounts