Kacper Wirski
2017-Sep-17 16:14 UTC
[Samba] samba 4 ad member - idmap = ad for machine accounts
Hello,

I have samba 4.5.10 file server as AD member (AD is also samba 4.5.10).

I'm using unix extension for windows rsat to set UIDs for all users and on samba AD member I'd prefer to use idmap = ad to have consistent file permissions across multiple file servers.

My issue is with machine accounts. RSAT extension doesn't allow for easy "uid" setting for machine accounts. I've been trying with ldap editor to set UID, primary group ID etc., but without success.

Why do I need this?

When task on a PC is run as SYSTEM and should access network share, windows will try to use its machine account instead. I'm using some backup tasks and other scripts that are supposed to store output in network shares, for this to work I simply want to give read-write permissions to machine accounts, and with idmap = AD those accounts have no UID.

With idmap = rid everything works obviously fine, but I'm not sure how consistent permissions will be across servers.

What I'm planning to do is setting idmap uid range something like 5000 - 99999, with 10,000+ for users (default setting), and use 5000+ for machines. This way I have large enough margin, so it won't overlap with users, and it will not interfere with rsat auto-increment by one.

Samba unix settings are minimal, all permissions are set using windows GUI.

My question comes down to this:

- which LDAP attributes of an AD joined windows PC should be edited, so it will have access to samba 4 share with its machine account, when using idmap = AD in the same way that domain users do, when using NIS extension for RSAT?

Regards,
Kacper
Rowland Penny
2017-Sep-17 17:50 UTC
[Samba] samba 4 ad member - idmap = ad for machine accounts
On Sun, 17 Sep 2017 18:14:45 +0200
Kacper Wirski via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I have samba 4.5.10 file server as AD member (AD is also samba
> 4.5.10).
>
> I'm using unix extension for windows rsat to set UIDs for all users
> and on samba AD member I'd prefer to use idmap = ad to have
> consistent file permissions across multiple file servers.
>
> My issue is with machine accounts. RSAT extension doesn't allow for
> easy "uid" setting for machine accounts. I've been trying with ldap
> editor to set UID, primary group ID etc., but without success.
>
> Why do I need this?

Short answer, you don't for machine accounts

> When task on a PC is run as SYSTEM and should access network share,
> windows will try to use its machine account instead. I'm using some
> backup tasks and other scripts that are supposed to store output in
> network shares, for this to work I simply want to give read-write
> permissions to machine accounts, and with idmap = AD those accounts
> have no UID.

Ah, I think you may be mistaking Kerberos machine accounts for machine accounts. Let me guess, you come from a Samba 3 way of doing things ;-)

> With idmap = rid everything works obviously fine, but I'm not sure
> how consistent permissions will be across servers.

You can get consistent IDs on Unix domain members with the 'rid' backend, but you will have different IDs on a Samba DC

> What I'm planning to do is setting idmap uid range something like
> 5000 - 99999, with 10,000+ for users (default setting), and use
> 5000+ for machines. This way I have large enough margin, so it won't
> overlap with users, and it will not interfere with rsat
> auto-increment by one.

You do not need uidNumbers for machines and I cannot recommend your suggested ranges. You should be aware, as far as AD is concerned, a computer is also a user.

> Samba unix settings are minimal, all permissions are set using
> windows GUI.

Or to put it another way, you are using Windows ACLs

> My question comes down to this:
>
> - which LDAP attributes of an AD joined windows PC should be edited,
> so it will have access to samba 4 share with its machine account,
> when using idmap = AD in the same way that domain users do, when
> using NIS extension for RSAT?

I think this may be the wrong question, I think you may be better asking how do I make my scripts work with Samba AD

Can I suggest you read this wikipage:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

I have updated it today, to try and make the range setting etc. a bit more understandable.

It will definitely help if you post the smb.conf you are using on your Unix domain member (what you call a fileserver)

As you cannot attach files to posts to this list, can I suggest you send me (offlist) one of the scripts you are having problems with and I will try to advise just where you may be going wrong.

Rowland
Kacper Wirski
2017-Sep-17 19:37 UTC
[Samba] samba 4 ad member - idmap = ad for machine accounts
Hello,

Thanks for quick reply.

File server config looks exactly like this, except more shares, all with same simple config. I know that "use default domain" isn't necessary, but it's not the issue for me right now.

    [global]
        netbios name = VS-FILES
        security = ADS
        workgroup = MYDOMAIN
        realm = MYDOMAIN.COM
        log file = /var/log/samba/%m.log
        log level = 1
        idmap config *:backend = tdb
        idmap config *:range = 100-2000
        idmap config MYDOMAIN:backend = ad
        idmap config MYDOMAIN:schema_mode = rfc2307
        idmap config MYDOMAIN:range = 4000-99999
        winbind enum users = yes
        winbind enum groups = yes
        winbind nested groups = yes
        winbind expand groups = 5
        winbind use default domain = yes
        winbind nss info = rfc2307
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

    [SOME_SHARE]
        path = /home/shares/SOME_SHARE/
        read only = no

Some uses I have for machine accounts:

1) I have v. important windows application that is running as windows service as "SYSTEM" account. It writes a lot of image-type files. Because it's running as SYSTEM, machine account has to have "read/write" to the share.

2) I'm using some machine autostart scripts, for various tasks, which work again as SYSTEM, so if they have to get anything from network share, they need to have read/write permission. What I'm doing is, for example, as autostart run a batch script, that would check \\fileserver\public\test-file.txt if %COMPUTERNAME% exists in this file. If not - run some robocopy script, then >> %COMPUTERNAME% to the end of the file. Or even something simple like this:

    if exist \\server\share\%COMPUTERNAME%.txt (exit) else (
        robocopy some-files
        echo . > \\server\share\%COMPUTERNAME%.txt
        exit
    )

3) Some windows applications that I use also run as SYSTEM account and they have built-in backup utilities, and if I want to backup straight to network share - again - machine account needs direct write access to share.

I do know that machine accounts are "normal" accounts, and I tried simply adding them to windows ACL, but it just didn't work. I had to go with "idmap = rid", and it did just fine, so the issue must be with idmap backend - ad not supplying valid uid for winbind, right?
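The behaviour the two posters are circling (a computer account such as PC-01$ that Windows presents when a SYSTEM service touches a share gets no uid under the 'ad' backend because the object carries no uidNumber, while the 'rid' backend derives one arithmetically from the account's RID and the configured range) can be shown with a small model. The following is an added example, not code from the thread and not Samba's implementation: it parses the idmap settings from the smb.conf posted above, resolves a few constructed accounts the way each backend would, and runs the range sanity checks a practitioner would apply before trusting the mapping. The account names, RIDs, uidNumber values and local UIDs are made up.

```python
"""Toy model of winbind idmap resolution for the 'ad' and 'rid' backends,
plus sanity checks on the idmap ranges in smb.conf.
Added example; not Samba's own code."""
import re

# Constructed input: the idmap lines from the member server's smb.conf above.
SMB_CONF = """
[global]
   idmap config *:backend = tdb
   idmap config *:range = 100-2000
   idmap config MYDOMAIN:backend = ad
   idmap config MYDOMAIN:schema_mode = rfc2307
   idmap config MYDOMAIN:range = 4000-99999
"""

# Hypothetical directory snapshot: RID of each object's objectSid and its
# RFC2307 uidNumber (None = attribute not set). Computer accounts normally
# get no uidNumber from the RSAT NIS extension, exactly the case in the thread.
DIRECTORY = {
    "alice":  {"rid": 1104, "uidNumber": 10001},
    "bob":    {"rid": 1105, "uidNumber": 10002},
    "PC-01$": {"rid": 1130, "uidNumber": None},   # machine account, no uidNumber
}

_IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)


def parse_idmap(conf):
    """Return {domain: {key: value}} for every 'idmap config' line in conf."""
    cfg = {}
    for dom, key, val in _IDMAP_RE.findall(conf):
        cfg.setdefault(dom, {})[key] = val
    return cfg


def parse_range(text):
    """'4000-99999' -> (4000, 99999)."""
    low, high = (int(x) for x in text.split("-"))
    return low, high


def check_ranges(cfg, local_uids=()):
    """Flag a missing default range, overlapping ranges, and domain ranges
    that collide with UIDs of local (/etc/passwd) accounts."""
    problems = []
    if "range" not in cfg.get("*", {}):
        problems.append("no default ('*') idmap range")
    ranges = {d: parse_range(c["range"]) for d, c in cfg.items() if "range" in c}
    doms = list(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (al, ah), (bl, bh) = ranges[a], ranges[b]
            if al <= bh and bl <= ah:
                problems.append(f"ranges for {a} and {b} overlap")
    for d, (lo, hi) in ranges.items():
        for uid in local_uids:
            if lo <= uid <= hi:
                problems.append(f"local uid {uid} falls inside range for {d}")
    return problems


def resolve_uid(account, cfg, domain="MYDOMAIN"):
    """Map an account to a uid as the configured backend would; None if unmapped.
    'ad'  : uid comes from the object's uidNumber attribute.
    'rid' : uid = range low + RID, so every member with the same range agrees."""
    dcfg = cfg[domain]
    lo, hi = parse_range(dcfg["range"])
    entry = DIRECTORY[account]
    if dcfg["backend"] == "ad":
        uid = entry["uidNumber"]
    elif dcfg["backend"] == "rid":
        uid = lo + entry["rid"]
    else:
        return None
    if uid is None or not lo <= uid <= hi:
        return None          # winbind will not hand out an id outside the range
    return uid


def with_backend(cfg, domain, backend):
    """Copy of cfg with the domain's backend switched, e.g. ad -> rid."""
    new = {d: dict(c) for d, c in cfg.items()}
    new[domain]["backend"] = backend
    return new


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    rid_cfg = with_backend(cfg, "MYDOMAIN", "rid")
    for acct in DIRECTORY:
        print(f"{acct:7s} ad -> {resolve_uid(acct, cfg)!s:6s} rid -> {resolve_uid(acct, rid_cfg)}")
    # Constructed local accounts (root and a typical first local user).
    print(check_ranges(cfg, local_uids=(0, 1000)))
```

Under 'ad' the machine account resolves to nothing and the Windows ACL entry for it can never match a uid, which is the symptom described; under 'rid' it becomes 4000 + 1130 on every member that shares the range, which is Rowland's "consistent on Unix members" point (a Samba DC uses its own allocation and will differ). The range check also flags that the default range 100-2000 posted above contains UID 1000 if such a local user exists on the member. On a real member the equivalent live check is `wbinfo -i 'MYDOMAIN\PC-01$'`, which prints the passwd-style entry only when winbind can produce a mapping.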