Samba - General mailing list wrote
> On Mon, 20 Nov 2017 10:43:58 -0700 (MST)
> tomict via samba <samba at lists.samba.org> wrote:
>
> On Unix there are users, groups and computers, whilst on
> Windows there are users, groups and special users that are also
> computers ;-)
>
> You posted that you have added uidNumber and gidNumber attributes to
> the users and groups, did this include 'Domain Computers' ?

Yes, "Domain Computers" and other groups as well have a GID (Group ID, 10003 in my case).

Samba - General mailing list wrote
> For the Unix OS to know about the users, it asks winbind (via NSS) and
> winbind (when using the 'ad' backend) will return data for users that
> have a uidNumber AND their primary group has a gidNumber. For the
> normal users this is Domain Users, but for computers, it is Domain
> Computers.
>
> If 'getent passwd PC050$' doesn't return anything, then you need to
> find out why.

Indeed, getent passwd PC050$ does not return anything.

In the ADUC attribute editor it shows:
  sAMAccountType : 805306369 = ( MACHINE_ACCOUNT )
  primaryGroupID : 515 = ( GROUP_RID_COMPUTERS )
  gidNumber : not set

I understand from your question that computer network accounts should be visible in the list of user accounts (getent passwd) and that computer accounts must have a GID in order to 'show up'. However, I have no computers showing up. Can I set that somewhere? I tried setting the attributes 'uid', 'gid' and 'gidNumber' with the ADUC attribute editor, but that did not result in the computer showing up in 'getent passwd'.

'getent group' does list all the groups that have a GID set, including "Domain Computers".

Tom
--
Sent from: http://samba.2283325.n4.nabble.com/Samba-General-f2403709.html
Rowland Penny
2017-Nov-20 20:55 UTC
[Samba] samba 4 ad member - idmap = ad for machine accounts
On Mon, 20 Nov 2017 13:27:18 -0700 (MST)
tomict via samba <samba at lists.samba.org> wrote:

> Samba - General mailing list wrote
> > On Mon, 20 Nov 2017 10:43:58 -0700 (MST)
> > tomict via samba <samba at lists.samba.org> wrote:
> >
> > On Unix there are users, groups and computers, whilst on
> > Windows there are users, groups and special users that are also
> > computers ;-)
> >
> > You posted that you have added uidNumber and gidNumber attributes to
> > the users and groups, did this include 'Domain Computers' ?
>
> Yes, "Domain Computers" and other groups as well have a GID (Group
> ID, 10003 in my case).
>
> Samba - General mailing list wrote
> > For the Unix OS to know about the users, it asks winbind (via NSS)
> > and winbind (when using the 'ad' backend) will return data for
> > users that have a uidNumber AND their primary group has a
> > gidNumber. For the normal users this is Domain Users, but for
> > computers, it is Domain Computers.
> >
> > If 'getent passwd PC050$' doesn't return anything, then you need to
> > find out why.
>
> Indeed, getent passwd PC050$ does not return anything.
> In the ADUC attribute editor it shows:
>   sAMAccountType : 805306369 = ( MACHINE_ACCOUNT )
>   primaryGroupID : 515 = ( GROUP_RID_COMPUTERS )
>   gidNumber : not set
> I understand from your question that computer network accounts should
> be visible in the list of user accounts (getent passwd) and that
> computer accounts must have a GID in order to 'show up'. However, I
> have no computers showing up. Can I set that somewhere? I tried
> setting the attributes 'uid', 'gid' and 'gidNumber' with the ADUC
> attribute editor, but that did not result in the computer showing up
> in 'getent passwd'.
>
> 'getent group' does list all the groups that have a GID set, including
> "Domain Computers".
>
> Tom

The way you have set smb.conf, PC050$ doesn't need a gidNumber, but it
does need a uidNumber, so check for one. Run this on the Samba DC:

ldbsearch -H /usr/local/samba/private/sam.ldb -b 'DC=samdom,DC=example,DC=com' -s sub '(&(objectclass=computer)(samaccountname=pc050$))' uidNumber | grep 'uidNumber:' | awk '{print $NF}'

Replace '/usr/local/samba/private/sam.ldb' with the path to your 'sam.ldb'.
Replace 'DC=samdom,DC=example,DC=com' with your suffix.

It should produce a number.

Check if Domain Computers has a gidNumber:

ldbsearch -H /usr/local/samba/private/sam.ldb -b 'DC=samdom,DC=example,DC=com' -s sub '(&(objectclass=group)(samaccountname=domain computers))' gidNumber | grep 'gidNumber:' | awk '{print $NF}'

This again should return a number.

If both return a number, try running 'net cache flush' on the Unix domain member.

Rowland
tomict
2017-Nov-20 23:12 UTC
[Samba] samba 4 ad member - idmap = ad for machine accounts [SOLVED]
Well! That does the trick. Thank you VERY much Rowland!

Samba - General mailing list wrote
> The way you have set smb.conf, PC050$ doesn't need a gidNumber, but it
> does need a uidNumber, so check for one. Run this on the Samba DC:
>
> ldbsearch -H /usr/local/samba/private/sam.ldb -b
> 'DC=samdom,DC=example,DC=com' -s sub
> '(&(objectclass=computer)(samaccountname=pc050$))' uidNumber |
> grep 'uidNumber:' | awk '{print $NF}'
>
> Replace '/usr/local/samba/private/sam.ldb' with the path to your
> 'sam.ldb'.
>
> Replace 'DC=samdom,DC=example,DC=com' with your suffix.
>
> It should produce a number.
>
> Check if Domain Computers has a gidNumber:
>
> ldbsearch -H /usr/local/samba/private/sam.ldb -b
> 'DC=samdom,DC=example,DC=com' -s sub
> '(&(objectclass=group)(samaccountname=domain computers))' gidNumber | grep
> 'gidNumber:' | awk '{print $NF}'
>
> This again should return a number.
>
> If both return a number, try running 'net cache flush' on the Unix
> domain member.

Editing with the CLI or with the ADUC attribute editor, all that is needed is a uidNumber value for the machine account. With a uidNumber, the error 'invalid on this system' is gone.

Adding the group "domain computers" to the permissions makes the shares accessible to the machine accounts.

getent passwd PC050$ or wbinfo -i PC050$ shows details for the machine account.
getent passwd (without a name) does NOT show the machine account in the listing.

Pity that the ADUC Unix tab does not add uidNumbers for computers. Now all I have to do is somehow add a uidNumber to new machines when they are joined to the domain.

Thanks again!

Tom
--
Sent from: http://samba.2283325.n4.nabble.com/Samba-General-f2403709.html
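Tom's closing question, how to give newly joined machines a uidNumber without hand-editing each one in ADUC, is left open in the thread. The script below is an added example, not code from the thread or from the Samba project. It runs on the Samba AD DC with Rowland's ldbsearch approach: it lists computer objects that have no uidNumber, picks the lowest unused number at or above an assumed UID_MIN, and writes each one back with ldbmodify. The sam.ldb path and base DN are Rowland's placeholders, and the UID_MIN of 10000 is an assumption; all three must be edited (or exported as environment variables) to match the site.

```shell
#!/bin/sh
# Added example: allocate uidNumber to computer accounts that lack one.
# ASSUMPTIONS (edit to match your DC): sam.ldb path, base DN, and the
# start of the UID range. The range must lie inside the
# 'idmap config <DOMAIN> : range' configured on the Unix domain members,
# or winbind on the member will still refuse to map the account.
SAM_LDB="${SAM_LDB:-/usr/local/samba/private/sam.ldb}"
BASE_DN="${BASE_DN:-DC=samdom,DC=example,DC=com}"
UID_MIN="${UID_MIN:-10000}"

# next_free_uid "<uidNumbers, one per line, any order>"
# Prints the smallest integer >= UID_MIN that is not in the list.
# Non-numeric lines (ldbsearch comments, blanks) are ignored.
next_free_uid() {
    printf '%s\n' "$1" | grep -E '^[0-9]+$' | sort -n | awk -v min="$UID_MIN" '
        $1 <  min { next }          # below our range: irrelevant
        $1 == min { min++; next }   # taken: move the candidate up
        $1 >  min { exit }          # first gap found; END prints it
        END       { print min }'
}

# uid_ldif <dn> <uidNumber>: the LDIF change that sets uidNumber on one object.
uid_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: uidNumber\nuidNumber: %s\n' "$1" "$2"
}

# Computer objects with no uidNumber attribute (needs a live sam.ldb).
# Assumes DNs are short enough that ldbsearch does not fold them onto a
# continuation line.
computers_without_uid() {
    ldbsearch -H "$SAM_LDB" -b "$BASE_DN" -s sub \
        '(&(objectClass=computer)(!(uidNumber=*)))' dn | sed -n 's/^dn: //p'
}

# Every uidNumber already in use, users and computers alike, so a machine
# account never collides with a user account's uid.
used_uids() {
    ldbsearch -H "$SAM_LDB" -b "$BASE_DN" -s sub '(uidNumber=*)' uidNumber |
        sed -n 's/^uidNumber: //p'
}

# One ldbmodify per computer; the allocated uid is appended to the in-use
# list so two new machines in the same run get distinct numbers.
# DRY_RUN=1 prints the LDIF instead of writing it.
assign_missing_uids() {
    used="$(used_uids)"
    computers_without_uid | while IFS= read -r dn; do
        uid="$(next_free_uid "$used")"
        if [ "${DRY_RUN:-0}" = 1 ]; then
            uid_ldif "$dn" "$uid"; echo
        else
            uid_ldif "$dn" "$uid" | ldbmodify -H "$SAM_LDB"
        fi
        used="$(printf '%s\n%s' "$used" "$uid")"
    done
}

# Only touch the directory when explicitly asked:
#   DRY_RUN=1 sh assign-machine-uids.sh --apply   # show the LDIF
#   sh assign-machine-uids.sh --apply             # write it
case "${1:-}" in
    --apply) assign_missing_uids ;;
esac
```

Run it from cron or a post-join hook on the DC; after it writes, run 'net cache flush' on the Unix domain member, as Rowland advised, or winbind will keep serving the old negative lookup. Note that giving a machine account a uidNumber turns its SMB sessions into a real Unix identity on the member, which is why Tom then had to grant "domain computers" on the share permissions; treat that group in ACLs with the same care as any user group.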