tomict
2017-Nov-20 23:12 UTC
[Samba] samba 4 ad member - idmap = ad for machine accounts [SOLVED]
Well! That does the trick. Thank you VERY much Rowland!

Samba - General mailing list wrote
> The way you have set smb.conf, PC050$ doesn't need a gidNumber, but it
> does need a uidNumber, so check for one, run this on the Samba DC:
>
> ldbsearch -H /usr/local/samba/private/sam.ldb -b 'DC=samdom,DC=example,DC=com' -s sub '(&(objectclass=computer)(samaccountname=pc050$))' uidNumber | grep 'uidNumber:' | awk '{print $NF}'
>
> Replace '/usr/local/samba/private/sam.ldb' with the path to your 'sam.ldb'
>
> Replace 'DC=samdom,DC=example,DC=com' with your suffix
>
> It should produce a number
>
> Check if Domain Computers has a gidNumber:
>
> ldbsearch -H /usr/local/samba/private/sam.ldb -b 'DC=samdom,DC=example,DC=com' -s sub '(&(objectclass=group)(samaccountname=domain computers))' gidNumber | grep 'gidNumber:' | awk '{print $NF}'
>
> This again should return a number
>
> If both return a number, try running 'net cache flush' on the Unix
> domain member.

Editing with the cli or with the ADUC attribute editor, all that is needed is a uidNumber value for the machine account.

With a uidNumber, the error 'invalid on this system' is gone. Adding the group "domain computers" to the permissions makes the shares accessible to the machine accounts.

getent passwd PC050$ or wbinfo -i PC050$ shows details for the machine account.
getent passwd (without a name) does NOT show the machine account in the listing.

Pity that the ADUC Unix tab does not add uidNumbers for computers.
Now all I have to do is somehow add a uidNumber to new machines when they are joined to the domain.

thanks again!

Tom
--
Sent from: http://samba.2283325.n4.nabble.com/Samba-General-f2403709.html
Allen Chen
2017-Nov-21 16:38 UTC
[Samba] samba 4 ad member - idmap = ad for machine accounts [SOLVED]
Hi there,

I am looking for the same solution in my environment. I have a question: Do you need to manually set up a password for the machine account PC050$ ?

Thanks
- Allen

On 11/20/2017 6:12 PM, tomict via samba wrote:
> Well! That does the trick. Thank you VERY much Rowland!
>
> Samba - General mailing list wrote
>> The way you have set smb.conf, PC050$ doesn't need a gidNumber, but it
>> does need a uidNumber, so check for one, run this on the Samba DC:
>>
>> ldbsearch -H /usr/local/samba/private/sam.ldb -b 'DC=samdom,DC=example,DC=com' -s sub '(&(objectclass=computer)(samaccountname=pc050$))' uidNumber | grep 'uidNumber:' | awk '{print $NF}'
>>
>> Replace '/usr/local/samba/private/sam.ldb' with the path to your 'sam.ldb'
>>
>> Replace 'DC=samdom,DC=example,DC=com' with your suffix
>>
>> It should produce a number
>>
>> Check if Domain Computers has a gidNumber:
>>
>> ldbsearch -H /usr/local/samba/private/sam.ldb -b 'DC=samdom,DC=example,DC=com' -s sub '(&(objectclass=group)(samaccountname=domain computers))' gidNumber | grep 'gidNumber:' | awk '{print $NF}'
>>
>> This again should return a number
>>
>> If both return a number, try running 'net cache flush' on the Unix
>> domain member.
>
> Editing with the cli or with the ADUC attribute editor, all that is needed
> is a uidNumber value for the machine account.
>
> With a uidNumber, the error 'invalid on this system' is gone. Adding the
> group "domain computers" to the permissions makes the shares accessible to
> the machine accounts.
>
> getent passwd PC050$ or wbinfo -i PC050$ shows details for the
> machine account.
> getent passwd (without a name) does NOT show the machine account in the
> listing.
>
> Pity that the ADUC Unix tab does not add uidNumbers for computers.
> Now all I have to do is somehow add a uidNumber to new machines when they
> are joined to the domain.
>
> thanks again!
>
> Tom
tomict
2017-Nov-21 18:42 UTC
[Samba] samba 4 ad member - idmap = ad for machine accounts [SOLVED]
Samba - General mailing list wrote
> Do you need to manually set up a password for the machine account PC050$ ?

Manually is relative :-)

I scripted the bunch of PCs by first finding out at which uidNumber I could start counting and then put everything (PC and uid numbers) in a loop. You could use ldbmodify, but since it was a small edit and not many PCs I used ldbedit like this:

ldbedit starts your editor and lets you edit a temporary ldif file which is fed back into the database when you are done editing. Instead of an interactive editor, here I use the streaming editor (sed) to insert a line at position 10 (arbitrary, the ldif is much longer in this search) with the contents "uidNumber: <number>".

This is an ugly hack. Be careful/very sure that the computers do not have a uidNumber before you do this.

I don't know where you can hook in to the samba computer account creation process to automatically insert a uidNumber.

Tom
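An added example, not Tom's script and not from the thread, that does the same job as his sed hack but safely re-runnable: it picks the next free uidNumber from what is already allocated, selects only computer accounts that have no uidNumber yet (Tom's "be very sure" caveat, encoded in the LDAP filter), and emits an LDIF for ldbmodify instead of editing in place. ldbsearch/ldbmodify are Samba's own tools; the sam.ldb path and base DN are the ones from Rowland's commands and are assumptions to change; the helper names (highest_uid, to_ldif) are mine.

```shell
#!/bin/sh
# Added example (not from the thread): assign a uidNumber to every computer
# account that lacks one, numbering upward from the highest uidNumber in use.
# SAM_LDB and BASE_DN are assumed defaults taken from the thread; adjust them.
SAM_LDB="${SAM_LDB:-/usr/local/samba/private/sam.ldb}"
BASE_DN="${BASE_DN:-DC=samdom,DC=example,DC=com}"

# Read ldbsearch output on stdin, print the highest uidNumber seen (0 if none).
highest_uid() {
    awk 'BEGIN { m = 0 } /^uidNumber:/ && ($NF + 0) > m { m = $NF + 0 } END { print m }'
}

# Read "dn: ..." lines on stdin and emit one LDIF modify record per DN,
# numbering from $1. Folded LDIF lines (leading space) are joined back.
to_ldif() {
    awk -v n="$1" '
        function flush() {
            if (dn != "") {
                printf "dn: %s\nchangetype: modify\nadd: uidNumber\nuidNumber: %d\n-\n\n", dn, n
                n++
            }
            dn = ""
        }
        /^dn: / { flush(); dn = substr($0, 5); next }
        /^ /    { dn = dn substr($0, 2); next }
        { flush() }
        END { flush() }'
}

# Live queries: everything that already has a uidNumber (users and computers),
# and only computers that have none, so a second run never touches an account twice.
start_uid() {
    ldbsearch -H "$SAM_LDB" -b "$BASE_DN" -s sub '(uidNumber=*)' uidNumber | highest_uid
}
computers_missing_uid() {
    ldbsearch -H "$SAM_LDB" -b "$BASE_DN" -s sub \
        '(&(objectClass=computer)(!(uidNumber=*)))' dn
}

# Usage on the DC:  ./addcomputeruids.sh --run                      (review the LDIF)
#                   ./addcomputeruids.sh --run | ldbmodify -H "$SAM_LDB"   (apply it)
# then 'net cache flush' on the domain member, as Rowland suggested.
if [ "${1:-}" = "--run" ]; then
    first=$(( $(start_uid) + 1 ))
    computers_missing_uid | to_ldif "$first"
fi
```

Re-running it from cron after each join covers the "new machines" case from Tom's first mail, since already numbered computers are excluded by the filter.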
tomict
2017-Nov-21 18:48 UTC
[Samba] samba 4 ad member - idmap = ad for machine accounts [SOLVED]
Oh, excuse me, my brain had an outage. You asked about passwords. I'm still preoccupied with uidNumbers...

No need to set up passwords manually.

Tom