Björn JACKE
2018-Jan-12 16:42 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
On 2018-01-12 at 16:24 +0000 Rowland Penny via samba sent off:> > Clearly, also 'Domain Computers' group have to get assigned an GID, > > right? > > Yes. > > The question is, do you need to do this ? Will a computer own anything > on a Unix machine ?it's not the question if he owns anything. It's enough that the machine uses the machine account during the tree connect to make it fail without a corresponding posix account. Björn -- SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen phone: +49-551-370000-0, fax: +49-551-370000-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen http://www.sernet.de, mailto:kontakt at sernet.de
Rowland Penny
2018-Jan-12 16:56 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
On Fri, 12 Jan 2018 17:42:44 +0100 Björn JACKE via samba <samba at lists.samba.org> wrote:> On 2018-01-12 at 16:24 +0000 Rowland Penny via samba sent off: > > > Clearly, also 'Domain Computers' group have to get assigned an > > > GID, right? > > > > Yes. > > > > The question is, do you need to do this ? Will a computer own > > anything on a Unix machine ? > > it's not the question if he owns anything. It's enough that the > machine uses the machine account during the tree connect > to make it fail without a corresponding posix account. > > BjörnSurely the authentication of choice would be kerberos and this wouldn't require a posix account. Rowland
Björn JACKE
2018-Jan-12 17:14 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
On 2018-01-12 at 16:56 +0000 Rowland Penny sent off:> Surely the authentication of choice would be kerberos and this wouldn't > require a posix account.Rowland, you sound very confident, but still that doesn't make it right. The posix account needs to exist for smbd to be able to switch to the context of the connecting (computer) user. This is not a matter of the authentication mechanism. Björn -- SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen phone: +49-551-370000-0, fax: +49-551-370000-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen http://www.sernet.de, mailto:kontakt at sernet.de