Hello,

A user of my "adman" utility recently opened this issue [1]: "Add support for setting uidNumber for machine account"

I was aware that computer accounts were also users in AD, but I hadn't considered assigning a uidNumber to them. It makes sense that winbind (in idmap="ad" mode) would not "see" the accounts with a uidNumber. Naturally, groups of which the computer accounts are members would need gidNumber assigned as well.

I understand the OP in this post [2] had the following use case: A startup script uses the computer account to access a samba server.

Questions:

1. Which groups should or should not be assigned gidNumber? The issue [1] indicates that "Domain Computers" should indeed have gidNumber. However my assignment logic [3] specifically excludes "Domain Computers" based on the original recommendation from this post [4] which says "Which groups should be excluded? Just about all the groups that a provision provides, with the exception of Domain Users".

2. What other use cases are there for winbind needing to know about computer accounts? Is it just Samba file servers? If so, are there other cases where the computer account is authenticating? Or should a DC (with "idmap_ldb:use rfc2307 = yes") also need to see computer accounts (e.g. in wbinfo -u)?

Thanks in advance for reviewing this again, and providing any insight.

Jonathon Reinhart

[1] https://gitlab.com/JonathonReinhart/adman/issues/13
[2] https://lists.samba.org/archive/samba/2017-November/212259.html
[3] https://gitlab.com/JonathonReinhart/adman/-/blob/v0.2.3/adman/assign.py#L15-66
[4] https://lists.samba.org/archive/samba/2019-June/223499.html
Hello! Jonathon Reinhart via samba, on that day, wrote...

> I understand the OP in this post [2] had the following use case: A
> startup script uses the computer account to access a samba server.

More specifically: if you need ''services'' (or more generally: 'things that run on the SYSTEM account') to have access to your share, the Windows client OS automatically does/tries an access to the share with the machine credential.

E.g., the client 'translates' the SYSTEM account to machine-credential access.

> 1. Which groups should or should not be assigned gidNumber? The issue
> [1] indicates that "Domain Computers" should indeed have gidNumber.

I have uidNumber assigned to my PCs, and clearly gidNumber assigned to 'Domain Computers'.

> 2. What other use cases are there for winbind needing to know about
> computer accounts?
> Is it just Samba file servers? If so, are there other cases where the
> computer account is authenticating?
> Or should a DC (with "idmap_ldb:use rfc2307 = yes") also need to see
> computer accounts (e.g. in wbinfo -u)?

AFAIK no; I also use the machine account for wireless authentication via RADIUS, but clearly this has nothing to do with the filesystem, and so nothing to do with uid/gid assignment.

So, also for me, this is needed for just 'Samba file server'.

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
On 14/02/2020 02:54, Jonathon Reinhart via samba wrote:
> Hello,
>
> A user of my "adman" utility recently opened this issue [1]: "Add
> support for setting uidNumber for machine account"
>
> I was aware that computer accounts were also users in AD, but I hadn't
> considered assigning a uidNumber to them. It makes sense that winbind
> (in idmap="ad" mode) would not "see" the accounts with a uidNumber.
> Naturally, groups of which the computer accounts are members would
> need gidNumber assigned as well.
>
> I understand the OP in this post [2] had the following use case: A
> startup script uses the computer account to access a samba server.

In most cases on Unix, computers do not need an ID, but there are always corner cases ;-)

> Questions:
>
> 1. Which groups should or should not be assigned gidNumber? The issue
> [1] indicates that "Domain Computers" should indeed have gidNumber.
> However my assignment logic [3] specifically excludes "Domain
> Computers" based on the original recommendation from this post [4]
> which says "Which groups should be excluded? Just about all the groups
> that a provision provides, with the exception of Domain Users".

Well, yes, but as I said, there are always corner cases, and in this case 'Domain Computers' must have a gidNumber because a computer's primaryGroupID is the RID for 'Domain Computers'.

> 2. What other use cases are there for winbind needing to know about
> computer accounts?

No idea, but there are probably some.

> Is it just Samba file servers? If so, are there other cases where the
> computer account is authenticating?

If something goes directly to LDAP, then no, but if it relies on winbind, then yes.

> Or should a DC (with "idmap_ldb:use rfc2307 = yes") also need to see
> computer accounts (e.g. in wbinfo -u)?

Now this is interesting: 'wbinfo -u' on a DC will not show computers, but 'getent passwd computername$' will.

Rowland
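As an added example (not adman's code and not from anyone in this thread), the primary-group check Rowland's answer implies, run over constructed sample AD records: it rebuilds each account's primary-group SID from the domain SID plus primaryGroupID and reports the groups that still need a gidNumber before winbind in idmap=ad mode can map accounts that already carry a uidNumber. The domain SID, account names and ID numbers are all constructed.

```python
# Added example, not adman's code or anything from this thread: check the
# idmap=ad prerequisite that every account carrying a uidNumber also has a
# primary group carrying a gidNumber. The records below are constructed
# samples shaped like the attributes an LDAP search of AD would return.

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

# Well-known RIDs of the groups the thread discusses.
RID_DOMAIN_USERS = 513
RID_DOMAIN_COMPUTERS = 515

ACCOUNTS = [  # constructed sample user and computer objects
    {"sAMAccountName": "alice", "uidNumber": 10001,
     "primaryGroupID": RID_DOMAIN_USERS},
    {"sAMAccountName": "ws01$", "uidNumber": 20001,
     "primaryGroupID": RID_DOMAIN_COMPUTERS},
    {"sAMAccountName": "ws02$",  # no uidNumber: winbind never sees it anyway
     "primaryGroupID": RID_DOMAIN_COMPUTERS},
]
GROUPS = [  # constructed sample groups; Domain Computers lacks gidNumber
    {"sAMAccountName": "Domain Users",
     "objectSid": f"{DOMAIN_SID}-{RID_DOMAIN_USERS}", "gidNumber": 10000},
    {"sAMAccountName": "Domain Computers",
     "objectSid": f"{DOMAIN_SID}-{RID_DOMAIN_COMPUTERS}"},
]


def primary_group_sid(domain_sid, account):
    """primaryGroupID stores only a RID; the group's SID is domain SID + RID."""
    return f"{domain_sid}-{account['primaryGroupID']}"


def missing_primary_gids(domain_sid, accounts, groups):
    """Names (or SIDs, if the group is not in `groups`) of primary groups that
    must get a gidNumber before winbind in idmap=ad mode can map the accounts
    that already have a uidNumber."""
    by_sid = {g["objectSid"]: g for g in groups}
    missing = set()
    for acct in accounts:
        if "uidNumber" not in acct:
            continue  # not mapped by idmap=ad regardless of its group
        sid = primary_group_sid(domain_sid, acct)
        grp = by_sid.get(sid)
        if grp is None:
            missing.add(sid)  # primary group not even in the enumerated set
        elif "gidNumber" not in grp:
            missing.add(grp["sAMAccountName"])
    return sorted(missing)


if __name__ == "__main__":
    print(missing_primary_gids(DOMAIN_SID, ACCOUNTS, GROUPS))
```

With the sample data the only finding is 'Domain Computers', which is exactly the group the provision-time exclusion list would have skipped.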
> I was aware that computer accounts were also users in AD, but I hadn't
> considered assigning a uidNumber to them. It makes sense that winbind
> (in idmap="ad" mode) would not "see" the accounts with a uidNumber.
> Naturally, groups of which the computer accounts are members would
> need gidNumber assigned as well.

This is interesting. I also have a similar use case in that my computer accounts (as SYSTEM) access a share for deployment purposes (via WPKG). However, I use "idmap=rid", so I avoid this pitfall. (And a good thing, too. I don't know if I would've made the connection about a missing uidNumber.)

But to maintain consistency with other idmap options (and to reduce the, well, "oh, I missed that"), I think it would be helpful to add this to your utility.

Note to self: read more carefully.
https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites

Kris Lou
klou at themusiclink.net

On Fri, Feb 14, 2020 at 12:28 AM Rowland penny via samba <samba at lists.samba.org> wrote:
Hi Marco,

On Fri, Feb 14, 2020 at 3:26 AM Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Hello! Jonathon Reinhart via samba, on that day, wrote...
>
> > I understand the OP in this post [2] had the following use case: A
> > startup script uses the computer account to access a samba server.
>
> More specifically: if you need ''services'' (or more generally:
> 'things that run on the SYSTEM account') to have access to your share,
> the Windows client OS automatically does/tries an access to the share
> with the machine credential.
>
> E.g., the client 'translates' the SYSTEM account to machine-credential
> access.

Thanks a lot. I didn't realize that services running as the Local System account effectively use the machine account. This is confirmed on this Microsoft documentation page:
https://docs.microsoft.com/en-us/windows/win32/ad/the-localsystem-account
which says:
"When a service runs under the LocalSystem account on a computer that is a domain member, the service has whatever network access is granted to the computer account, or to any groups of which the computer account is a member. ...all LocalSystem services share the computer account of their host server."

> > 1. Which groups should or should not be assigned gidNumber? The issue
> > [1] indicates that "Domain Computers" should indeed have gidNumber.
>
> I have uidNumber assigned to my PCs, and clearly gidNumber assigned to
> 'Domain Computers'.
>
> > 2. What other use cases are there for winbind needing to know about
> > computer accounts?
> > Is it just Samba file servers? If so, are there other cases where the
> > computer account is authenticating?
> > Or should a DC (with "idmap_ldb:use rfc2307 = yes") also need to see
> > computer accounts (e.g. in wbinfo -u)?
>
> AFAIK no; I also use the machine account for wireless authentication via
> RADIUS, but clearly this has nothing to do with the filesystem, and so
> nothing to do with uid/gid assignment.
>
> So, also for me, this is needed for just 'Samba file server'.

That all makes sense. Thanks again for the feedback.

Jonathon