> > I was aware that computer accounts were also users in AD, but I hadn't
> > considered assigning a uidNumber to them. It makes sense that winbind
> > (in idmap="ad" mode) would not "see" the accounts with a uidNumber.
> > Naturally, groups of which the computer accounts are members would
> > need gidNumber assigned as well.

This is interesting. I also have a similar use case in that my computer
accounts (as SYSTEM) access a share for deployment purposes (via WPKG).
However, I use "idmap=rid", so avoid this pitfall. (And a good thing,
too. I don't know if I would've made the connection about a missing
uidNumber.)

But to maintain consistency with other idmap options (and to reduce the,
well, "oh, I missed that"), I think it would be helpful to add to your
utility.

Note to self: read more carefully.
https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites

Kris Lou
klou at themusiclink.net


On Fri, Feb 14, 2020 at 12:28 AM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 14/02/2020 02:54, Jonathon Reinhart via samba wrote:
> > Hello,
> >
> > A user of my "adman" utility recently opened this issue [1]: "Add
> > support for setting uidNumber for machine account"
> >
> > I was aware that computer accounts were also users in AD, but I hadn't
> > considered assigning a uidNumber to them. It makes sense that winbind
> > (in idmap="ad" mode) would not "see" the accounts with a uidNumber.
> > Naturally, groups of which the computer accounts are members would
> > need gidNumber assigned as well.
> >
> > I understand the OP in this post [2] had the following use case: A
> > startup script uses the computer account to access a samba server.
> In most cases on Unix, computers do not need an ID, but there are always
> corner cases ;-)
> >
> > Questions:
> >
> > 1. Which groups should or should not be assigned gidNumber? The issue
> > [1] indicates that "Domain Computers" should indeed have gidNumber.
> > However my assignment logic [3] specifically excludes "Domain
> > Computers" based on the original recommendation from this post [4]
> > which says "Which groups should be excluded? Just about all the groups
> > that a provision provides, with the exception of Domain Users".
> Well, yes, but as I said, there are always corner cases and in this case
> 'Domain Computers' must have a gidNumber because a computers
> PrimaryGroupID is the RID for 'Domain Computers'
> >
> > 2. What other use cases are there for winbind needing to know about
> > computer accounts?
> No idea, but there are probably some.
> > Is it just Samba file servers? If so, are there other cases where the
> > computer account is authenticating?
> If something goes directly to ldap, then no, but if it relies on
> winbind, then yes.
> > Or should a DC (with "idmap_ldb:use rfc2307 = yes") also need to see
> > computer accounts (e.g. in wbinfo -u)?
>
> Now this is interesting, 'wbinfo -u' on a DC will not show computers,
> but 'getent passwd computername$' will.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
On 14/02/2020 17:42, Kris Lou via samba wrote:
>> I was aware that computer accounts were also users in AD, but I hadn't
>> considered assigning a uidNumber to them. It makes sense that winbind
>> (in idmap="ad" mode) would not "see" the accounts with a uidNumber.
>> Naturally, groups of which the computer accounts are members would
>> need gidNumber assigned as well.
>
> This is interesting. I also have a similar use case in that my computer
> accounts (as SYSTEM) access a share for deployment purposes (via WPKG).
> However, I use "idmap=rid", so avoid this pitfall. (And a good thing,
> too. I don't know if I would've made the connection about a missing
> uidNumber.)
>
> But to maintain consistency with other idmap options (and to reduce the,
> well, "oh, I missed that"), I think it would be helpful to add to your
> utility.
>
> Note to self: read more carefully.
> https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites
>
The thing that everyone misses, in AD a computer is just a user with an
extra objectclass ;-)

Rowland
>
> The thing that everyone misses, in AD a computer is just a user with an
> extra objectclass ;-)
>
>
With that being said, I kinda like the current behavior of "wbinfo -u", but
wouldn't mind an extra option to also list computer objects. But honestly,
it's more of a "for completeness" as I don't know when I'd use it.
On Fri, Feb 14, 2020 at 12:44 PM Kris Lou via samba <samba at lists.samba.org> wrote:
>
>
> > > I was aware that computer accounts were also users in AD, but I hadn't
> > > considered assigning a uidNumber to them. It makes sense that winbind
> > > (in idmap="ad" mode) would not "see" the accounts with a uidNumber.
> > > Naturally, groups of which the computer accounts are members would
> > > need gidNumber assigned as well.
>
>
> This is interesting. I also have a similar use case in that my computer
> accounts (as SYSTEM) access a share for deployment purposes (via WPKG).
> However, I use "idmap=rid", so avoid this pitfall. (And a good thing,
> too. I don't know if I would've made the connection about a missing
> uidNumber.)
>
> But to maintain consistency with other idmap options (and to reduce the,
> well, "oh, I missed that"), I think it would be helpful to add to your
> utility.
>
> Note to self: read more carefully.
> https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites
>
> Kris Lou
> klou at themusiclink.net
>
>
> On Fri, Feb 14, 2020 at 12:28 AM Rowland penny via samba <
> samba at lists.samba.org> wrote:
>
> > On 14/02/2020 02:54, Jonathon Reinhart via samba wrote:
> > > Hello,
> > >
> > > A user of my "adman" utility recently opened this issue [1]: "Add
> > > support for setting uidNumber for machine account"
> > >
> > > I was aware that computer accounts were also users in AD, but I hadn't
> > > considered assigning a uidNumber to them. It makes sense that winbind
> > > (in idmap="ad" mode) would not "see" the accounts with a uidNumber.
> > > Naturally, groups of which the computer accounts are members would
> > > need gidNumber assigned as well.
> > >
> > > I understand the OP in this post [2] had the following use case: A
> > > startup script uses the computer account to access a samba server.
> > In most cases on Unix, computers do not need an ID, but there are always
> > corner cases ;-)
> > >
> > > Questions:
> > >
> > > 1. Which groups should or should not be assigned gidNumber? The issue
> > > [1] indicates that "Domain Computers" should indeed have gidNumber.
> > > However my assignment logic [3] specifically excludes "Domain
> > > Computers" based on the original recommendation from this post [4]
> > > which says "Which groups should be excluded? Just about all the groups
> > > that a provision provides, with the exception of Domain Users".
> > Well, yes, but as I said, there are always corner cases and in this case
> > 'Domain Computers' must have a gidNumber because a computers
> > PrimaryGroupID is the RID for 'Domain Computers'
> > >
> > > 2. What other use cases are there for winbind needing to know about
> > > computer accounts?
> > No idea, but there are probably some.
> > > Is it just Samba file servers? If so, are there other cases where the
> > > computer account is authenticating?
> > If something goes directly to ldap, then no, but if it relies on
> > winbind, then yes.
> > > Or should a DC (with "idmap_ldb:use rfc2307 = yes") also need to see
> > > computer accounts (e.g. in wbinfo -u)?
> >
> > Now this is interesting, 'wbinfo -u' on a DC will not show computers,
> > but 'getent passwd computername$' will.
> >
> > Rowland

Thanks for the feedback, everyone.

I implemented the assignment of uidNumber for computer accounts. The
details can be found at this merge request:
https://gitlab.com/JonathonReinhart/adman/-/merge_requests/7

The other half of the change was relaxing the list of groups excluded
from gidNumber assignment. ADMan will now assign a gidNumber to "Domain
Computers", "Domain Controllers" and similar groups.

Jonathon
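The rule the thread settles on (a computer is a user, so under the "ad" idmap backend it needs a uidNumber, and its primary group "Domain Computers" needs a gidNumber), shown as a dry-run check and LDIF generator. This is an added example, not ADMan's or Samba's own code; the directory entries, the example.com DN suffix and the 30000 starting range are constructed, and the well-known RID 515 for "Domain Computers" is the one fixed value taken from AD itself.

```python
# Added example (not ADMan's code): which accounts winbind with
# "idmap config ... : backend = ad" cannot map, and the LDIF that fixes them.
# A computer's primaryGroupID is the RID of "Domain Computers" (515), so that
# group needs a gidNumber as soon as one computer gets a uidNumber.
# All entries below are constructed; objectSid is kept as an SDDL string.
def rid(sid: str) -> int:
    return int(sid.rsplit("-", 1)[1])

ENTRIES = [  # constructed stand-in for an LDAP search result
    {"dn": "CN=Domain Users,CN=Users,DC=example,DC=com", "objectClass": ["group"],
     "objectSid": "S-1-5-21-1-2-3-513", "gidNumber": 10000},
    {"dn": "CN=Domain Computers,CN=Users,DC=example,DC=com", "objectClass": ["group"],
     "objectSid": "S-1-5-21-1-2-3-515"},
    {"dn": "CN=alice,CN=Users,DC=example,DC=com", "objectClass": ["user"],
     "sAMAccountName": "alice", "primaryGroupID": 513, "uidNumber": 20001},
    {"dn": "CN=WS01,CN=Computers,DC=example,DC=com", "objectClass": ["user", "computer"],
     "sAMAccountName": "WS01$", "primaryGroupID": 515},
]

def groups_by_rid(entries):
    return {rid(e["objectSid"]): e for e in entries if "group" in e["objectClass"]}

def winbind_unmapped(entries):
    """sAMAccountNames the ad backend skips: no uidNumber, or a primary group
    without gidNumber. Computers are users, so they are checked too."""
    groups = groups_by_rid(entries)
    return [e["sAMAccountName"] for e in entries if "user" in e["objectClass"]
            and ("uidNumber" not in e
                 or "gidNumber" not in groups.get(e["primaryGroupID"], {}))]

def plan_ids(entries, uid_start=30000, gid_start=30000):
    """LDIF modify records: a fresh uidNumber per unmapped account and a fresh
    gidNumber per primary group that lacks one. Returns (ldif, uids, gids)."""
    groups = groups_by_rid(entries)
    # never reuse an id already present in the directory
    next_uid = max([uid_start] + [e["uidNumber"] + 1 for e in entries if "uidNumber" in e])
    next_gid = max([gid_start] + [e["gidNumber"] + 1 for e in entries if "gidNumber" in e])
    ldif, new_uids, new_gids = [], {}, {}
    for e in entries:
        if "user" not in e["objectClass"]:
            continue
        if "uidNumber" not in e:
            new_uids[e["sAMAccountName"]] = next_uid
            ldif.append(f"dn: {e['dn']}\nchangetype: modify\nadd: uidNumber\nuidNumber: {next_uid}\n")
            next_uid += 1
        grp = groups.get(e["primaryGroupID"])
        if grp and "gidNumber" not in grp and grp["dn"] not in new_gids:
            new_gids[grp["dn"]] = next_gid
            ldif.append(f"dn: {grp['dn']}\nchangetype: modify\nadd: gidNumber\ngidNumber: {next_gid}\n")
            next_gid += 1
    return ldif, new_uids, new_gids
```

Running `winbind_unmapped` before and after applying the plan is the check worth keeping: on the sample data only `WS01$` is unmapped, and the plan adds a uidNumber to it plus a gidNumber to "Domain Computers".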