similar to: Avoiding uid conflicts between rfc2307 user/groups and computers

Thank you very much for your help !! The problem is that I need a way to create the ID numbers without overwriting the previous one as I don't use ADUC but shell scripts. This is why I use the xidNumber generation (on one specific DC) that take care of that. This idea is not from me, it was used long time ago by a Spanish IT that often come here ;) ( but his method has changed maybe .... )

Mandi! Kacper Wirski via samba In chel di` si favelave... > I understand the OP, I was asking some time ago similar question, but it was > in relation to samba domain member. Thanks, Kacper. > I couldn't get backend: ad to work for > machine accounts, so i switched to idmap: rid and it solved everything. I > tried manually adding UID and GID to Domain Computer group and to

On 2018-01-12 at 16:56 +0000 Rowland Penny sent off: > Surely the authentication of choice would be kerberos and this wouldn't > require a posix account. Rowland, you sound very confident, but still that doesn't make it right. The posix account needs to exist for smbd to be able to switch to the context of the connecting (computer) user. This is not a matter of the authentication

Thank again for your help ! 2018-01-12 21:26 GMT+01:00 Rowland Penny <rpenny at samba.org>: > The problem is, you are thinking in the wrong direction ;-) > If you give a user a uidNumber, or a group a gidNumber, these will be > used instead of the xidNumbers found in idmap.ldb, you do not need to > alter idmap.ldb at all. > The way ADUC works, is by using a couple of

On Mon, 15 Jan 2018 16:18:57 +0100 Kacper Wirski via samba <samba at lists.samba.org> wrote: > Hello, > I understand the OP, I was asking some time ago similar question, but > it was in relation to samba domain member. I couldn't get backend: ad > to work for machine accounts, so i switched to idmap: rid and it > solved everything. I tried manually adding UID and GID to

On Mon, 15 Jan 2018 14:55:55 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > Mandi! L.P.H. van Belle via samba > In chel di` si favelave... > > > > It is not the SYSTEM user (that is a local user to the > > > workstation, so clearly does not exist on the domain). > > Yes it does. Look at "Builtin\system" which is also "NT

2018-01-15 20:14 GMT+01:00 Rowland Penny via samba <samba at lists.samba.org>: > On Mon, 15 Jan 2018 19:51:12 +0100 > Prunk Dump via samba <samba at lists.samba.org> wrote: > >> Thank again for your help ! >> >> 2018-01-12 21:26 GMT+01:00 Rowland Penny <rpenny at samba.org>: >> > The problem is, you are thinking in the wrong direction ;-)

Mandi! Björn JACKE via samba In chel di` si favelave... > machine account instead of the connecting user account. One option is to assign > rfc2307 attributes also for all the machine accounts, too. The other option is Some drawbacks on that? Clearly, apart the management cost of assigning an UID to machine accounts? Clearly, also 'Domain Computers' group have to get assigned an

On 2018-01-12 at 16:24 +0000 Rowland Penny via samba sent off: > > Clearly, also 'Domain Computers' group have to get assigned an GID, > > right? > > Yes. > > The question is, do you need to do this ? Will a computer own anything > on a Unix machine ? it's not the question if he owns anything. It's enough that the machine uses the machine account

On 2018-01-12 at 14:23 +0100 Prunk Dump via samba sent off: > I have some conflicts between uid stored in the rfc2307 attributes and > some local uid from idmap.ldb you should not set up any share except for the default sysvol/netlogon share on the AD DC. If you have no other machine available you can set up a member server for file shares via a lxc container on the same physical machine

Mandi! Rowland Penny via samba In chel di` si favelave... > I am not disputing what you say, I am just asking for concrete proof > that a computer account MUST have a uidNumber account. Rowland, it is not (only) a matter of authentication, it is a matter of 'act' with machine account. I've digged a bit but found nothing than (i use WPKG as deployment system, it is only an

> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Marco Gaiarin via samba > Verzonden: maandag 15 januari 2018 13:03 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] Avoiding uid conflicts between rfc2307 > user/groups and computers > > Mandi! Rowland Penny via samba > In chel di` si favelave... > >

I forgot about ldbsearch. Here is a dump of xid numbers. root at dc01:~# ldbsearch -H /var/lib/samba/private/idmap.ldb | grep xidNumber xidNumber: 3000028 xidNumber: 3000013 xidNumber: 3000033 xidNumber: 3000003 xidNumber: 3000032 xidNumber: 3000023 xidNumber: 3000019 xidNumber: 3000010 xidNumber: 65534 xidNumber: 3000031 xidNumber: 3000022 xidNumber: 3000026 xidNumber: 3000017 xidNumber: 3000027

17.07.2015, 17:30, "Rowland Penny" <rowlandpenny241155 at gmail.com>: > On 17/07/15 12:03, Andrej Surkov wrote: >>  I've got this on the backup DC >> >>  root at bdc:~# wbinfo --sid-to-gid S-1-5-21-1166961617-3197558402-3341820450-516 >>  3000000 > > OK, you have problems there, but not what you think. On my first DC > (note I don't have

On Mon, 15 Jan 2018 10:51:54 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > Mandi! Rowland Penny via samba > In chel di` si favelave... > > > I am not disputing what you say, I am just asking for concrete proof > > that a computer account MUST have a uidNumber account. > > Rowland, it is not (only) a matter of authentication, it is a matter

Mandi! Rowland Penny via samba In chel di` si favelave... > 'SYSTEM' is a windows account, there is no concept of the 'SYSTEM' > account on Unix, this includes Samba. Again, i'm speaking more about machine account than LocalSYSTEM account... > Please read this: > https://wiki.samba.org/index.php/The_SYSTEM_Account Seems me perfectly coherent with what i'm

Mandi! L.P.H. van Belle via samba In chel di` si favelave... > > It is not the SYSTEM user (that is a local user to the workstation, so > > clearly does not exist on the domain). > Yes it does. Look at "Builtin\system" which is also "NT Authority\System. Ahem, clearly every machine (workstation, server; i suppose also the domain) have a SYSTEM account, but they

Hello, I understand the OP, I was asking some time ago similar question, but it was in relation to samba domain member. I couldn't get backend: ad to work for machine accounts, so i switched to idmap: rid and it solved everything. I tried manually adding UID and GID to Domain Computer group and to machine accounts, but it didn't seem to work properly, so I gave up especially that RID

On 01/12/14 17:46, steve wrote: > On 01/12/14 18:25, Rowland Penny wrote: >> On 01/12/14 17:16, steve wrote: >>> On 01/12/14 18:11, Rowland Penny wrote: >>>> On 01/12/14 17:09, steve wrote: >>>>> On 01/12/14 17:31, Greg Zartman wrote: >>>>>> On Mon, Dec 1, 2014 at 1:33 AM, Rowland Penny >>>>>> <rowlandpenny at

On 01/12/14 18:23, steve wrote: > On 01/12/14 19:11, Rowland Penny wrote: >> On 01/12/14 17:46, steve wrote: >>> On 01/12/14 18:25, Rowland Penny wrote: >>>> On 01/12/14 17:16, steve wrote: >>>>> On 01/12/14 18:11, Rowland Penny wrote: >>>>>> On 01/12/14 17:09, steve wrote: >>>>>>> On 01/12/14 17:31, Greg Zartman