The Samba-Bugzilla – Bug 6454
Explain why computer accounts need uidNumbers
Last modified: 2009-08-17 17:02:25 UTC
in some circumstances, Samba appears to insist on machine accounts having the posixAccount objectClass (and thus, the uidNumber attribute). However, as I understand it, no code is ever run as the machine account, and neither does it own any files; thus, it doesn't actually need a uidNumber.
In fact, if I create machine accounts in LDAP "manually", without the uidNumber attribute, things still appear to work.
Is there some reason why machine accounts like the one below are insufficient? If so, what is it (and what should I expect to break if I use them anyway)? I have tried to find something about this in the documentation, but failed.
sambaAcctFlags: [W ]
Your observations are correct. I know of no specific requirement for a UID/GID pair for a (machine) trust account.
The history of Samba pre-dates the ability to use an LDAP-based directory backend. The earliest implementations of Samba utilized plain-text password support. This made it possible to authenticate against the UNIX /etc/passwd database.
When it became necessary to store the Microsoft Windows NT and LanManager encrytped passwords they were stored in the smbpasswd file. Rather than re-invent the world, the smbpasswd file became an add-on that fills the gap between account information that is needed by the MS Windows client and account information that is available within the UNIX environment. In later releases the tdbsam backend and LDAPsam backend were added. Rather than re-invent the whole account credentials handling methodology, the security account management (SAM) functionality attempts to reuse as much common code as is possible.
So part of the answer is that it is just the way this was implemented, so until someone implements a better methodology that's how it is.
Secondly, Windows NT allocates user, group and trust accounts from the same RID (relative identifier) name space. The key difference between a user or group account, and a trust account is the fact that the trust account ends with a '$' character. The over-the-wire authentication protocols make no distinction between a user or group account and a trust account - they use the same network function calls. It therefore makes sense (because it is a simple solution) to use a common authentication process inside Samba. Since the "add machine account script" is separate from the "add user account script" it is certainly possible not to add the posixAccount objectclass. As far as I am aware this will not break anything.
Perhaps one of the other team members could comment on the finer details of this question.
Since there has been no update or response - I am closing this bug report.