[Samba] libpam-winbind mkhomedir

Rowland penny rpenny at samba.org
Wed Jun 2 07:43:53 UTC 2021


On 01/06/2021 22:41, Andrew Walker wrote:
>
>
> On Tue, Jun 1, 2021 at 4:41 PM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>
>     On 01/06/2021 21:31, Andrew Walker wrote:
>     > On Tue, Jun 1, 2021 at 3:53 AM Rowland penny via samba
>     > <samba at lists.samba.org> wrote:
>     >
>     >     This doesn't affect Linux unless your computers gain a uidNumber
>     >     and congratulations, you appear to have found
>     >     a bug.
>     >
>     >
>     > I believe RID backend, which is being used here, can provide idmapping
>     > for computer accounts, since it just algorithmically maps IDs to SIDs.
>     > This can be helpful in some situations IIRC where Windows may attempt
>     > to authenticate to the samba server using its machine account rather
>     > than the account of the currently logged in user. I believe some
>     > backup software does this.
>
>
>     I found this out, I had never thought to run 'getent passwd' with a
>     computer name, but when I tried it using the 'rid' backend, it
>     worked.
>     In my opinion it shouldn't, but if it has to, it shouldn't show the
>     computer's primary group as Domain Users.
>
>     Rowland
>
>
> I'll have to think about this some, but I think I agree on this point. 
> Perhaps for idmap backends supporting ID_TYPE_BOTH, we could just set 
> primary gid to uid.


I personally think that, as standard, Samba should ignore computers as 
users. If it must occur because of (in my opinion) broken applications, 
it should be by a switch similar to the 'unix_primary_group = yes' used 
by the 'ad' backend.

Rowland




