[Samba] libpam-winbind mkhomedir

Rowland penny rpenny at samba.org
Thu Jun 3 09:19:09 UTC 2021

On 03/06/2021 09:48, Marco Gaiarin via samba wrote:
> Hello! Rowland penny via samba
>    On that day it was said...
>> I personally think that, as standard, Samba should ignore computers as
>> users.
> No, Rowland; if acting as SYSTEM user, windows client OS (try to; then
> fallback to guest if enabled) access shares and resources with the
> machine account, and this is EXTREMELY useful for, as an example, all
> the deploy/configuration system (that may have to access passwords or
> private keys).
> I've currently assigned a GID to 'Domain Computers' (it is not
> ID_BOTH), and I assign UID to computer accounts.
> I don't use the 'mkhome' feature of winbind, but a script in [users]
> share. Anyway, I think that the best solution will be a simple filter
> in 'mkhome', like explicitly add 'require_membership_of = ' with the
> SID of 'Domain Users'.

OK, but the computers don't need a UID for the machine password to work:

rowland at devstation:~$ getent passwd devstation$
rowland at devstation:~$

As you can see, the 'user' 'devstation$' is unknown.

However, an LDAP search using the machine password works:

rowland at devstation:~$ sudo ldbsearch -H ldap://rpidc1 -P 'sAMAccountName=rowland' | grep 'sAMAccountName'
sAMAccountName: rowland
rowland at devstation:~$
