[Samba] libpam-winbind mkhomedir
Rowland penny
rpenny at samba.org
Thu Jun 3 09:19:09 UTC 2021
On 03/06/2021 09:48, Marco Gaiarin via samba wrote:
> Mandi! Rowland penny via samba
> In chel di` si favelave...
>
>> I personally think that, as standard, Samba should ignore computers as
>> users.
> No, Rowland; if acting as SYSTEM user, windows client OS (try to; then
> fallback to guest if enabled) access shares and resources with the
> machine account, and this is EXTREMELY useful for, as an example, all
> the deply/configuration system (that may have to access to passwords or
> private keys).
>
> I've currently assigned a GID to 'Domain Computers' (it is not
> ID_BOTH), and i assign UID to computer accounts.
>
>
> I don't use the 'mkhome' feature of winbind, but a script in [users]
> share. Anyway, i think that the best solution will be a simple filter
> in 'mkhome', like explicitly add 'require_membership_of = ' with the
> SID of 'Domain Users'.
>
OK, but the computers don't need a UID for the machine password to work:
rowland at devstation:~$ getent passwd devstation$
rowland at devstation:~$
As you can see, the 'user' 'devstation$' is unknown
However an ldap search using the machine password works:
rowland at devstation:~$ sudo ldbsearch -H ldap://rpidc1 -P
'sAMAccountName=rowland' | grep 'sAMAccountName'
sAMAccountName: rowland
rowland at devstation:~$
Rowland
More information about the samba
mailing list