[Samba] pam_winbind and home folders

Rowland Penny rpenny at samba.org
Thu Dec 15 09:02:24 UTC 2022

On 15/12/2022 08:23, Piviul via samba wrote:
> Sorry for the answer delay...
> On 12/2/22 14:13, Rowland Penny via samba wrote:
>> I think you are going to have to give us more info. For some reason, 
>> PAM seems to be treating the computers as users (which they are in AD, 
>> but rather special users), also it isn't winbind that creates home 
>> directories, it is a PAM plugin.
> yes, you are right, in effect I can't find PC names in users
> $ wbinfo --domain-users | grep $(hostname)
> $
> or in groups
> $ wbinfo --domain-groups | grep $(hostname)
> $
> but for PAM the PC is a user:
> $ getent passwd $(wbinfo --own-domain)\\$(hostname)$
> DOMINIOCSA\psala-lx$:*:21298:10513::/home/DOMINIOCSA/psala-lx_:/bin/bash

No that isn't PAM, it is a combination of winbind and nsswitch, though 
it looks like there is a bug, '10513' is undoubtedly Domain Users and a 
computers primary group is Domain Computers.

> and it is a group too:
> $ getent group $(wbinfo --own-domain)\\$(hostname)$
> DOMINIOCSA\psala-lx$:x:21298:DOMINIOCSA\psala-lx$

That is probably a side effect of the winbind code (synthetic users 
group) and possibly would not happen if the 'ad' idmap backend was used.

> in my nsswitch.conf I have only set:
> $ grep winbind /etc/nsswitch.conf
> passwd:         files winbind systemd
> group:          files winbind systemd
> There is something else I have to do to instruct PAM how to get users?

It isn't PAM.

>> What OS ?
> from debian stretch with built-in samba 4.5.16 to debian bookworm with 
> built-in samba 4.17.3.

There has to be a reason why you are using a dead OS and a dead version 
of Samba, but it escapes me.

>> How have you set the mkhomedir option ?
> $ grep mkhomedir /etc/security/pam_winbind.conf
> mkhomedir = yes

That is just calling pam_mkhomedir

>> Why are the PC's connecting as users ?
> I don't know, I was thinking was inside the smb protocol but... never 
> take anything for granted ;)

I was just asking in case you were doing something strange, which it 
appears you are not. This must be down to another of Windows strange 
ideas, where a computer is also a user, something that is meaningless to 

It looks like you are using the 'rid' idmap backend and if so, there is 
a bug for this, see here:


But your problem puts another slant on it, care to add to it ?


More information about the samba mailing list