[Samba] pam_winbind and home folders

Rowland Penny rpenny at samba.org
Fri Dec 16 08:22:53 UTC 2022

On 16/12/2022 07:49, Piviul via samba wrote:

>> No, that isn't PAM, it is a combination of winbind and nsswitch, though
>> it looks like there is a bug, '10513' is undoubtedly Domain Users and
>> a computer's primary group is Domain Computers.
> ok, it isn't PAM... so do you think it's a bug but not related to the
> idmap backend I use and even migrating the idmap backend from rid to ad,
> PAM will continue to create PCs' home folders because winbind will
> continue to say that PCs are users and have "Domain Users" as a primary
> group, didn't you?

That is not what I said. If you use the 'rid' idmap backend, then all
users get a 'synthetic' user group of the same name (which is the way 
Linux works, every local user has a group with the same name). Your 
problem is that Samba (when using the 'rid' idmap backend) does this for 
all users, including users that aren't really users in the Unix way: 
'computers'. The 'rid' idmap backend is then further complicating things 
by ignoring the 'computer' user's primary group 'Domain Computers' and
insisting that their primary group is actually 'Domain Users'.

>> [...]
>> There has to be a reason why you are using a dead OS and a dead 
>> version of Samba, but it escapes me.
> no, I don't use it any more; I would only underline that if it is a bug,
> it is an old bug.

I am not denying that, but if you are not using the old OS, does the
problem still exist on whatever version of Samba you are using now?

>> [...]
>> It looks like you are using the 'rid' idmap backend and if so, there 
>> is a bug for this, see here:
>> https://bugzilla.samba.org/show_bug.cgi?id=13371
> I can't understand 😕... seems that this bug is not present on build 
> from samba-4.10.0 but I find it on samba 4.17.3...
>> But your problem puts another slant on it, care to add to it?
> yes continue to remove empty PCs home folders, it's not a big problem...
> So do you suggest me to live with it, to do nothing, didn't you?

No, I suggested that you added to the bug report, this needs to be fixed 
so that users get the correct primary group and if that primary group is 
Domain Computers, then the user is ignored and you then wouldn't get 
home directories created for a computer. There may have to be a switch, 
something like 'treat computers as users = yes', because, knowing Samba, 
there will be someone somewhere that wants home directories for computers.
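
A check for the symptom discussed in this thread, as an added example that is not part of the original message or of Samba: it reads `getent passwd`-format lines and reports machine accounts whose primary GID maps to Domain Users instead of Domain Computers. Assumptions: the idmap_rid mapping ID = RID - BASE_RID + LOW_RANGE_ID, an idmap range starting at 10000 (inferred from the '10513' quoted above), the well-known RIDs 513 and 515, machine account names ending in '$', and a constructed EXAMPLE domain with constructed home paths.

```shell
#!/bin/sh
# Added example (not Samba's code): flag machine accounts in passwd-format input.
# Assumed mapping for idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID
# Well-known RIDs: 513 = Domain Users, 515 = Domain Computers.

# usage: flag_machine_accounts LOW_RANGE_ID [BASE_RID] < passwd-lines
flag_machine_accounts() {
    awk -F: -v low="$1" -v base="${2:-0}" '
        BEGIN { users = 513 - base + low; computers = 515 - base + low }
        # Machine (computer) account names end in a literal "$".
        $1 ~ /\$$/ {
            if ($4 == users)          verdict = "WRONG_GROUP_DOMAIN_USERS"
            else if ($4 == computers) verdict = "OK_DOMAIN_COMPUTERS"
            else                      verdict = "OTHER_GID"
            printf "%s gid=%s home=%s %s\n", $1, $4, $6, verdict
        }'
}

# Count only the accounts showing the symptom from the thread.
count_misgrouped() {
    flag_machine_accounts "$@" |
        awk '/WRONG_GROUP_DOMAIN_USERS$/ { n++ } END { print n + 0 }'
}

# Constructed sample in getent passwd format (not taken from the thread).
sample_passwd() {
    cat <<'EOF'
EXAMPLE\alice:*:11104:10513::/home/EXAMPLE/alice:/bin/bash
EXAMPLE\pc01$:*:11220:10513::/home/EXAMPLE/pc01$:/bin/false
EXAMPLE\pc02$:*:11221:10515::/home/EXAMPLE/pc02$:/bin/false
EOF
}

# Demo on the constructed sample; on a real member server, pipe in
# `getent passwd` output and pass the low end of your own idmap range.
sample_passwd | flag_machine_accounts 10000
```

The home path printed for each flagged account is the directory to review before removing it by hand.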

