[Samba] pam_winbind and home folders

Piviul piviul at riminilug.it
Fri Dec 16 15:10:02 UTC 2022

On 12/16/22 09:22, Rowland Penny via samba wrote:
> On 16/12/2022 07:49, Piviul via samba wrote:
>>> No that isn't PAM, it is a combination of winbind and nsswitch, 
>>> though it looks like there is a bug, '10513' is undoubtedly Domain 
>>> Users and a computers primary group is Domain Computers.
>> ok, it isn't PAM... so do you think it's a bug but not related to the 
>> idmap backend I use and even migrating the idmap backend from rid to 
>> ad, PAM will continue to create PCs home folders because windbind 
>> will continue to say that PCs are users and have "Domain Users" as a 
>> primary group, didn't you?
> That is not what I said, If you use the 'rid' idmap backend, then all 
> users get a 'synthetic' user group of the same name (which is the way 
> Linux works, every local user has a group with the same name). Your 
> problem is that Samba (when using the 'rid' idmap backend) does this 
> for all users, including users that aren't really users in the Unix 
> way: 'computers'. The 'rid' idmap backend is then further complicating 
> things by ignoring the 'computer' users primary group 'Domain 
> Computers' and insisting that their primary group is actually 'Domain 
> Users'.

ok, you are right, that's more I argued from the bug report. Reading the 
bug report I can argue that winbind assign as a primary group "Domain 
Users" even if the primary group is another group. This happen in idmap 
rid and idmap ad. This happen to real users or PC users. Do you agree?

There is a link between this bug and the PCs home folders I found in the 
users home directory?

>>> [...]
>>> There has to be a reason why you are using a dead OS and a dead 
>>> version of Samba, but it escapes me.
>> no, I don't use it any more; I would only underline that if it is a 
>> bug is an old bug.
> I am not denying that, but if you are not using the old OS, does the 
> problem still exist on what ever version of Samba you are using now ?

I'm confused... this bug affect any samba version I used, affect even 
old versions and I hope doesn't depend from the members samba versions 

>>> [...]
>>> It looks like you are using the 'rid' idmap backend and if so, there 
>>> is a bug for this, see here:
>>> https://bugzilla.samba.org/show_bug.cgi?id=13371
>> I can't understand 😕... seems that this bug is not present on build 
>> from samba-4.10.0 but I find it on samba 4.17.3...
>>> But your problem puts another slant on it, care to add to it ?
>> yes continue to remove empty PCs home folders, it's not a big problem...
>> So do you suggest me to live with it, to do nothing, didn't you?
> No, I suggested that you added to the bug report, this needs to be 
> fixed so that users get the correct primary group and if that primary 
> group is Domain Computers, then the user is ignored and you then 
> wouldn't get home directories created for a computer. There may have 
> to be a switch, something like 'treat computers as users = yes', 
> because, knowing Samba, there will be someone somewhere that wants 
> home directories for computers.

Ok, so do you think that home folders are created because PC "users" 
have "Domain Users" as a default group so do you suggest me to add this 
problem to the bug report... but are you sure?


More information about the samba mailing list