[Samba] pam_winbind and home folders

Rowland Penny rpenny at samba.org
Fri Dec 16 16:12:27 UTC 2022



On 16/12/2022 15:10, Piviul via samba wrote:
> On 12/16/22 09:22, Rowland Penny via samba wrote:
>> On 16/12/2022 07:49, Piviul via samba wrote:
>>>>
>>>> No that isn't PAM, it is a combination of winbind and nsswitch, 
>>>> though it looks like there is a bug, '10513' is undoubtedly Domain 
>>>> Users and a computer's primary group is Domain Computers.
>>> ok, it isn't PAM... so do you think it's a bug but not related to the 
>>> idmap backend I use and even migrating the idmap backend from rid to 
>>> ad, PAM will continue to create PCs home folders because winbind 
>>> will continue to say that PCs are users and have "Domain Users" as a 
>>> primary group, didn't you?
>> That is not what I said. If you use the 'rid' idmap backend, then all 
>> users get a 'synthetic' user group of the same name (which is the way 
>> Linux works, every local user has a group with the same name). Your 
>> problem is that Samba (when using the 'rid' idmap backend) does this 
>> for all users, including users that aren't really users in the Unix 
>> way: 'computers'. The 'rid' idmap backend is then further complicating 
>> things by ignoring the 'computer' users' primary group 'Domain 
>> Computers' and insisting that their primary group is actually 'Domain 
>> Users'.
> 
> ok, you are right, that's more than I argued from the bug report. Reading the 
> bug report I can argue that winbind assigns as a primary group "Domain 
> Users" even if the primary group is another group. This happens in idmap 
> rid and idmap ad. This happens to real users or PC users. Do you agree?
> 
> Is there a link between this bug and the PCs home folders I found in the 
> users home directory?
> 
>>>> [...]
>>>> There has to be a reason why you are using a dead OS and a dead 
>>>> version of Samba, but it escapes me.
>>>
>>> no, I don't use it any more; I would only underline that if it is a 
>>> bug it is an old bug.
>>
>> I am not denying that, but if you are not using the old OS, does the 
>> problem still exist on whatever version of Samba you are using now?
> 
> I'm confused... this bug affects any samba version I used, affects even 
> old versions and I hope doesn't depend on the members' samba versions 
> installed
> 
> 
>>>> [...]
>>>> It looks like you are using the 'rid' idmap backend and if so, there 
>>>> is a bug for this, see here:
>>>>
>>>> https://bugzilla.samba.org/show_bug.cgi?id=13371
>>>
>>> I can't understand 😕... seems that this bug is not present on build 
>>> from samba-4.10.0 but I find it on samba 4.17.3...
>>>
>>>
>>>> But your problem puts another slant on it, care to add to it ?
>>>
>>> yes continue to remove empty PCs home folders, it's not a big problem...
>>>
>>> So do you suggest me to live with it, to do nothing, didn't you?
>> No, I suggested that you added to the bug report, this needs to be 
>> fixed so that users get the correct primary group and if that primary 
>> group is Domain Computers, then the user is ignored and you then 
>> wouldn't get home directories created for a computer. There may have 
>> to be a switch, something like 'treat computers as users = yes', 
>> because, knowing Samba, there will be someone somewhere that wants 
>> home directories for computers.
> 
> Ok, so do you think that home folders are created because PC "users" 
> have "Domain Users" as a default group so do you suggest me to add this 
> problem to the bug report... but are you sure?
> 
> Piviul

The problem is that the user's primary group is ignored, even if 
explicitly set when using the 'ad' idmap backend. If the bug was fixed, 
the computer 'users' could be ignored because their primary group is 
Domain Computers. Something along the lines of: Ignore a user if their 
primary group is Domain Computers, unless a switch is set in smb.conf.

That is what I think should be added to the bug report.

Rowland
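
[Added example, not part of the original message and not Samba code.] A sketch of the rule proposed above, run over constructed `getent passwd`-style lines: it flags machine accounts reported with Domain Users as primary group and shows which accounts the rule would skip. Assumptions: an idmap low range of 10000 (consistent with the 10513 quoted in the thread), the well-known RIDs 513 and 515, and a hypothetical `treat_computers_as_users` switch that does not exist in smb.conf.

```python
# Added illustration; all sample data below is constructed.
DOMAIN_USERS_RID = 513       # well-known RID of Domain Users
DOMAIN_COMPUTERS_RID = 515   # well-known RID of Domain Computers

def rid_to_id(rid, low_range=10000, base_rid=0):
    # idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID.
    # low_range=10000 is an assumption matching the 10513 seen in the thread.
    return rid - base_rid + low_range

def parse_passwd(text):
    # Parse name:passwd:uid:gid:gecos:home:shell lines into dicts.
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        name, _pw, uid, gid, _gecos, home, _shell = fields
        entries.append({"name": name, "uid": int(uid),
                        "gid": int(gid), "home": home})
    return entries

def is_machine_account(name):
    # AD computer accounts have a sAMAccountName ending in '$'.
    return name.endswith("$")

def misreported_machines(entries, users_gid):
    # Symptom from the thread: a computer whose primary group is
    # reported as Domain Users instead of Domain Computers.
    return [e["name"] for e in entries
            if is_machine_account(e["name"]) and e["gid"] == users_gid]

def wants_home(entry, computers_gid, treat_computers_as_users=False):
    # Proposed rule: ignore an account whose primary group is Domain
    # Computers unless the (hypothetical) switch is set.
    if entry["gid"] == computers_gid and not treat_computers_as_users:
        return False
    return True

# Constructed sample: pc01$ shows the bug, pc02$ shows the fixed behaviour.
SAMPLE = """\
alice:*:11105:10513:Alice:/home/alice:/bin/bash
pc01$:*:11120:10513::/home/pc01$:/bin/false
pc02$:*:11121:10515::/home/pc02$:/bin/false
"""

if __name__ == "__main__":
    users, computers = rid_to_id(DOMAIN_USERS_RID), rid_to_id(DOMAIN_COMPUTERS_RID)
    entries = parse_passwd(SAMPLE)
    print("misreported:", misreported_machines(entries, users))
    print("homes for:", [e["name"] for e in entries if wants_home(e, computers)])
```

With the primary group misreported, pc01$ still passes the rule, which is why the rule only helps once the primary group is reported correctly.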


