[Samba] Fwd: samba-gpupdate nsswitch error
David Mulder
dmulder at samba.org
Mon Mar 13 16:38:56 UTC 2023
On 3/13/23 10:25 AM, Rowland Penny via samba wrote:
>
> Is '1600' the RID for a computer ?
>
> If it is, I think I understand why the messages are occurring.
>
> On Windows, a computer is just a user, but with an extra objectclass
> and a few other differences, amongst which is the primary group
> (Domain Computers instead of Domain Users) and the username ends in '$'
>
> I could be missing it and the code is very complex (David, you are a
> lot smarter than me), but there doesn't seem to be anything to
> discover that this is a computer and the code is treating it as user.
>
> The fix ? Add code to bail out if you are trying to set a User GPO on
> a Machine.
>
This is actually old code, which I didn't write (and I don't understand
it terribly well). Though from looking through the code, I'm pretty sure
User vs Machine policies are being handled correctly. It's failing while
fetching a security token for the Machine object (and Peter has been
having issues when it's fetching the user token). Finding the correct
GPOs to apply to Machine or User is done in ads_get_gpo_list_internal().
I am ripping all this out though, and I'll be replacing it soon (I'm in
the middle of work on this). Instead of tying into this old library, I'm
just communicating with ldap via a SamDB object (in python). So far this
seems to be much less prone to error.
--
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com
More information about the samba
mailing list