[Samba] Fwd: samba-gpupdate nsswitch error

[David Mulder]

On 3/13/23 10:25 AM, Rowland Penny via samba wrote:
>
> Is '1600' the RID for a computer ?
>
> If it is, I think I understand why the messages are occurring.
>
> On Windows, a computer is just a user, but with an extra objectclass 
> and a few other differences, amongst which is the primary group 
> (Domain Computers instead of Domain Users) and the username ends in '$'
>
> I could be missing it and the code is very complex (David, you are a 
> lot smarter than me), but there doesn't seem to be anything to 
> discover that this is a computer and the code is treating it as user.
>
> The fix ? Add code to bail out if you are trying to set a User GPO on 
> a Machine.
>
This is actually old code, which I didn't write (and I don't understand 
it terribly well). Though from looking through the code, I'm pretty sure 
User vs Machine policies are being handled correctly. It's failing while 
fetching a security token for the Machine object (and Peter has been 
having issues when it's fetching the user token). Finding the correct 
GPOs to apply to Machine or User is done in ads_get_gpo_list_internal().

I am ripping all this out though, and I'll be replacing it soon (I'm in 
the middle of work on this). Instead of tying into this old library, I'm 
just communicating with ldap via a SamDB object (in python). So far this 
seems to be much less prone to error.

-- 
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com