[Samba] Fwd: samba-gpupdate nsswitch error

Rowland Penny rpenny at samba.org
Mon Mar 13 16:54:39 UTC 2023



On 13/03/2023 16:38, David Mulder via samba wrote:
> 
> On 3/13/23 10:25 AM, Rowland Penny via samba wrote:
>>
>> Is '1600' the RID for a computer ?
>>
>> If it is, I think I understand why the messages are occurring.
>>
>> On Windows, a computer is just a user, but with an extra objectclass 
>> and a few other differences, amongst which is the primary group 
>> (Domain Computers instead of Domain Users) and the username ends in '$'
>>
>> I could be missing it and the code is very complex (David, you are a 
>> lot smarter than me), but there doesn't seem to be anything to 
>> discover that this is a computer and the code is treating it as user.
>>
>> The fix ? Add code to bail out if you are trying to set a User GPO on 
>> a Machine.
>>
> This is actually old code, which I didn't write (and I don't understand 
> it terribly well). Though from looking through the code, I'm pretty sure 
> User vs Machine policies are being handled correctly. It's failing while 
> fetching a security token for the Machine object (and Peter has been 
> having issues when it's fetching the user token). Finding the correct 
> GPOs to apply to Machine or User is done in ads_get_gpo_list_internal().
> 
> I am ripping all this out though, and I'll be replacing it soon (I'm in 
> the middle of work on this). Instead of tying into this old library, I'm 
> just communicating with ldap via a SamDB object (in python). So far this 
> seems to be much less prone to error.
> 

Glad it isn't just myself having problems understanding that code, it is 
horrible :-D

If it is a machine, why is it trying to look up a uid ? I traced where 
the error message is coming from, but couldn't understand what was 
calling it, perhaps if I spent a morning, I could track this down, but 
probably not worth it, if the code is going.

Rowland



