On 15/12/2022 08:23, Piviul via samba wrote:
> Sorry for the answer delay...
>
> On 12/2/22 14:13, Rowland Penny via samba wrote:
>> I think you are going to have to give us more info. For some reason,
>> PAM seems to be treating the computers as users (which they are in AD,
>> but rather special users), also it isn't winbind that creates home
>> directories, it is a PAM plugin.
>
> Yes, you are right; in effect I can't find PC names in users:
>
> $ wbinfo --domain-users | grep $(hostname)
> $
>
> or in groups
>
> $ wbinfo --domain-groups | grep $(hostname)
> $
>
> but for PAM the PC is a user:
>
> $ getent passwd $(wbinfo --own-domain)\\$(hostname)$
> DOMINIOCSA\psala-lx$:*:21298:10513::/home/DOMINIOCSA/psala-lx_:/bin/bash
No, that isn't PAM, it is a combination of winbind and nsswitch, though
it looks like there is a bug: '10513' is undoubtedly Domain Users, and a
computer's primary group is Domain Computers.
>
> and it is a group too:
>
> $ getent group $(wbinfo --own-domain)\\$(hostname)$
> DOMINIOCSA\psala-lx$:x:21298:DOMINIOCSA\psala-lx$
That is probably a side effect of the winbind code (synthetic users
group) and possibly would not happen if the 'ad' idmap backend was used.
>
> in my nsswitch.conf I have only set:
>
> $ grep winbind /etc/nsswitch.conf
> passwd:         files winbind systemd
> group:          files winbind systemd
>
> Is there something else I have to do to instruct PAM how to get users?
It isn't PAM.
>
>> What OS ?
>
> from debian stretch with built-in samba 4.5.16 to debian bookworm with
> built-in samba 4.17.3.
There has to be a reason why you are using a dead OS and a dead version
of Samba, but it escapes me.
>
>> How have you set the mkhomedir option ?
> $ grep mkhomedir /etc/security/pam_winbind.conf
> mkhomedir = yes
That is just calling pam_mkhomedir.
>
>> Why are the PC's connecting as users ?
>
> I don't know, I was thinking it was inside the SMB protocol but... never
> take anything for granted ;)
I was just asking in case you were doing something strange, which it
appears you are not. This must be down to another of Windows' strange
ideas, where a computer is also a user, something that is meaningless to
Unix.
It looks like you are using the 'rid' idmap backend and if so, there is
a bug for this, see here:
https://bugzilla.samba.org/show_bug.cgi?id=13371
But your problem puts another slant on it, care to add to it ?
Rowland
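As an added example (not code from the thread, from Piviul's machine or from Samba), the following script applies the check Rowland performs by eye above to `getent passwd` / `getent group` output: with the 'rid' idmap backend a Unix id is `range_low + RID`, and the well-known RIDs 513 (Domain Users) and 515 (Domain Computers) are fixed by Active Directory. It flags machine accounts (names ending in `$`) whose primary gid does not map back to RID 515, and machine accounts that also appear as a group with a gid equal to their uid (the "synthetic users group" Rowland describes). The idmap range `10000 - 999999` and all sample lines other than the two `psala-lx$` lines from the thread are assumptions made up for the example.

```python
#!/usr/bin/env python3
"""Flag AD machine accounts whose winbind/NSS mapping looks wrong.

Added example, not code from the thread or from Samba. It assumes the
'rid' idmap backend (unix id = range_low + RID) and an idmap range of
10000-999999; both the range and the non-psala-lx$ sample lines below
are constructed for illustration.
"""

# Well-known domain-relative RIDs, fixed by Active Directory.
DOMAIN_USERS_RID = 513
DOMAIN_COMPUTERS_RID = 515

# Assumed 'idmap config DOMINIOCSA : range = 10000 - 999999'.
RANGE_LOW = 10000
RANGE_HIGH = 999999

# Constructed 'getent passwd' / 'getent group' output. The psala-lx$ lines
# reproduce the thread's output; piviul and srv01$ are made up.
PASSWD_LINES = [
    r"DOMINIOCSA\psala-lx$:*:21298:10513::/home/DOMINIOCSA/psala-lx_:/bin/bash",
    r"DOMINIOCSA\piviul:*:11105:10513::/home/DOMINIOCSA/piviul:/bin/bash",
    r"DOMINIOCSA\srv01$:*:21300:10515::/home/DOMINIOCSA/srv01_:/bin/bash",
]
GROUP_LINES = [
    r"DOMINIOCSA\psala-lx$:x:21298:DOMINIOCSA\psala-lx$",
    r"DOMINIOCSA\domain users:x:10513:",
    r"DOMINIOCSA\domain computers:x:10515:",
]


def id_to_rid(unix_id, range_low=RANGE_LOW, range_high=RANGE_HIGH):
    """Invert the rid backend mapping; None if the id is outside the range."""
    if not range_low <= unix_id <= range_high:
        return None
    return unix_id - range_low


def parse_passwd(line):
    """Split one passwd(5) line into the fields we care about."""
    name, _pw, uid, gid, _gecos, home, shell = line.split(":")
    return {"name": name, "uid": int(uid), "gid": int(gid),
            "home": home, "shell": shell}


def parse_group(line):
    """Split one group(5) line; members is a comma-separated list."""
    name, _pw, gid, members = line.split(":")
    return {"name": name, "gid": int(gid),
            "members": [m for m in members.split(",") if m]}


def is_machine_account(name):
    """AD computer accounts have sAMAccountName 'host$'; NSS keeps the '$'."""
    return name.endswith("$")


def check_machine_accounts(passwd_lines, group_lines,
                           range_low=RANGE_LOW, range_high=RANGE_HIGH):
    """Return {machine account name: [problem descriptions]}.

    An empty list means the account's mapping looks as expected.
    """
    groups = {g["gid"]: g for g in map(parse_group, group_lines)}
    expected_gid = range_low + DOMAIN_COMPUTERS_RID
    findings = {}
    for entry in map(parse_passwd, passwd_lines):
        if not is_machine_account(entry["name"]):
            continue
        problems = []
        rid = id_to_rid(entry["gid"], range_low, range_high)
        if rid != DOMAIN_COMPUTERS_RID:
            label = "Domain Users" if rid == DOMAIN_USERS_RID else f"RID {rid}"
            problems.append(
                f"primary gid {entry['gid']} is {label}; "
                f"expected {expected_gid} (Domain Computers, RID 515)")
        # A group whose gid equals the account's uid and whose name is the
        # account itself is the synthetic per-user group.
        own = groups.get(entry["uid"])
        if own and own["name"] == entry["name"]:
            problems.append(
                f"synthetic group {own['name']} with gid {own['gid']} equal to uid")
        findings[entry["name"]] = problems
    return findings


if __name__ == "__main__":
    for account, problems in check_machine_accounts(PASSWD_LINES, GROUP_LINES).items():
        status = "; ".join(problems) if problems else "ok"
        print(f"{account}: {status}")
```

On a real member server the two lists would come from `getent passwd` and `getent group` after confirming with `testparm -s` which idmap backend and range are configured for the domain; with the 'ad' backend the RID arithmetic does not apply and the gid must instead be compared against the gidNumber attribute of Domain Computers.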