On 15/12/2022 08:23, Piviul via samba wrote:
> Sorry for the answer delay...
>
> On 12/2/22 14:13, Rowland Penny via samba wrote:
>> I think you are going to have to give us more info. For some reason,
>> PAM seems to be treating the computers as users (which they are in AD,
>> but rather special users), also it isn't winbind that creates home
>> directories, it is a PAM plugin.
>
> yes, you are right, in effect I can't find PC names in users
>
> $ wbinfo --domain-users | grep $(hostname)
> $
>
> or in groups
>
> $ wbinfo --domain-groups | grep $(hostname)
> $
>
> but for PAM the PC is a user:
>
> $ getent passwd $(wbinfo --own-domain)\\$(hostname)$
> DOMINIOCSA\psala-lx$:*:21298:10513::/home/DOMINIOCSA/psala-lx_:/bin/bash

No that isn't PAM, it is a combination of winbind and nsswitch, though it looks like there is a bug, '10513' is undoubtedly Domain Users and a computer's primary group is Domain Computers.

>
> and it is a group too:
>
> $ getent group $(wbinfo --own-domain)\\$(hostname)$
> DOMINIOCSA\psala-lx$:x:21298:DOMINIOCSA\psala-lx$

That is probably a side effect of the winbind code (synthetic users group) and possibly would not happen if the 'ad' idmap backend was used.

>
> in my nsswitch.conf I have only set:
>
> $ grep winbind /etc/nsswitch.conf
> passwd:         files winbind systemd
> group:          files winbind systemd
>
> There is something else I have to do to instruct PAM how to get users?

It isn't PAM.

>
>> What OS ?
>
> from debian stretch with built-in samba 4.5.16 to debian bookworm with
> built-in samba 4.17.3.

There has to be a reason why you are using a dead OS and a dead version of Samba, but it escapes me.

>
>> How have you set the mkhomedir option ?
> $ grep mkhomedir /etc/security/pam_winbind.conf
> mkhomedir = yes

That is just calling pam_mkhomedir

>
>> Why are the PC's connecting as users ?
>
> I don't know, I was thinking was inside the smb protocol but... never
> take anything for granted ;)

I was just asking in case you were doing something strange, which it appears you are not. This must be down to another of Windows strange ideas, where a computer is also a user, something that is meaningless to Unix.

It looks like you are using the 'rid' idmap backend and if so, there is a bug for this, see here:

https://bugzilla.samba.org/show_bug.cgi?id=13371

But your problem puts another slant on it, care to add to it ?

Rowland

On 12/15/22 10:02, Rowland Penny via samba wrote:
> On 15/12/2022 08:23, Piviul via samba wrote:
>> Sorry for the answer delay...
>>
>> On 12/2/22 14:13, Rowland Penny via samba wrote:
>>> I think you are going to have to give us more info. For some reason,
>>> PAM seems to be treating the computers as users (which they are in
>>> AD, but rather special users), also it isn't winbind that creates
>>> home directories, it is a PAM plugin.
>>
>> yes, you are right, in effect I can't find PC names in users
>>
>> $ wbinfo --domain-users | grep $(hostname)
>> $
>>
>> or in groups
>>
>> $ wbinfo --domain-groups | grep $(hostname)
>> $
>>
>> but for PAM the PC is a user:
>>
>> $ getent passwd $(wbinfo --own-domain)\\$(hostname)$
>> DOMINIOCSA\psala-lx$:*:21298:10513::/home/DOMINIOCSA/psala-lx_:/bin/bash
>
> No that isn't PAM, it is a combination of winbind and nsswitch, though
> it looks like there is a bug, '10513' is undoubtedly Domain Users and
> a computer's primary group is Domain Computers.

ok, it isn't PAM... so do you think it's a bug but not related to the idmap backend I use and even migrating the idmap backend from rid to ad, PAM will continue to create PCs home folders because winbind will continue to say that PCs are users and have "Domain Users" as a primary group, didn't you?

> [...]
> There has to be a reason why you are using a dead OS and a dead
> version of Samba, but it escapes me.

no, I don't use it any more; I would only underline that if it is a bug, it is an old bug.

> [...]
> It looks like you are using the 'rid' idmap backend and if so, there
> is a bug for this, see here:
>
> https://bugzilla.samba.org/show_bug.cgi?id=13371

I can't understand ?... seems that this bug is not present on build from samba-4.10.0 but I find it on samba 4.17.3...

> But your problem puts another slant on it, care to add to it ?

yes continue to remove empty PCs home folders, it's not a big problem... So do you suggest me to live with it, to do nothing, didn't you?

Have a great day

Piviul
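
Added example, not part of either post above and not Samba's own code: a small audit of passwd-format output that picks out machine accounts (names ending in `$`), reports which well-known RID their primary group maps to, and lists their empty home directories. It assumes the 'rid' idmap backend with a range starting at 10000 (`RANGE_LOW`, inferred from the 10513 above); the function names and the second sample line are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: idmap 'rid' backend whose
# range starts at RANGE_LOW, so unix id = RANGE_LOW + RID.
RANGE_LOW=${RANGE_LOW:-10000}   # assumed value; take the real one from smb.conf

# Reads passwd(5)-format lines on stdin. For each machine account (name
# ends in "$") prints: name gid primary-group-RID verdict home
# Well-known RIDs: 513 = Domain Users, 515 = Domain Computers.
audit_machine_accounts() {
    awk -F: -v low="$RANGE_LOW" '
        $1 ~ /\$$/ {
            rid = $4 - low
            if (rid == 515) { verdict = "domain-computers" }
            else if (rid == 513) { verdict = "domain-users" }
            else { verdict = "other" }
            printf "%s %s %s %s %s\n", $1, $4, rid, verdict, $6
        }'
}

# Reads audit_machine_accounts output; prints the home directories that
# exist and are empty (candidates for the cleanup mentioned in the thread).
empty_machine_homes() {
    while read -r _name _gid _rid _verdict home; do
        if [ -d "$home" ] && [ -z "$(ls -A "$home")" ]; then
            printf '%s\n' "$home"
        fi
    done
}

# First line is the getent output quoted in the thread; second is constructed.
sample_passwd() {
    cat <<'EOF'
DOMINIOCSA\psala-lx$:*:21298:10513::/home/DOMINIOCSA/psala-lx_:/bin/bash
DOMINIOCSA\alice:*:11105:10513::/home/DOMINIOCSA/alice:/bin/bash
EOF
}

sample_passwd | audit_machine_accounts
```

On a domain member, pipe the output of the `getent passwd` command quoted above into `audit_machine_accounts`, and pipe its result into `empty_machine_homes` to see which machine home directories are empty.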