On 16/12/2022 15:10, Piviul via samba wrote:
> On 12/16/22 09:22, Rowland Penny via samba wrote:
>> On 16/12/2022 07:49, Piviul via samba wrote:
>>>>
>>>> No that isn't PAM, it is a combination of winbind and nsswitch,
>>>> though it looks like there is a bug, '10513' is undoubtedly Domain
>>>> Users and a computer's primary group is Domain Computers.
>>> ok, it isn't PAM... so do you think it's a bug but not related to the
>>> idmap backend I use and even migrating the idmap backend from rid to
>>> ad, PAM will continue to create PCs home folders because winbind
>>> will continue to say that PCs are users and have "Domain Users" as a
>>> primary group, didn't you?
>> That is not what I said, if you use the 'rid' idmap backend, then all
>> users get a 'synthetic' user group of the same name (which is the way
>> Linux works, every local user has a group with the same name). Your
>> problem is that Samba (when using the 'rid' idmap backend) does this
>> for all users, including users that aren't really users in the Unix
>> way: 'computers'. The 'rid' idmap backend is then further complicating
>> things by ignoring the 'computer' users' primary group 'Domain
>> Computers' and insisting that their primary group is actually 'Domain
>> Users'.
>
> ok, you are right, that's more I argued from the bug report. Reading the
> bug report I can argue that winbind assigns as a primary group "Domain
> Users" even if the primary group is another group. This happens in idmap
> rid and idmap ad. This happens to real users or PC users. Do you agree?
>
> Is there a link between this bug and the PCs home folders I found in the
> users home directory?
>
>>>> [...]
>>>> There has to be a reason why you are using a dead OS and a dead
>>>> version of Samba, but it escapes me.
>>>
>>> no, I don't use it any more; I would only underline that if it is a
>>> bug it is an old bug.
>>
>> I am not denying that, but if you are not using the old OS, does the
>> problem still exist on whatever version of Samba you are using now?
>
> I'm confused... this bug affects any samba version I used, affects even
> old versions and I hope doesn't depend on the members samba versions
> installed
>
>
>>>> [...]
>>>> It looks like you are using the 'rid' idmap backend and if so, there
>>>> is a bug for this, see here:
>>>>
>>>> https://bugzilla.samba.org/show_bug.cgi?id=13371
>>>
>>> I can't understand ?... seems that this bug is not present on build
>>> from samba-4.10.0 but I find it on samba 4.17.3...
>>>
>>>
>>>> But your problem puts another slant on it, care to add to it?
>>>
>>> yes continue to remove empty PCs home folders, it's not a big problem...
>>>
>>> So do you suggest me to live with it, to do nothing, didn't you?
>> No, I suggested that you added to the bug report, this needs to be
>> fixed so that users get the correct primary group and if that primary
>> group is Domain Computers, then the user is ignored and you then
>> wouldn't get home directories created for a computer. There may have
>> to be a switch, something like 'treat computers as users = yes',
>> because, knowing Samba, there will be someone somewhere that wants
>> home directories for computers.
>
> Ok, so do you think that home folders are created because PC "users"
> have "Domain Users" as a default group so do you suggest me to add this
> problem to the bug report... but are you sure?
>
> Piviul

The problem is that the user's primary group is ignored, even if
explicitly set when using the 'ad' idmap backend. If the bug was fixed,
the computer 'users' could be ignored because their primary group is
Domain Computers. Something along the lines of: Ignore a user if their
primary group is Domain Computers, unless a switch is set in smb.conf.

That is what I think should be added to the bug report.

Rowland