Dear colleagues,

Could you please describe for me, what is the process/mechanism of creation account for AD computers (hostname/domain_computers)?

Red Hat Enterprise Linux Server release 5.11 (Tikanga)
LSB Version: :core-4.0-ia32:core-4.0-noarch:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-ia32:printing-4.0-noarch
Kernel Version: 2.6.18-408.el5PAE
Samba Version 3.0.33-3.40.el5_10

For example I have a setting up samba server with AD integration. I have added some users to access samba.

Then when I try to access this server, connection was successfully established, in /home/ folder, I see folder for user, by which I log in - /home/username.

All is ok, but with this folder also created another folder for computer account, from which I logged in - /home/hostname , with Owner: hostname/domain_computers

How can I disable this?

Config in attachment.

Please help me!

Thanks in advance,
Dmitriy

On Sat, 4 Feb 2017 17:12:46 +0200
Dmitriy Merzlov via samba <samba at lists.samba.org> wrote:

> Dear colleagues,
>
> Could you please describe for me, what is the process/mechanism of
> creation account for AD computers (hostname/domain_computers)?

Not sure what you mean here, the computers account in AD should be created when the computer is joined to the domain.

> Red Hat Enterprise Linux Server release 5.11 (Tikanga)
>
> LSB Version:
> :core-4.0-ia32:core-4.0-noarch:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-ia32:printing-4.0-noarch
>
> Kernel Version: 2.6.18-408.el5PAE
>
> Samba Version 3.0.33-3.40.el5_10

Now whilst red-hat is still supporting RHEL5 and the version of Samba that comes with it, Samba declared 3.0.x EOL at the end of 2009.

> For example I have a setting up samba server with AD integration. I
> have added some users to access samba.
>
> Then when I try to access this server, connection was successfully
> established, in /home/ folder, I see folder for user, by which I log
> in - /home/username.
>
> All is ok, but with this folder also created another folder for
> computer account, from which I logged in - /home/hostname , with
> Owner: hostname/domain_computers

Samba is not creating the directories in /home , RHEL is, but I think your problem is that your computers have a uidNumber attribute.

> How can I disabled this?
>
> Config in attachment.

Attachments are removed on this list, please post it again, but inside the post ;-)

Rowland

On Sat, 4 Feb 2017 18:30:28 +0200
Dmitriy Merzlov <rxwrxrx at gmail.com> wrote:

> I will try to some explanation here:
>
> This is config smb.conf:
>

Before we get bogged down here, let's get something out of the way, you have this in smb.conf:

    unix password sync = Yes

Are your users in /etc/passwd and AD ?

Rowland

On Sat, 4 Feb 2017 20:24:05 +0200
Dmitriy Merzlov <rxwrxrx at gmail.com> wrote:

> No, my users only in AD.
>
> In this rhel server I add AD users only via
> *smbpasswd - a username*
> I'm not sure, needed this line or not, it can be removed.
>

You cannot have a local user and an AD user with the same name, so you might as well remove the line.

You do not add users to AD with 'smbpasswd', you add them with ADUC on a windows machine, or if your AD DC is a samba 4 DC, you can use samba-tool.

Your machine problem (home dirs being created) is due to computers in AD being not only computers but users as well, but I have never heard of this problem before.

Rowland

On Sat, 4 Feb 2017 21:14:33 +0200
Dmitriy Merzlov <rxwrxrx at gmail.com> wrote:

> I did not mean, that I create accounts via smbpasswd. I just add
> already existing AD accounts using this command for access to the
> server.

You shouldn't need to, you are using the winbind 'rid' backend, so your AD users should automatically become local Unix users as well, provided the libnss links and PAM are set up correctly.

> Samba installed as member DC.

Sorry, but if you are referring to the RHEL5 machine, it isn't, it is a Unix domain member. A member DC is something else entirely.

> I have another Debian server with newest version Samba 4.x.x & and I
> have not a problem same like this.

Yes, debian is a lot easier to set up.

> But I can not upgrade this server because have old software running
> only on Rhel5/centos5

I take it this is some proprietary software that you cannot upgrade.

Rowland

On Sun, 5 Feb 2017 09:19:18 +0200
Dmitriy Merzlov <rxwrxrx at gmail.com> wrote:

> So do you have any suggestions, How can I prevent creating this
> folders computer accounts with owner domain_computers,
> Or I need to set up daily script in crontab to remove folders with
> mask hostname* as workaround?:

As I said, Samba isn't directly creating the home dirs, your OS is. Your OS seems to be creating the computer home dirs because the winbind 'rid' backend is telling it that your computers are users. As I said previously, a computer's object in AD is virtually the same as a user's, in fact the only real difference is that a computer account has an extra objectclass 'objectclass: computer'.

So, I think you have two options here. One is to change to using the winbind 'ad' backend and give your users a uidNumber attribute and 'Domain Users' a gidNumber. This way your computer accounts will be ignored by winbind.

Your other option: because you are using RHEL, you should have an account with red-hat, so ask them if there is any way to config your OS to ignore the computer accounts.

Rowland
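
The following is an added illustration, not part of the thread and not Samba's code: a small Python model of the behaviour described in the last reply, where the 'rid' backend derives a Unix ID from every account's RID while the 'ad' backend only maps objects that carry a uidNumber. The directory entries, the ID range and the base RID are constructed sample values; the rid calculation follows the formula documented for idmap_rid (ID = RID - BASE_RID + LOW_RANGE_ID).

```python
# Added illustration: a model, not Samba source code.
# All directory entries and ranges below are constructed sample values.
LOW, HIGH = 10000, 49999   # assumed idmap range for the domain
BASE_RID = 0               # assumed base RID for the rid backend

USER = ["top", "person", "organizationalPerson", "user"]
COMPUTER = USER + ["computer"]   # a computer is a user plus one objectClass

ENTRIES = [
    {"name": "alice",  "rid": 1105, "objectClass": USER, "uidNumber": 10001},
    {"name": "bob",    "rid": 1106, "objectClass": USER},
    {"name": "WKS01$", "rid": 1107, "objectClass": COMPUTER},
    # Edge case: a machine account that was given a uidNumber.
    {"name": "WKS02$", "rid": 1108, "objectClass": COMPUTER, "uidNumber": 10050},
]

def in_range(uid):
    return uid is not None and LOW <= uid <= HIGH

def map_rid(entry):
    """rid backend: computed from the SID's RID, no attribute is consulted."""
    uid = entry["rid"] - BASE_RID + LOW
    return uid if in_range(uid) else None

def map_ad(entry):
    """ad backend: uses the uidNumber stored on the object, else no mapping."""
    uid = entry.get("uidNumber")
    return uid if in_range(uid) else None

def unix_users(mapper):
    """Accounts the OS would see as Unix users, with their uid."""
    mapped = ((e["name"], mapper(e)) for e in ENTRIES)
    return {name: uid for name, uid in mapped if uid is not None}

def mapped_machines(mapper):
    """Machine accounts that still resolve to a uid under this backend."""
    return sorted(e["name"] for e in ENTRIES
                  if "computer" in e["objectClass"] and mapper(e) is not None)

if __name__ == "__main__":
    for label, mapper in (("rid", map_rid), ("ad", map_ad)):
        print(label, unix_users(mapper), "machines:", mapped_machines(mapper))
```

In this model the 'ad' backend drops WKS01$ but still maps WKS02$, so a move to 'ad' only hides machine accounts that have no uidNumber set, and users without one (bob here) lose their mapping until the attribute is added.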