On 01/06/2021 08:08, Piviul via samba wrote:
> On 31/05/21 17:47, Rowland penny via samba wrote:
>> [...]
>> What OS is this ?
> $ lsb_release -a
> No LSB modules are available.
> Distributor ID: Debian
> Description:    Debian GNU/Linux 10 (buster)
> Release:        10
> Codename:       buster

Just saying Debian buster would have been enough.

>> Normally, the users Unix home directory is the one shown by 'getent
>> passwd USERNAME' ,
>
> mhhh.... in effect if I run the command getent passwd using a hostname
> instead of a username I get something similar to:

Ah, I now know where the spurious home directories are coming from.

> # getent passwd <domain>\\<hostname>$
>
> <domain>\<hostname>$:*:22110:10513::/home/<domain>/<hostname>_:/bin/bash
>
> There is something wrong in domain configuration?

No, there is nothing wrong with the domain configuration (as such), but there is something wrong with your understanding of AD. A computer in AD is just a user with an extra objectclass (funnily enough, this objectclass is called 'computer'), so you shouldn't really be running getent using a computer name. This doesn't affect Linux unless your computers gain a uidNumber and congratulations, you appear to have found a bug.

Can you try removing what you added to /etc/security/pam_winbind.conf and then run pam-auth-update and ensure 'Create home directory on login' is enabled. This may cure your problem.

>> So I have no idea where your extra folders are coming from. Can you
>> post your smb.conf and the contents of /etc/security/pam_winbind.conf
>
> $ testparm
>
> # Global parameters
> [global]
>     log file = /var/log/samba/log.%m
>     logging = file
>     map to guest = Bad User
>     max log size = 1000
>     obey pam restrictions = Yes
>     pam password change = Yes
>     panic action = /usr/share/samba/panic-action %d
>     realm = AD.CSARICERCHE.COM
>     security = ADS
>     server min protocol = NT1
>     server string = %h server
>     template shell = /bin/bash
>     usershare allow guests = Yes
>     winbind refresh tickets = Yes
>     wins server = 192.168.64.2

'wins' in AD ?????

Rowland

On Tue, Jun 1, 2021 at 3:53 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> This doesn't affect Linux unless your computers gain a uidNumber and
> congratulations, you appear to have found
> a bug.
>

I believe RID backend, which is being used here, can provide idmapping for computer accounts, since it just algorithmically maps IDs to SIDs. This can be helpful in some situations IIRC where Windows may attempt to authenticate to the samba server using its machine account rather than the account of the currently logged in user. I believe some backup software does this.

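Added illustration, not part of the original thread or of Samba's own code: the idmap_rid backend computes ID = RID - BASE_RID + LOW_RANGE_ID for every SID in the domain, so a computer account (name ending in `$`) gets a uid just like a user. The sketch below reads `getent passwd`-format lines and lists machine accounts with the RID implied by their uid; the range start 10000 and base RID 0 are assumptions inferred from the gid 10513 (Domain Users, RID 513) shown in the thread, and the sample lines and names are constructed.

```shell
#!/bin/sh
# Added example: find machine accounts in passwd-format input and recover
# the RID that idmap_rid mapped each uid from.
# Formula (man idmap_rid): ID = RID - BASE_RID + LOW_RANGE_ID
# The defaults below are assumptions, not values from the poster's smb.conf.

machine_accounts() {
    # $1 = low end of the idmap range (assumed 10000)
    # $2 = base_rid (assumed 0)
    # stdin  = passwd-format lines
    # stdout = "name uid rid home" for each machine account
    awk -F: -v low="${1:-10000}" -v base="${2:-0}" '
        # AD computer accounts have an account name ending in "$"
        $1 ~ /\$$/ {
            rid = $3 - low + base
            print $1, $3, rid, $6
        }'
}

# Constructed sample input: placeholder names, uid/gid values as in the thread
sample_passwd() {
    cat <<'EOF'
EXAMPLE\alice:*:11105:10513::/home/EXAMPLE/alice:/bin/bash
EXAMPLE\pc01$:*:22110:10513::/home/EXAMPLE/pc01_:/bin/bash
EOF
}

sample_passwd | machine_accounts 10000 0
```

The home directory column is the path that a "create home directory on login" PAM step would create if a session were ever opened for that machine account.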
Sorry for the delay, I've gone out for some days...

On 01/06/21 09:52, Rowland penny via samba wrote:
> [...]
> No, there is nothing wrong with the domain configuration (as such),
> but there is something wrong with your understanding of AD. A computer
> in AD is just a user with an extra objectclass (funnily enough, this
> objectclass is called 'computer'), so you shouldn't really be running
> getent using a computer name . This doesn't affect Linux unless your
> computers gain a uidNumber and congratulations, you appear to have
> found a bug. Can you try removing what you added to
> /etc/security/pam_winbind.conf and then run pam-auth-update and ensure
> 'Create home directory on login' is enabled. This may cure your problem.

Hi Rowland, I'm not the one that asks a uidNumber to a PC name, but I guess that some program does: I continue to see computers' names in domain home directory even if I delete them.

>>> So I have no idea where your extra folders are coming from. Can you
>>> post your smb.conf and the contents of /etc/security/pam_winbind.conf
>>
>> $ testparm
>>
>> # Global parameters
>> [global]
>>     log file = /var/log/samba/log.%m
>>     logging = file
>>     map to guest = Bad User
>>     max log size = 1000
>>     obey pam restrictions = Yes
>>     pam password change = Yes
>>     panic action = /usr/share/samba/panic-action %d
>>     realm = AD.CSARICERCHE.COM
>>     security = ADS
>>     server min protocol = NT1
>>     server string = %h server
>>     template shell = /bin/bash
>>     usershare allow guests = Yes
>>     winbind refresh tickets = Yes
>>     wins server = 192.168.64.2
>
>
> 'wins' in AD ?????

...ooops! I don't know how that happened, the wins server param gone in my smb.conf; anyway I've removed it now, thank you Rowland.

Reading further in the post, seems me to understand that I can hope in the next future to stop to see PC's home folders in the domain users home folder?

Best regards

Piviul