On Tue, Jun 1, 2021 at 4:41 PM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 01/06/2021 21:31, Andrew Walker wrote:
> > On Tue, Jun 1, 2021 at 3:53 AM Rowland penny via samba
> > <samba at lists.samba.org> wrote:
> >
> >     This doesn't affect Linux unless your computers gain a uidNumber
> >     and congratulations, you appear to have found
> >     a bug.
> >
> > I believe RID backend, which is being used here, can provide idmapping
> > for computer accounts, since it just algorithmically maps IDs to SIDs.
> > This can be helpful in some situations IIRC where Windows may attempt
> > to authenticate to the samba server using its machine account rather
> > than the account of the currently logged in user. I believe some
> > backup software does this.
> >
> I found this out, I had never thought to run 'getent passwd' with a
> computer name, but when I tried it using the 'rid' backend, it worked.
> In my opinion it shouldn't, but if it has to, it shouldn't show the
> computer's primary group as Domain Users.
>
> Rowland

I'll have to think about this some, but I think I agree on this point. Perhaps for idmap backends supporting ID_TYPE_BOTH, we could just set primary gid to uid.

On Tue, Jun 1, 2021 at 5:41 PM Andrew Walker <walker.aj325 at gmail.com> wrote:

> On Tue, Jun 1, 2021 at 4:41 PM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>
>> On 01/06/2021 21:31, Andrew Walker wrote:
>> > On Tue, Jun 1, 2021 at 3:53 AM Rowland penny via samba
>> > <samba at lists.samba.org> wrote:
>> >
>> >     This doesn't affect Linux unless your computers gain a uidNumber
>> >     and congratulations, you appear to have found
>> >     a bug.
>> >
>> > I believe RID backend, which is being used here, can provide idmapping
>> > for computer accounts, since it just algorithmically maps IDs to SIDs.
>> > This can be helpful in some situations IIRC where Windows may attempt
>> > to authenticate to the samba server using its machine account rather
>> > than the account of the currently logged in user. I believe some
>> > backup software does this.
>>
>> I found this out, I had never thought to run 'getent passwd' with a
>> computer name, but when I tried it using the 'rid' backend, it worked.
>> In my opinion it shouldn't, but if it has to, it shouldn't show the
>> computer's primary group as Domain Users.
>>
>> Rowland
>
> I'll have to think about this some, but I think I agree on this point.
> Perhaps for idmap backends supporting ID_TYPE_BOTH, we could just set
> primary gid to uid.

No. That's wrong. We probably need to have a primary group of "Domain Computers" to be correct.

On 01/06/2021 22:41, Andrew Walker wrote:

> On Tue, Jun 1, 2021 at 4:41 PM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>
>     On 01/06/2021 21:31, Andrew Walker wrote:
>     > On Tue, Jun 1, 2021 at 3:53 AM Rowland penny via samba
>     > <samba at lists.samba.org> wrote:
>     >
>     >     This doesn't affect Linux unless your computers gain a uidNumber
>     >     and congratulations, you appear to have found
>     >     a bug.
>     >
>     > I believe RID backend, which is being used here, can provide idmapping
>     > for computer accounts, since it just algorithmically maps IDs to SIDs.
>     > This can be helpful in some situations IIRC where Windows may attempt
>     > to authenticate to the samba server using its machine account rather
>     > than the account of the currently logged in user. I believe some
>     > backup software does this.
>     >
>     I found this out, I had never thought to run 'getent passwd' with a
>     computer name, but when I tried it using the 'rid' backend, it worked.
>     In my opinion it shouldn't, but if it has to, it shouldn't show the
>     computer's primary group as Domain Users.
>
>     Rowland
>
> I'll have to think about this some, but I think I agree on this point.
> Perhaps for idmap backends supporting ID_TYPE_BOTH, we could just set
> primary gid to uid.

I personally think that, as standard, Samba should ignore computers as users. If it must occur because of (in my opinion) broken applications, it should be by a switch similar to the 'unix_primary_group = yes' used by the 'ad' backend.

Rowland
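
Added example, not part of any message in this thread: a Python check over `getent passwd` output that inverts the idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID) and reports machine accounts whose primary group maps to Domain Users (RID 513) rather than Domain Computers (RID 515). The range low value 10000, the SAMDOM names and the sample lines are constructed assumptions.

```python
# Added example: audit machine accounts exposed through the 'rid' idmap backend.
LOW_ID = 10000               # assumed low end of "idmap config SAMDOM : range"
BASE_RID = 0                 # idmap_rid base_rid (documented default is 0)
DOMAIN_USERS_RID = 513       # well-known RID of Domain Users
DOMAIN_COMPUTERS_RID = 515   # well-known RID of Domain Computers


def id_to_rid(unix_id, low_id=LOW_ID, base_rid=BASE_RID):
    """Inverse of idmap_rid's mapping: RID = ID + BASE_RID - LOW_RANGE_ID."""
    return unix_id + base_rid - low_id


def audit_passwd(lines, low_id=LOW_ID, base_rid=BASE_RID):
    """Return one finding per machine account (name ending in '$')."""
    findings = []
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) != 7:
            continue  # not a passwd(5) record
        name, uid, gid = fields[0], fields[2], fields[3]
        if not name.endswith("$"):
            continue  # ordinary user, not a computer account
        if not (uid.isdigit() and gid.isdigit()):
            continue
        group_rid = id_to_rid(int(gid), low_id, base_rid)
        findings.append({
            "account": name,
            "account_rid": id_to_rid(int(uid), low_id, base_rid),
            "primary_group_rid": group_rid,
            "in_domain_users": group_rid == DOMAIN_USERS_RID,
        })
    return findings


# Constructed sample in getent passwd format (not captured from a real host).
SAMPLE = [
    r"SAMDOM\alice:*:11104:10513:Alice:/home/SAMDOM/alice:/bin/bash",
    r"SAMDOM\ws01$:*:11120:10513::/home/SAMDOM/ws01_:/bin/false",
    r"SAMDOM\bk01$:*:11121:10515::/home/SAMDOM/bk01_:/bin/false",
]

if __name__ == "__main__":
    for f in audit_passwd(SAMPLE):
        status = "Domain Users" if f["in_domain_users"] else "other group"
        print(f"{f['account']}: RID {f['account_rid']}, "
              f"primary group RID {f['primary_group_rid']} ({status})")
```

On a real member server, feed it the lines returned by `getent passwd` for the computer names of interest and set `LOW_ID` to the low end of the domain's configured idmap range.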