On 01/06/2021 22:41, Andrew Walker wrote:
>
> On Tue, Jun 1, 2021 at 4:41 PM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>
> On 01/06/2021 21:31, Andrew Walker wrote:
> > On Tue, Jun 1, 2021 at 3:53 AM Rowland penny via samba
> > <samba at lists.samba.org> wrote:
> >
> >     This doesn't affect Linux unless your computers gain a uidNumber
> >     and congratulations, you appear to have found
> >     a bug.
> >
> >
> > I believe RID backend, which is being used here, can provide idmapping
> > for computer accounts, since it just algorithmically maps IDs to SIDs.
> > This can be helpful in some situations IIRC where Windows may attempt
> > to authenticate to the samba server using its machine account rather
> > than the account of the currently logged in user. I believe some
> > backup software does this.
>
>
> I found this out, I had never thought to run 'getent passwd' with a
> computer name, but when I tried it using the 'rid' backend, it worked.
> In my opinion it shouldn't, but if it has to, it shouldn't show the
> computer's primary group as Domain Users.
>
> Rowland
>
>
> I'll have to think about this some, but I think I agree on this point.
> Perhaps for idmap backends supporting ID_TYPE_BOTH, we could just set
> primary gid to uid.

I personally think that, as standard, Samba should ignore computers as
users. If it must occur because of (in my opinion) broken applications,
it should be by a switch similar to the 'unix_primary_group = yes' used
by the 'ad' backend.

Rowland