On 03/06/2021 09:48, Marco Gaiarin via samba wrote:
> Mandi! Rowland penny via samba
> In chel di` si favelave...
>
>> I personally think that, as standard, Samba should ignore computers as
>> users.
> No, Rowland; if acting as SYSTEM user, windows client OS (try to; then
> fallback to guest if enabled) access shares and resources with the
> machine account, and this is EXTREMELY useful for, as an example, all
> the deploy/configuration system (that may have to access to passwords or
> private keys).
>
> I've currently assigned a GID to 'Domain Computers' (it is not
> ID_BOTH), and I assign UID to computer accounts.
>
>
> I don't use the 'mkhome' feature of winbind, but a script in [users]
> share. Anyway, I think that the best solution will be a simple filter
> in 'mkhome', like explicitly add 'require_membership_of = ' with the
> SID of 'Domain Users'.
>
OK, but the computers don't need a UID for the machine password to work:

rowland@devstation:~$ getent passwd devstation$
rowland@devstation:~$

As you can see, the 'user' 'devstation$' is unknown.
However an ldap search using the machine password works:

rowland@devstation:~$ sudo ldbsearch -H ldap://rpidc1 -P 'sAMAccountName=rowland' | grep 'sAMAccountName'
sAMAccountName: rowland
rowland@devstation:~$

Rowland
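
The filter discussed in this thread, sketched as an added example (not code from either poster or from Samba): a home-creation helper that refuses machine accounts and requires membership of a group before creating anything. The function names, `HOME_ROOT`, `REQUIRED_GROUP` and the idea of calling it from a share's preexec script are assumptions; membership is compared by numeric GID because group names such as 'Domain Users' contain spaces.

```shell
#!/bin/sh
# Added example: gate home-directory creation on account type and group.
# Assumed names (not from the thread): HOME_ROOT, REQUIRED_GROUP, all functions.
REQUIRED_GROUP="${REQUIRED_GROUP:-Domain Users}"
HOME_ROOT="${HOME_ROOT:-/home}"

# NSS lookups live in small functions so they can be swapped out for testing.
user_gids() { id -G "$1" 2>/dev/null; }                      # numeric GIDs
group_gid() { getent group "$1" 2>/dev/null | cut -d: -f3; } # GID of a group

# A computer's sAMAccountName ends in '$' (e.g. devstation$).
is_machine_account() {
    case "$1" in
        *'$') return 0 ;;
        *)    return 1 ;;
    esac
}

# Succeeds only for a non-machine account that is in REQUIRED_GROUP.
may_create_home() {
    user="$1"
    case "$user" in
        ''|.|..|*/*) return 1 ;;        # never build a path from these
    esac
    is_machine_account "$user" && return 1
    want="$(group_gid "$REQUIRED_GROUP")"
    [ -n "$want" ] || return 1          # group unresolved: fail closed
    for gid in $(user_gids "$user"); do
        [ "$gid" = "$want" ] && return 0
    done
    return 1                            # unknown user or not a member
}

make_home() {
    may_create_home "$1" || return 1
    dir="$HOME_ROOT/$1"
    [ -d "$dir" ] || { mkdir -m 0700 "$dir" && chown "$1" "$dir"; }
}

# When run as a script, the account name is the first argument.
if [ "$#" -gt 0 ]; then
    make_home "$1"
fi
```

A machine account that has no UID at all, as in the `getent passwd devstation$` output above, is rejected twice over: by the `$` suffix check and because `id -G` returns nothing for it.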