On 13/03/2023 15:11, Dr. Nicola Mingotti via samba wrote:
> Hi all,
>
> Peter, I think I have a problem similar to yours.
>
> I am running on Debian stable, package, bullseye backports
> ---
> $> /usr/sbin/samba --version
> Version 4.17.5-Debian
> ---
>
> I just moved my "dc" from another machine, using the join/demote
> procedure. Everything fine, but I see this ugly message in "journalctl -xe"
> -----------
>
> Mar 13 15:31:42 dc1 winbindd[482]: /usr/sbin/samba-gpupdate:
> add_local_groups: SID S-1-5-21-2112549936-2540803609-4198596461-1600 ->
> getpwuid(3000148) failed, is nsswitch configured?

Is '1600' the RID for a computer ?

If it is, I think I understand why the messages are occurring.

On Windows, a computer is just a user, but with an extra objectclass and a few other differences, amongst which is the primary group (Domain Computers instead of Domain Users) and the username ends in '$'

I could be missing it and the code is very complex (David, you are a lot smarter than me), but there doesn't seem to be anything to discover that this is a computer and the code is treating it as user.

The fix ? Add code to bail out if you are trying to set a User GPO on a Machine.

Rowland
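
The attributes Rowland lists (extra objectclass, primary group, trailing '$') can be checked mechanically. The following is an added example, not code from Samba or from anyone in this thread: it parses the journal line quoted above and classifies directory entries, which are assumed to be plain dicts of LDAP attributes; the three sample entries are constructed, and the function names are hypothetical.

```python
import re

# Well-known RIDs of the default primary groups in an AD domain.
DOMAIN_USERS, DOMAIN_COMPUTERS, DOMAIN_CONTROLLERS = 513, 515, 516
# userAccountControl trust-account bits (workstation/member server, DC).
UF_WORKSTATION_TRUST, UF_SERVER_TRUST = 0x1000, 0x2000

# The journal line from the message above, unwrapped onto one line.
LOG_LINE = ("Mar 13 15:31:42 dc1 winbindd[482]: /usr/sbin/samba-gpupdate: "
            "add_local_groups: SID S-1-5-21-2112549936-2540803609-4198596461-1600 "
            "-> getpwuid(3000148) failed, is nsswitch configured?")
LOG_RE = re.compile(r"SID (S-1-5-21(?:-\d+){3})-(\d+) -> getpwuid\((\d+)\) failed")

def parse_gpupdate_failure(line):
    """Return (domain_sid, rid, uid) from an add_local_groups failure, or None."""
    m = LOG_RE.search(line)
    return (m.group(1), int(m.group(2)), int(m.group(3))) if m else None

def machine_signals(entry):
    """List which attributes of an entry point to a computer account."""
    signals = []
    if "computer" in (c.lower() for c in entry.get("objectClass", [])):
        signals.append("objectClass")
    if int(entry.get("userAccountControl", 0)) & (UF_WORKSTATION_TRUST | UF_SERVER_TRUST):
        signals.append("userAccountControl")
    if int(entry.get("primaryGroupID", 0)) in (DOMAIN_COMPUTERS, DOMAIN_CONTROLLERS):
        signals.append("primaryGroupID")
    if entry.get("sAMAccountName", "").endswith("$"):
        signals.append("sAMAccountName")
    return signals

def policy_class(entry):
    """'machine' only on objectClass or trust bits; the '$' suffix and the
    primary group are editable, so they corroborate but do not decide."""
    decisive = {"objectClass", "userAccountControl"}
    return "machine" if decisive & set(machine_signals(entry)) else "user"

# Constructed sample entries (not taken from the thread's domain).
DC = {"sAMAccountName": "DC1$", "primaryGroupID": 516, "userAccountControl": 0x82000,
      "objectClass": ["top", "person", "organizationalPerson", "user", "computer"]}
ALICE = {"sAMAccountName": "alice", "primaryGroupID": 513, "userAccountControl": 512,
         "objectClass": ["top", "person", "organizationalPerson", "user"]}
ODD_USER = dict(ALICE, sAMAccountName="svc$")  # a user whose name merely ends in '$'

if __name__ == "__main__":
    print(parse_gpupdate_failure(LOG_LINE))
    for e in (DC, ALICE, ODD_USER):
        print(e["sAMAccountName"], policy_class(e), machine_signals(e))
```
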

On 3/13/23 10:25 AM, Rowland Penny via samba wrote:
>
> Is '1600' the RID for a computer ?
>
> If it is, I think I understand why the messages are occurring.
>
> On Windows, a computer is just a user, but with an extra objectclass
> and a few other differences, amongst which is the primary group
> (Domain Computers instead of Domain Users) and the username ends in '$'
>
> I could be missing it and the code is very complex (David, you are a
> lot smarter than me), but there doesn't seem to be anything to
> discover that this is a computer and the code is treating it as user.
>
> The fix ? Add code to bail out if you are trying to set a User GPO on
> a Machine.
>

This is actually old code, which I didn't write (and I don't understand it terribly well). Though from looking through the code, I'm pretty sure User vs Machine policies are being handled correctly. It's failing while fetching a security token for the Machine object (and Peter has been having issues when it's fetching the user token). Finding the correct GPOs to apply to Machine or User is done in ads_get_gpo_list_internal().

I am ripping all this out though, and I'll be replacing it soon (I'm in the middle of work on this). Instead of tying into this old library, I'm just communicating with ldap via a SamDB object (in python). So far this seems to be much less prone to error.

--
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com