On 13/03/2023 16:38, David Mulder via samba wrote:
> On 3/13/23 10:25 AM, Rowland Penny via samba wrote:
>>
>> Is '1600' the RID for a computer ?
>>
>> If it is, I think I understand why the messages are occurring.
>>
>> On Windows, a computer is just a user, but with an extra objectclass
>> and a few other differences, amongst which is the primary group
>> (Domain Computers instead of Domain Users) and the username ends in '$'
>>
>> I could be missing it and the code is very complex (David, you are a
>> lot smarter than me), but there doesn't seem to be anything to
>> discover that this is a computer and the code is treating it as user.
>>
>> The fix ? Add code to bail out if you are trying to set a User GPO on
>> a Machine.
>>
> This is actually old code, which I didn't write (and I don't understand
> it terribly well). Though from looking through the code, I'm pretty sure
> User vs Machine policies are being handled correctly. It's failing while
> fetching a security token for the Machine object (and Peter has been
> having issues when it's fetching the user token). Finding the correct
> GPOs to apply to Machine or User is done in ads_get_gpo_list_internal().
>
> I am ripping all this out though, and I'll be replacing it soon (I'm in
> the middle of work on this). Instead of tying into this old library, I'm
> just communicating with ldap via a SamDB object (in python). So far this
> seems to be much less prone to error.
>
Glad it isn't just myself having problems understanding that code, it is
horrible :-D
If it is a machine, why is it trying to look up a uid ? I traced where
the error message is coming from, but couldn't understand what was
calling it, perhaps if I spent a morning, I could track this down, but
probably not worth it, if the code is going.
Rowland