On 14-03-2023 at 11:05, Rowland Penny via samba wrote:
>
>
> On 14/03/2023 09:38, Christian Naumer via samba wrote:
>> On 14.03.23 at 10:31, Kees van Vloten via samba wrote:
>>> I guess the uid is required because a GPO is a file (and something
>>> in LDAP). The file is retrieved from the sysvol share and in order
>>> to deal with file permissions on Linux you get identified on the
>>> filesystem itself with a uid (and gid). In this case it is the
>>> computer-account that retrieves the file, at least that is my
>>> assumption ?
>>
>>
>> That is correct. However, GPOs are normally on a DC and there a
>> computer has a uid (or xid or whatever it is called). That's why a DC
>> does this differently.
>>
>>
>> Regards
>>
>> Christian
>>
>>
>
> From my testing, this is correct, until you try to use a SID with
> getent and then nothing is returned and then you get the error message:
>
> add_local_groups: SID S-1-5-21-2112549936-2540803609-4198596461-1600
> -> getpwuid(3000148) failed, is nsswitch configured?
>
> I get the feeling that if the SID could be changed for the computer
> name or Unix ID, it would work.
>
> Rowland
>

I use rfc2307 and I remember I had to assign uid/gid to computer objects at one point to get rid of different but also similar kind of errors (check ml 14-04-2022), these were the messages:

smbd[15370]: [2022/04/14 14:32:56.556685,  0] ../../source3/auth/auth_util.c:1928(check_account)
smbd[15370]:   check_account: Failed to convert SID S-1-5-21-3042323961-424325435-1432587418-1234 to a UID (dom_user[SAMDOM\computer01$])

On 14/03/2023 10:16, Kees van Vloten via samba wrote:
>
> I use rfc2307 and I remember I had to assign uid/gid to computer objects
> at one point to get rid of different but also similar kind of errors
> (check ml 14-04-2022), these were the messages:
>
> smbd[15370]: [2022/04/14 14:32:56.556685,  0]
> ../../source3/auth/auth_util.c:1928(check_account)
> smbd[15370]:   check_account: Failed to convert SID
> S-1-5-21-3042323961-424325435-1432587418-1234 to a UID
> (dom_user[SAMDOM\computer01$])
>
>
>

That is a different message, Samba was trying to map a SID to a uid and failed because there wasn't a uid to map it to, adding a uidNumber attribute fixed that.

What I am saying is, if getent can find a uid or gid, it will return it, but there doesn't seem to be code to map a SID to return the uid to getent.

If you think about it, why would there be code to do this, SIDs are Windows things and until fairly recently, there was no reason for a Unix computer to be a user, in fact, is there a reason now, do GPOs require this ?

Rowland
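
An added example, not part of the thread and not Samba's own code: a small triage script that tells the two log messages quoted above apart and extracts the SID, RID and, where present, the account name or Unix ID. The sample log text is constructed from the messages in the thread; the function name `triage` and the result field names are hypothetical.

```python
import re

# Constructed sample: the two messages quoted in the thread, unwrapped to one line each.
SAMPLE_LOG = r"""
smbd[15370]:   check_account: Failed to convert SID S-1-5-21-3042323961-424325435-1432587418-1234 to a UID (dom_user[SAMDOM\computer01$])
add_local_groups: SID S-1-5-21-2112549936-2540803609-4198596461-1600 -> getpwuid(3000148) failed, is nsswitch configured?
"""

# Domain SID (three sub-authorities) followed by the RID.
SID = r"S-1-5-21(?:-\d+){4}"

# No Unix ID could be found for the SID (in the thread, adding uidNumber fixed this).
NO_UID = re.compile(
    rf"check_account: Failed to convert SID ({SID}) to a UID \(dom_user\[([^\]]+)\]\)"
)
# A Unix ID exists for the SID, but the passwd lookup for that ID returned nothing.
NO_PASSWD = re.compile(rf"add_local_groups: SID ({SID}) -> getpwuid\((\d+)\) failed")


def triage(log_text):
    """Return one finding per recognised message, in log order."""
    findings = []
    for line in log_text.splitlines():
        if m := NO_UID.search(line):
            sid, account = m.group(1), m.group(2)
            findings.append({
                "kind": "sid_without_uid",
                "sid": sid,
                "rid": int(sid.rsplit("-", 1)[1]),
                "account": account,
                # Computer accounts carry a trailing '$' in their name.
                "machine_account": account.endswith("$"),
            })
        elif m := NO_PASSWD.search(line):
            sid = m.group(1)
            findings.append({
                "kind": "uid_without_passwd_entry",
                "sid": sid,
                "rid": int(sid.rsplit("-", 1)[1]),
                "uid": int(m.group(2)),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
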