[Samba] winbind: homeDirectory being ignored

steve steve at steve-ss.com
Tue Jun 24 07:32:34 MDT 2014


On Tue, 2014-06-24 at 13:49 +0100, Rowland Penny wrote:
> On 24/06/14 13:41, Brian Candler wrote:
> > Something strange here. User created using:
> >
> > root@dc1:~# samba-tool user add user7 Abcd1234 --uid-number=1007 
> > --home-directory=/home/user7 --login-shell=/bin/bash
> > User 'user7' created successfully
> >
> > I can see the homeDirectory attribute in the entry. But the home 
> > directory that winbind returns is just the template one:
> >
> > root@adclient:~# getent passwd user7
> > user7:*:1007:70001:user7:/home/ADTEST/user7:/bin/bash
> >
> > Here is /etc/samba/smb.conf on the adclient machine:
> >
> > --- 8< ---
> > [global]
> >
> >    #netbios name = adclient
> >    workgroup = ADTEST
> >    security = ADS
> >    realm = ADTEST.INT.EXAMPLE.NET
> >    encrypt passwords = yes
> >    kerberos method = secrets and keytab
> >
> >    idmap config *:backend = tdb
> >    idmap config *:range = 70001-80000
> >    idmap config ADTEST:backend = ad
> >    idmap config ADTEST:schema_mode = rfc2307
> >    idmap config ADTEST:range = 500-40000
> >
> >    winbind nss info = rfc2307
> >    winbind trusted domains only = no
> >    winbind use default domain = yes
> >    winbind enum users  = yes
> >    winbind enum groups = yes
> > --- 8< ---
> >
> > This is based on 
> > https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Set_up_a_basic_smb.conf 
> > (and notice that it includes "winbind nss info = rfc2307")
> >
> > The full LDAP record is below. Both machines are ubuntu 14.04, Samba 
> > 4.1.6.
> >
> > Any ideas what I'm doing wrong?
> >
> > Thanks,
> >
> > Brian.
> >
> > ------------
> > root@dc1:~# ldapsearch -b 
> > CN=user7,CN=users,DC=adtest,DC=int,DC=example,DC=net
> > SASL/GSSAPI authentication started
> > SASL username: user@ADTEST.INT.EXAMPLE.NET
> > SASL SSF: 56
> > SASL data security layer installed.
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <CN=user7,CN=users,DC=adtest,DC=int,DC=example,DC=net> with 
> > scope subtree
> > # filter: (objectclass=*)
> > # requesting: ALL
> > #
> >
> > # user7, Users, adtest.int.example.net
> > dn: CN=user7,CN=Users,DC=adtest,DC=int,DC=example,DC=net
> > cn: user7
> > instanceType: 4
> > whenCreated: 20140624123352.0Z
> > whenChanged: 20140624123352.0Z
> > uSNCreated: 4281
> > name: user7
> > objectGUID:: XX+EJB9AHk+JuLSU5PkJDA==
> > badPwdCount: 0
> > codePage: 0
> > countryCode: 0
> > homeDirectory: /home/user7
> > badPasswordTime: 0
> > lastLogoff: 0
> > lastLogon: 0
> > primaryGroupID: 513
> > objectSid:: AQUAAAAAAAUVAAAAZ5nUF79P8gY2aC90ZAQAAA==
> > accountExpires: 9223372036854775807
> > logonCount: 0
> > sAMAccountName: user7
> > sAMAccountType: 805306368
> > userPrincipalName: user7@adtest.int.example.net
> > objectCategory: 
> > CN=Person,CN=Schema,CN=Configuration,DC=adtest,DC=int,DC=examp
> >  le,DC=net
> > uidNumber: 1007
> > loginShell: /bin/bash
> > objectClass: top
> > objectClass: posixAccount
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: user
> > pwdLastSet: 130480868320000000
> > userAccountControl: 512
> > uSNChanged: 4285
> > distinguishedName: CN=user7,CN=Users,DC=adtest,DC=int,DC=example,DC=net
> >
> > # search result
> > search: 5
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> >
> Your user doesn't have a 'gidNumber'
> winbind seems to need the 'gidNumber' attribute before it extracts all 
> the users info from AD.
> 
> Rowland
Hi
We think the OP wants /home/user7 as his unixHomeDirectory, not his
Windows homeDirectory. In this case you cannot use samba-tool to create
it. But it's easy enough to include it. Simply use ldbedit to add:
unixHomeDirectory: /home/user7
to the dn for user7 and perhaps change his Windows homeDirectory to
something relevant.

In addition to Rowland's remarks of course.
HTH
Steve
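
A check for the two points raised in this thread (the missing gidNumber and the unixHomeDirectory attribute), as an added example that is not part of the original posts: it parses an ldapsearch LDIF entry, unfolding wrapped lines, and lists what an rfc2307 lookup would find missing or outside the idmap range. The function names, the `REQUIRED` list and the trimmed sample entry are assumptions constructed here; the range 500-40000 is the one from the quoted smb.conf.

```python
import re

# rfc2307 attributes discussed in this thread; the list itself is an assumption
REQUIRED = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")

# Constructed sample: a trimmed copy of the user7 entry quoted above
SAMPLE = """\
dn: CN=user7,CN=Users,DC=adtest,DC=int,DC=example,DC=net
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=adtest,DC=int,DC=examp
 le,DC=net
homeDirectory: /home/user7
uidNumber: 1007
loginShell: /bin/bash
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute: [values]}."""
    unfolded = re.sub(r"\r?\n ", "", text)  # LDIF folds long lines as newline + space
    entry = {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            # "attr:: value" marks base64; the value is kept undecoded
            entry.setdefault(name.strip().lower(), []).append(value.lstrip(": ").strip())
    return entry

def check_rfc2307(entry, id_range):
    """List what is missing or out of range for an rfc2307 lookup of this entry."""
    lo, hi = id_range
    problems = [f"missing {a}" for a in REQUIRED if a.lower() not in entry]
    for attr in ("uidNumber", "gidNumber"):
        for v in entry.get(attr.lower(), []):
            if not (v.isdigit() and lo <= int(v) <= hi):
                problems.append(f"{attr} {v} outside idmap range {lo}-{hi}")
    if "homedirectory" in entry and "unixhomedirectory" not in entry:
        problems.append("homeDirectory is the Windows attribute; unixHomeDirectory is not set")
    return problems

if __name__ == "__main__":
    # 500-40000 is the "idmap config ADTEST:range" from the quoted smb.conf
    for problem in check_rfc2307(parse_ldif_entry(SAMPLE), (500, 40000)):
        print(problem)
```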



