[Samba] Discrepancies in getent passwd
Rowland Penny
rowlandpenny at googlemail.com
Thu Oct 23 09:59:07 MDT 2014
On 23/10/14 16:42, John Lewis wrote:
> On 10/23/2014 11:14 AM, Rowland Penny wrote:
>> On 23/10/14 16:01, John Lewis wrote:
>>> On 10/23/2014 10:52 AM, Rowland Penny wrote:
>>>> On 23/10/14 15:45, John Lewis wrote:
>>>>> dictator at keep:~$ getent passwd | grep ldap-connect
>>>>> ldap-connect:*:10000:513:::/usr/sbin/nologin
>>>>> dictator at keep:~$ getent passwd ldap-connect
>>>>> ldap-connect:*:10000:513:::/bin/sh
>>>>>
>>>>>
>>>>> How do I make sure that the shell is always /usr/sbin/nologin for ldap-connect?
>>>> Hi, any chance of a bit more info, OS, what version of samba, smb.conf,
>>>> etc ?
>>>>
>>>> Rowland
>>> dictator at drakeburner:~$ smbclient -V
>>> Version 4.1.11-Debian
>>> dictator at drakeburner:~$ sudo samba -V
>>> Version 4.1.11-Debian
>>> dictator at keep:~$ smbclient -V
>>> Version 3.6.6
>>>
>> Why, oh why, is this like extracting teeth ???
>>
>> You posted dictator at keep, 'dictator' being your user and 'keep' being
>> the hostname of your computer; you have now posted:
>>
>> dictator at drakeburner
>>
>> AND no smb.conf!!!!
>>
>> I take it that you are running an AD DC on 'drakeburner' and 'keep' is a
>> client joined to the domain, but I am just guessing here.
>>
>> If this is the case, then there is, at this time, no way to get the same
>> loginShell on the AD DC server and a client for an individual user.
>>
>> You can get an individual loginShell on clients etc.
>>
>> Rowland
>>
> Sorry, I had to go to a meeting.
>
> The machine keep is a generic client, and drakeburner is the Samba AD DC.
>
> dictator at keep:~$ cat /etc/samba/smb.conf
> # Global parameters
> [global]
> realm = D.OFLAMEO.COM
> workgroup = OFLAMEO
> netbios name = KEEP
> security = ADS
> encrypt passwords = yes
> password server = drakeburner.d.oflameo.com
>
> [demoshare]
> path = /src/samba/test
> read only = no
>
>
> dictator at drakeburner:~$ cat /etc/samba/smb.conf
> # Global parameters
> [global]
> workgroup = OFLAMEO
> realm = D.OFLAMEO.COM
> netbios name = DRAKEBURNER
> server role = active directory domain controller
> dns forwarder = 192.168.2.1
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/d.oflameo.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> I can get the correct login shell to come up when I attempt to log in as
> ldap-connect to the Samba DC drakeburner.
>
Meetings, they used to be the bane of my life, go and talk at length and
decide nothing ;-)
If I run 'getent passwd testuser' on my DC, I get this:
EXAMPLE\testuser:*:10000:10000:Test User:/home/EXAMPLE/testuser:/bin/false
But the same command on a client, gets me this:
testuser:*:10000:10000::/home/testuser:/bin/bash
This is because I use the winbind 'ad' backend on the client; at this
moment in time you cannot use this backend on the AD DC.
To get '/bin/false' for your user everywhere, you will have to add
rfc2307 attributes to the user in AD, probably easiest by using ADUC on
a Windows machine; you do this with the UNIX Attributes tab. Once the
user has the attributes, you will need to change smb.conf on the
clients; have a look here:
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
Rowland
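A small diagnostic for the situation discussed in this thread, added here as an example; it is not code from the thread or from the Samba project. It parses `getent passwd` output captured on two hosts (for instance the AD DC and a domain member), strips the `DOMAIN\` prefix winbind can put on names so the same account matches on both, reports the fields that disagree, and singles out accounts that have a nologin shell in one view but an interactive shell in the other, which is the case for a service account like ldap-connect. The two sample views are constructed from the lines posted above (the uid of testuser is changed so the two accounts do not collide); the function names and the assumption that a DC view carries the `DOMAIN\` prefix are this example's own.

```python
"""Compare passwd entries for the same accounts as seen from two hosts.

Added example for the getent discrepancy discussed in the thread; not
Samba project code. The sample views below are constructed from the
lines posted in the thread (testuser's uid adjusted to avoid a clash).
"""
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")

# Shells that mean "this account must not get an interactive login".
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample: what `getent passwd` might show on the AD DC
# (assumed DOMAIN\ prefix, as in Rowland's DC output) ...
VIEW_DC = r"""
ldap-connect:*:10000:513:::/usr/sbin/nologin
EXAMPLE\testuser:*:10001:10000:Test User:/home/EXAMPLE/testuser:/bin/false
"""

# ... and on a domain member using template defaults for home and shell.
VIEW_CLIENT = r"""
ldap-connect:*:10000:513:::/bin/sh
testuser:*:10001:10000::/home/testuser:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd-format lines into {name: PasswdEntry}.

    Blank lines, comments and lines that are not exactly seven
    colon-separated fields are skipped. A leading DOMAIN\ on the
    account name is removed so both views key on the bare name.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name = fields[0].split("\\")[-1]
        entries[name] = PasswdEntry(name, *fields[1:])
    return entries


def compare_entries(a, b, fields=("uid", "gid", "home", "shell")):
    """Return {name: {field: (value_in_a, value_in_b)}} for accounts that
    appear in both views and differ in any of the listed fields."""
    diffs = {}
    for name in sorted(set(a) & set(b)):
        ea, eb = a[name], b[name]
        changed = {
            f: (getattr(ea, f), getattr(eb, f))
            for f in fields
            if getattr(ea, f) != getattr(eb, f)
        }
        if changed:
            diffs[name] = changed
    return diffs


def shell_downgrades(diffs):
    """Names whose shell is a nologin shell in one view but an
    interactive shell in the other: the account can log in on one of
    the hosts although it was meant not to."""
    bad = []
    for name, changed in diffs.items():
        if "shell" in changed:
            s1, s2 = changed["shell"]
            if (s1 in NOLOGIN_SHELLS) != (s2 in NOLOGIN_SHELLS):
                bad.append(name)
    return bad


if __name__ == "__main__":
    dc, client = parse_passwd(VIEW_DC), parse_passwd(VIEW_CLIENT)
    diffs = compare_entries(dc, client)
    for name, changed in diffs.items():
        for field, (v_dc, v_client) in changed.items():
            print(f"{name}: {field} DC={v_dc!r} client={v_client!r}")
    for name in shell_downgrades(diffs):
        print(f"WARNING: {name} is nologin on one host but interactive on the other")
```

To use it against real hosts, capture `getent passwd` on each machine into a file and feed the two texts to `parse_passwd`; any account listed by `shell_downgrades` is one whose rfc2307 loginShell is missing or is being replaced by the client's template shell.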