[Samba] multi home dir locations

steve steve at steve-ss.com
Thu May 24 11:11:03 MDT 2012

On 05/24/2012 09:44 AM, Collen wrote:
> On 23-5-2012 19:50, steve wrote:
>> On 05/23/2012 07:22 PM, Muhammad Yousuf Khan wrote:
>>> check this.
>>> [ProfileShare]
>>> comment = Roaming Profile Share
>>> path = /nas/users/%D/%U
>>> valid users = %U
>>> read only = No
>>> guest ok = No
>>> browseable = yes
>>> root preexec = /scripts/smbmkdir.sh %D %U
>>> create mask = 4770
>>> directory mask = 4770
>>> store dos attributes = Yes
>>> map archive = No
>>> map system = No
>>> map hidden = No
>>> map readonly = no
>>> <smbmkdir.sh>
>>> #!/bin/bash
>>> # Run by samba as "root preexec = /scripts/smbmkdir.sh %D %U":
>>> # $1 = domain (%D), $2 = user name (%U). Both are quoted so that a
>>> # name containing spaces cannot split the path into several arguments.
>>> if [ ! -e "/nas/users/$1/$2" ]; then
>>> mkdir -p "/nas/users/$1/$2"
>>> chown "$2:admin-grp" "/nas/users/$1/$2"
>>> chmod 4770 "/nas/users/$1/$2"
>>> fi
>>> exit 0
>>> On Wed, May 23, 2012 at 8:28 PM, steve<steve at steve-ss.com> wrote:
>>>> On 05/23/2012 03:56 PM, Collen wrote:
>>>>> Hi all,
>>>>> I've got samba 3.6 joined to an AD domain (s4 in this case)
>>>>> running winbind.
>>>>> All looks ok, but I ran into a problem (for us that is):
>>>>> I've got 2 groups (students and employees)
>>>>> who have their home dirs in 2 different places.
>>>>> /home/students/<user>
>>>>> /home/employ/<user>
>>>> +1
>>>> It's not just you:
>>>> we have s3 connected to an s4 domain and we want e.g.
>>>> /home2/students/year7
>>>> /home2/students/year7/year7a/<student>
>>>> /home2/students/year7/year7b/<student>
>>>> /home2/staff
>>>> /home2/staff<teacher>
>>>> Under winbind we cannot see how to do it. So we have used the new
>>>> nss-pam-ldapd instead and store the unixHomeDirectory in the
>>>> directory. As it's available in both the 2008 and s4 schema it works
>>>> quickly and efficiently. With the homeDirectory [share] and
>>>> unixHomeDirectory being mapped by ldapd it works fine. Just like
>>>> under 2008r2. I really do think we should look into this being
>>>> standard.
>>>> Winbind has done a good job since 2000 but unless it can cope with new
>>>> ideas. . . I'm sure it can. It's just not as easy.
>>>> Please contact us personally for full details.
>>>> Cheers,
>>>> Steve.
>>>> http://linuxcostablanca.blogspot.com.es/p/s4bind.html
>> Thanks that's a good idea, but nope. It doesn't work in winbind:
>> I want a student who has a home directory in
>> /home2/DOMAIN/students/year7/<student-name>
>> and a teacher who has a home directory in:
>> path = /home2/DOMAIN/staff<staff name>
>> I can't do that with winbind.
>> As both unixHomeDirectory and the homeDirectory attributes are available
>> in the 2008r2 and Samba4 schemas, why not simply write the values _you_
>> want into the directory and map it using nss-ldapd? As m$ make it
>> available, surely this is what they intend us to do.
>> Cheers,
>> Steve
> Thx, that was indeed the way I was looking for.
> But how can I make it default?
> That when I add a user it also has the objectclass -> posixaccount??
> In the user manager from Windows AD, I see the unix attributes, but
> can't alter them.
> Also when I look at the users with ldap, I have to add the
> posixaccount objectclass before I can enter a unixhomedir.
> Can I add a default objectclass to the users layer??
> Anyway, thx for putting me on the right track...
> Cheers, Collen

Making it default is the easy bit. Install nss-pam-ldapd (libnss-ldapd 
and libpam-ldapd under Debian).

Here is our config in /etc/nslcd.conf

uid nslcd
gid nslcd
uri ldap://sam4dc.polop.site
base dc=polop,dc=site
map    passwd    uid    samAccountName
map    passwd    homeDirectory    unixHomeDirectory
#map    group    uniqueMember    member
sasl_mech GSSAPI
sasl_realm POLOP.SITE
krb5_ccname /tmp/nslcd.tkt

Most of this is site dependent but the mappings are all that are 
important. The latest version (0.8.4 up) maps group members too, hence 
the commented out line.

We have written scripts to implement this but you can do this from Linux 
using ldbedit to add only the objects and attributes you need.

Here is an example of a user called steve2 (samba-tool user add steve2 
or from ADUC in windows) in the directory to which we have added the 
attributes necessary for nss-ldapd mappings:

dn: CN=steve2,CN=Users,DC=polop,DC=site
cn: steve2
instanceType: 4
whenCreated: 20120508141303.0Z
uSNCreated: 3719
name: steve2
objectGUID: 2e73c14e-976e-431e-830e-863494cc4a1c
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
objectSid: S-1-5-21-1196638036-2541980263-511278767-1105
logonCount: 0
sAMAccountName: steve2
sAMAccountType: 805306368
userPrincipalName: steve2 at polop.site
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=polop,DC=site
pwdLastSet: 129809599830000000
uidNumber: 3000008
unixHomeDirectory: /home2/CACTUS/steve2
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
profilePath: \\sam4dc\profiles\steve2
homeDrive: Z:
homeDirectory: \\sam4dc\home\steve2
memberOf: CN=staff,CN=Users,DC=polop,DC=site
primaryGroupID: 513
gidNumber: 20513
userAccountControl: 66048
accountExpires: 0
whenChanged: 20120518160301.0Z
uSNChanged: 3944
distinguishedName: CN=steve2,CN=Users,DC=polop,DC=site

You can either add the objects and attributes to taste using ldbedit or 
write scripts to add them for you. We have written a suite of well tested 
scripts called 
's4bind' which do all this for you. Remember, if the attributes are 
stored in the directory and mapped by something up to date which 
understands AD, then there can never be any confusion as to uid, gid, 
home directory or whatever. m$ have granted us free access to the posix 
attributes necessary to connect Linux machines to 2008r2 and therefore 
Samba4 AD. Let's use them to our advantage.
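As an added example (not the s4bind scripts or any Samba code), the following builds the LDIF modify record that adds the posixAccount attributes nslcd maps above (uidNumber, gidNumber, unixHomeDirectory, loginShell) to an existing AD user, choosing the Linux home directory from the user's group membership along the lines of the students/staff layout discussed in the thread. The group DNs, directory layouts, gidNumbers and uid range are constructed for illustration; the domain name is passed in.

```python
# Added example, not s4bind or Samba code: generate an LDIF 'changetype: modify'
# that gives an AD user the posixAccount objectClass and the attributes nslcd maps,
# picking unixHomeDirectory from group membership. All rules below are constructed.
from dataclasses import dataclass, field

# constructed: group DN -> (home directory layout, gidNumber), mirroring the thread's layout
HOME_RULES = {
    "CN=year7a,CN=Users,DC=polop,DC=site": ("/home2/{domain}/students/year7/year7a/{uid}", 20001),
    "CN=year7b,CN=Users,DC=polop,DC=site": ("/home2/{domain}/students/year7/year7b/{uid}", 20002),
    "CN=staff,CN=Users,DC=polop,DC=site": ("/home2/{domain}/staff/{uid}", 20513),
}

@dataclass
class AdUser:
    dn: str
    sam_account_name: str
    member_of: list = field(default_factory=list)
    object_class: list = field(default_factory=lambda: ["top", "person", "organizationalPerson", "user"])

def pick_home(user, domain):
    """(unixHomeDirectory, gidNumber) from the first group with a rule, else None."""
    for group in user.member_of:
        if group in HOME_RULES:
            layout, gid = HOME_RULES[group]
            return layout.format(domain=domain, uid=user.sam_account_name), gid
    return None

def next_uid(used, start=3000000):
    """Lowest free uidNumber at or above start, so no two users share a uid."""
    uid = start
    while uid in used:
        uid += 1
    return uid

def posix_ldif(user, domain, used_uids, shell="/bin/bash"):
    """LDIF modify record for ldbmodify/ldapmodify; refuses users already posix-enabled."""
    home = pick_home(user, domain)
    if home is None:
        raise ValueError(f"{user.sam_account_name}: no home directory rule for {user.member_of}")
    if "posixAccount" in user.object_class:
        raise ValueError(f"{user.sam_account_name}: already has posixAccount")
    unix_home, gid = home
    uid_number = next_uid(used_uids)
    used_uids.add(uid_number)  # reserve it before the next user is processed
    attrs = [("objectClass", "posixAccount"), ("uidNumber", uid_number), ("gidNumber", gid),
             ("unixHomeDirectory", unix_home), ("loginShell", shell)]
    body = "".join(f"add: {k}\n{k}: {v}\n-\n" for k, v in attrs)
    return f"dn: {user.dn}\nchangetype: modify\n{body}"
```

The used_uids set should be seeded from the uidNumber values already in the directory so the generated numbers never collide with existing accounts.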
