[Samba] multi home dir locations
steve at steve-ss.com
Thu May 24 11:11:03 MDT 2012
On 05/24/2012 09:44 AM, Collen wrote:
> On 23-5-2012 19:50, steve wrote:
>> On 05/23/2012 07:22 PM, Muhammad Yousuf Khan wrote:
>>> check this.
>>> comment = Roaming Profile Share
>>> path = /nas/users/%D/%U
>>> valid users = %U
>>> read only = No
>>> guest ok = No
>>> browseable = yes
>>> root preexec = /scripts/smbmkdir.sh %D %U
>>> create mask = 4770
>>> directory mask = 4770
>>> store dos attributes = Yes
>>> map archive = No
>>> map system = No
>>> map hidden = No
>>> map readonly = no
>>> # $1 = domain (%D), $2 = user (%U), as passed by root preexec
>>> if [ ! -e "/nas/users/$1/$2" ]; then
>>>     mkdir -p "/nas/users/$1/$2"
>>>     chown "$2":admin-grp "/nas/users/$1/$2"
>>>     chmod 4770 "/nas/users/$1/$2"
>>> fi
>>> exit 0
>>> On Wed, May 23, 2012 at 8:28 PM, steve<steve at steve-ss.com> wrote:
>>>> On 05/23/2012 03:56 PM, Collen wrote:
>>>>> Hi all,
>>>>> i've got samba 3.6 joined to a ad domain (s4 in this case)
>>>>> running winbind
>>>>> all looks ok, but i ran into a problem (for us that is)
>>>>> i've got 2 groups (students and employees)
>>>>> who have their home dirs in 2 different places.
>>>> It's not just you:
>>>> we have s3 connected to an s4 domain and we want e.g.
>>>> Under winbind we cannot see how to do it. So we have used the new
>>>> nss-pam-ldapd instead and store the unixHomeDirectory in the
>>>> directory. As it's available in both the 2008 and s4 schema it works
>>>> quickly and efficiently. With the homeDirectory [share] and
>>>> unixHomeDirectory mapped by ldapd it works fine. Just like under
>>>> 2008r2. I really do think we should look into this being standard.
>>>> Winbind has done a good job since 2000 but unless it can cope with new
>>>> ideas. . . I'm sure it can. It's just not as easy.
>>>> Please contact us personally for full details.
>> Thanks that's a good idea, but nope. It doesn't work in winbind:
>> I want a student who has a home directory in
>> and a teacher who has a home directory in:
>> path = /home2/DOMAIN/staff<staff name>
>> I can't do that with winbind.
>> As both unixHomeDirectory and the homeDirectory attributes are available
>> in the 2008r2 and Samba4 schemas, why not simply write the values _you_
>> want into the directory and map it using nss-ldapd? As m$ make it
>> available, surely this is what they intend us to do.
> Thx that was indeed the way I was looking for.
> but how can i make it default ?
> that when i add a user it also has the objectclass -> posixaccount ??
> in the user manager from windows ad, i see the unix attributes, but
> can't alter them
> also when I look at the users with ldap, i have to add the
> posixaccount objectclass before i can enter a unixhomedir
> can i add a default objectclass to the users layer ??
> anyway, thx for putting me on the right track...
> Cheers, Collen
Making it default is the easy bit. Install nss-pam-ldapd (libnss-ldapd
and libpam-ldapd under Debian).
Here is our config in /etc/nslcd.conf
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
#map group uniqueMember member
Most of this is site dependent but the mappings are all that are
important. The latest version (0.8.4 up) maps group members too hence
the commented out line.
We have written scripts to implement this but you can do this from Linux
using ldbedit to add only the objects and attributes
Here is an example of a user called steve2 (samba-tool user add steve2
or from ADUC in windows) in the directory to which we have added the
attributes necessary for nss-ldapd mappings:
userPrincipalName: steve2 at polop.site
You can either add the objects and attributes to taste using ldbedit or
write scripts to add them for you. We have written a suite of well tested
scripts called
's4bind' which do all this for you. Remember, if the attributes are
stored in the directory and mapped by something up to date which
understands AD, then there can never be any confusion as to uid, gid,
home directory or whatever. m$ have granted us free access to the posix
attributes necessary to connect Linux machines to 2008r2 and therefore
Samba4 AD. Let's use them to our advantage.
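
The root preexec script quoted earlier in this thread runs as root and builds a path from %D and %U, so each argument should be confirmed to be a single safe path component before mkdir and chown run. The following is an added example, not part of the original thread: the function names and the accepted character set are assumptions, while /nas/users, admin-grp and mode 4770 are taken from the quoted script.

```shell
#!/bin/sh
# Added example, not from the thread. /nas/users, admin-grp and mode 4770
# come from the quoted script; function names and the allowed character
# set are assumptions.

# Succeed only if $1 is one safe path component: not empty, not "." or "..",
# no leading "-", and made up solely of letters, digits, ".", "_" and "-".
valid_component() {
    case "$1" in
        ''|.|..|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# profile_path BASE DOMAIN USER: print BASE/DOMAIN/USER, or fail if DOMAIN
# or USER could escape BASE.
profile_path() {
    valid_component "$2" || return 1
    valid_component "$3" || return 1
    printf '%s/%s/%s\n' "$1" "$2" "$3"
}

# make_profile_dir BASE DOMAIN USER [GROUP]: create the directory once.
# chown runs only when GROUP is given.
make_profile_dir() {
    dir=$(profile_path "$1" "$2" "$3") || {
        echo "smbmkdir: rejected domain/user: $2/$3" >&2
        return 1
    }
    if [ -d "$dir" ]; then return 0; fi
    mkdir -p -- "$dir" || return 1
    if [ -n "${4:-}" ]; then
        chown -- "$3:$4" "$dir" || return 1
    fi
    chmod 4770 -- "$dir"
}

# Called by Samba as: root preexec = /scripts/smbmkdir.sh %D %U
if [ "$#" -eq 2 ]; then
    make_profile_dir /nas/users "$1" "$2" admin-grp
fi
```

Names containing characters outside the allowed set (for example the trailing $ on machine accounts) are rejected; widen the pattern deliberately if your site needs them.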