[Samba] winbind: homeDirectory being ignored

Rowland Penny rowlandpenny at googlemail.com
Tue Jun 24 06:49:40 MDT 2014


On 24/06/14 13:41, Brian Candler wrote:
> Something strange here. User created using:
>
> root@dc1:~# samba-tool user add user7 Abcd1234 --uid-number=1007 --home-directory=/home/user7 --login-shell=/bin/bash
> User 'user7' created successfully
>
> I can see the homeDirectory attribute in the entry. But the home 
> directory that winbind returns is just the template one:
>
> root@adclient:~# getent passwd user7
> user7:*:1007:70001:user7:/home/ADTEST/user7:/bin/bash
>
> Here is /etc/samba/smb.conf on the adclient machine:
>
> --- 8< ---
> [global]
>
>    #netbios name = adclient
>    workgroup = ADTEST
>    security = ADS
>    realm = ADTEST.INT.EXAMPLE.NET
>    encrypt passwords = yes
>    kerberos method = secrets and keytab
>
>    idmap config *:backend = tdb
>    idmap config *:range = 70001-80000
>    idmap config ADTEST:backend = ad
>    idmap config ADTEST:schema_mode = rfc2307
>    idmap config ADTEST:range = 500-40000
>
>    winbind nss info = rfc2307
>    winbind trusted domains only = no
>    winbind use default domain = yes
>    winbind enum users  = yes
>    winbind enum groups = yes
> --- 8< ---
>
> This is based on 
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Set_up_a_basic_smb.conf 
> (and notice that it includes "winbind nss info = rfc2307")
>
> The full LDAP record is below. Both machines are ubuntu 14.04, Samba 
> 4.1.6.
>
> Any ideas what I'm doing wrong?
>
> Thanks,
>
> Brian.
>
> ------------
> root@dc1:~# ldapsearch -b CN=user7,CN=users,DC=adtest,DC=int,DC=example,DC=net
> SASL/GSSAPI authentication started
> SASL username: user@ADTEST.INT.EXAMPLE.NET
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <CN=user7,CN=users,DC=adtest,DC=int,DC=example,DC=net> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # user7, Users, adtest.int.example.net
> dn: CN=user7,CN=Users,DC=adtest,DC=int,DC=example,DC=net
> cn: user7
> instanceType: 4
> whenCreated: 20140624123352.0Z
> whenChanged: 20140624123352.0Z
> uSNCreated: 4281
> name: user7
> objectGUID:: XX+EJB9AHk+JuLSU5PkJDA==
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> homeDirectory: /home/user7
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAAZ5nUF79P8gY2aC90ZAQAAA==
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: user7
> sAMAccountType: 805306368
> userPrincipalName: user7@adtest.int.example.net
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=adtest,DC=int,DC=example,DC=net
> uidNumber: 1007
> loginShell: /bin/bash
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> pwdLastSet: 130480868320000000
> userAccountControl: 512
> uSNChanged: 4285
> distinguishedName: CN=user7,CN=Users,DC=adtest,DC=int,DC=example,DC=net
>
> # search result
> search: 5
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
Your user doesn't have a 'gidNumber'.
winbind seems to need the 'gidNumber' attribute before it extracts all
the user's info from AD.

Rowland
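
The check described in this reply, as an added example (not code from the thread or from Samba): it parses an LDIF entry as printed by ldapsearch and reports a missing uidNumber or gidNumber. It goes one step beyond the thread by also flagging IDs outside `idmap config ADTEST:range`, which the idmap ad backend uses as a filter; the function names and the trimmed sample inputs are constructed.

```python
import re

# Constructed inputs, trimmed from the smb.conf and LDIF quoted in the thread.
SMB_CONF = """\
[global]
   idmap config *:range = 70001-80000
   idmap config ADTEST:range = 500-40000
"""
LDIF = """\
dn: CN=user7,CN=Users,DC=adtest,DC=int,DC=example,DC=net
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=adtest,DC=int,DC=examp
 le,DC=net
uidNumber: 1007
"""

def idmap_range(conf, domain):
    """Return (low, high) from 'idmap config DOMAIN:range', or None if unset."""
    m = re.search(rf"^\s*idmap config\s+{re.escape(domain)}\s*:\s*range"
                  r"\s*=\s*(\d+)\s*-\s*(\d+)", conf, re.I | re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None

def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute: [values]}."""
    unfolded = re.sub(r"\r?\n ", "", text)  # a leading space continues the line
    entry = {}
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if not sep or line.startswith("#"):  # skip blanks and LDIF comments
            continue
        if value.startswith(":"):            # '::' marks base64; kept undecoded
            value = value[1:]
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def check_posix_ids(entry, id_range, required=("uidNumber", "gidNumber")):
    """List problems with the RFC2307 ID attributes of one parsed entry."""
    problems = []
    for attr in required:
        values = entry.get(attr.lower())
        if not values:
            problems.append(f"{attr}: missing")
        elif not values[0].isdigit():
            problems.append(f"{attr}: not numeric ({values[0]})")
        elif id_range and not id_range[0] <= int(values[0]) <= id_range[1]:
            problems.append(f"{attr}: {values[0]} outside idmap range "
                            f"{id_range[0]}-{id_range[1]}")
    return problems

print(check_posix_ids(parse_ldif_entry(LDIF), idmap_range(SMB_CONF, "ADTEST")))
```
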

