[Samba] Discrepancies in getent passwd

Rowland Penny rowlandpenny at googlemail.com
Thu Oct 23 09:59:07 MDT 2014


On 23/10/14 16:42, John Lewis wrote:
> On 10/23/2014 11:14 AM, Rowland Penny wrote:
>> On 23/10/14 16:01, John Lewis wrote:
>>> On 10/23/2014 10:52 AM, Rowland Penny wrote:
>>>> On 23/10/14 15:45, John Lewis wrote:
>>>>> dictator at keep:~$ getent passwd | grep ldap-connect
>>>>> ldap-connect:*:10000:513:::/usr/sbin/nologin
>>>>> dictator at keep:~$ getent passwd ldap-connect
>>>>> ldap-connect:*:10000:513:::/bin/sh
>>>>>
>>>>>
>>>>> How do I make it so that the shell is always /usr/sbin/nologin for ldap-connect?
>>>> Hi, any chance of a bit more info, OS, what version of samba, smb.conf,
>>>> etc ?
>>>>
>>>> Rowland
>>> dictator at drakeburner:~$ smbclient -V
>>> Version 4.1.11-Debian
>>> dictator at drakeburner:~$ sudo samba -V
>>> Version 4.1.11-Debian
>>> dictator at keep:~$ smbclient -V
>>> Version 3.6.6
>>>
>> Why, oh why, is this like extracting teeth ???
>>
>> You posted dictator at keep, 'dictator' being your user and 'keep' being
>> the hostname of your computer; you have now posted:
>>
>> dictator at drakeburner
>>
>> AND no smb.conf!!!!
>>
>> I take it that you are running an AD DC on 'drakeburner' and 'keep' is a
>> client joined to the domain, but I am just guessing here.
>>
>> If this is the case, then there is, at this time, no way to get the same
>> loginShell on the AD DC server and a client for an individual user.
>>
>> You can get an individual loginShell on clients etc.
>>
>> Rowland
>>
> Sorry, I had to go to a meeting.
>
> The machine keep is a generic client, and drakeburner is the Samba AD DC.
>
> dictator at keep:~$ cat /etc/samba/smb.conf
> # Global parameters
> [global]
>          realm = D.OFLAMEO.COM
>          workgroup = OFLAMEO
>          netbios name = KEEP
>          security = ADS
>          encrypt passwords = yes
>          password server = drakeburner.d.oflameo.com
>
> [demoshare]
>          path = /src/samba/test
>          read only = no
>
>
> dictator at drakeburner:~$ cat /etc/samba/smb.conf
> # Global parameters
> [global]
>          workgroup = OFLAMEO
>          realm = D.OFLAMEO.COM
>          netbios name = DRAKEBURNER
>          server role = active directory domain controller
>          dns forwarder = 192.168.2.1
>          idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>          path = /var/lib/samba/sysvol/d.oflameo.com/scripts
>          read only = No
>
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
>
> The correct login shell comes up when I attempt to log in as
> ldap-connect to the Samba DC drakeburner.
>
Meetings, they used to be the bane of my life: go and talk at length and
decide nothing ;-)

If I run 'getent passwd testuser' on my DC, I get this:

EXAMPLE\testuser:*:10000:10000:Test User:/home/EXAMPLE/testuser:/bin/false

But the same command on a client, gets me this:

testuser:*:10000:10000::/home/testuser:/bin/bash

This is because I use the winbind 'ad' backend on the client; at this
moment in time you cannot use this backend on the AD DC.

To get '/bin/false' for your user everywhere, you will have to add
rfc2307 attributes to the user in AD, probably easiest by using ADUC on
a Windows machine; you do this with the UNIX Attributes tab. Once the
user has the attributes, you will need to change smb.conf on the
clients; have a look here:

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Rowland
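As an added illustration (not posted in this thread and not the wiki's own text), here is the kind of member-server smb.conf the linked page describes, written for the OFLAMEO domain and the 'keep' host shown above: the 'ad' backend with schema_mode rfc2307 makes winbind read uidNumber, gidNumber and loginShell from AD, and template shell gives the fallback for accounts that carry no loginShell, so a service account is not handed /bin/sh by default. The idmap ranges are assumptions and must cover the uidNumber values set in AD (10000 here).

```ini
# Added example, not from the thread: /etc/samba/smb.conf on the member
# server 'keep' for the OFLAMEO domain. Ranges are assumed values.
[global]
        workgroup = OFLAMEO
        realm = D.OFLAMEO.COM
        netbios name = KEEP
        security = ADS

        # Default backend for BUILTIN and any domain not listed below
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        # Read uidNumber/gidNumber/loginShell/unixHomeDirectory from AD
        # (the UNIX Attributes tab in ADUC); winbind allocates no local IDs.
        idmap config OFLAMEO : backend = ad
        idmap config OFLAMEO : schema_mode = rfc2307
        idmap config OFLAMEO : range = 10000-999999

        # Take shell and home directory from the rfc2307 attributes
        winbind nss info = rfc2307
        # Fallback when an account has no loginShell: deny a shell
        # rather than silently handing out /bin/sh
        template shell = /usr/sbin/nologin
        template homedir = /home/%D/%U
        winbind use default domain = yes
```

After restarting winbind, run `net cache flush` and repeat both 'getent passwd' forms from the first post; they should now agree with the loginShell stored in AD.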

