[Samba] template shell RFC2307 loginShell

Rowland penny rpenny at samba.org
Fri Dec 4 23:00:52 UTC 2015

On 04/12/15 22:43, Jeff Sadowski wrote:
> We use power broker here at work and were wondering why we need it.
> I was able to set up a new linux server using samba and am able to log in
> with my active directory accounts but I couldn't figure out how to set the
> login shells.
> I have a workaround but would like feedback.
> In my /etc/samba/smb.conf I have the following:
>     security = ads
>     realm = DOMAIN.LONG
>     workgroup = DOMAIN
>     idmap config DOMAIN : backend = ad
>     idmap config DOMAIN : range = 1000-999999999
>     #should not get here
>     idmap config * : range = 999999998-999999999
>     idmap config * : backend = rid
>     template homedir = /nfs/homes/%U
>     template shell = /nfs/homes/%U/.default_shell
>     winbind use default domain = yes
>     restrict anonymous = 2

Have you considered reading the Samba wiki?
Your 'idmap config' block should look similar to this:

        # Default idmap config used for BUILTIN and local accounts/groups
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999

        # idmap config for domain DOMAIN
        idmap config DOMAIN:backend = ad
        idmap config DOMAIN:schema_mode = rfc2307
        idmap config DOMAIN:range = 10000-99999

        # Use template settings for login shell and home directory
        winbind nss info = template
        template shell = /nfs/homes/%U/.default_shell
        template homedir = /nfs/homes/%U

Though as you seem to be using uidNumber & gidNumber attributes, you
could store the loginShell and unixHomedir in AD as well.


> allowing users to pick their shell using
> ln -s /bin/bash ~/.default_shell
> or
> ln -s /bin/tcsh ~/.default_shell
> ...
> It will be easy to create the .default_shell for each user using a simple
> script I can run on a machine that has power broker, but I am wondering what
> others have done to allow users to pick their shell using samba to
> authenticate?
> What are the downsides of doing it the way I did it?
> Is there a way to use the loginShell provided by rfc2307 that I haven't
> found documented in samba?
> I'm using samba version 4.1.6 if that makes a difference. I could probably
> find a way to upgrade if there is support in newer versions.
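As an added check (example code written for this page, not from the thread or from Samba itself): a small parser for the 'idmap config' lines in both blocks above, confirming that the '*' range and the DOMAIN range do not overlap and that the default backend is the one the reply recommends. Both configs are embedded as constructed strings copied from the posts.

```python
import re
from itertools import combinations
# Matches 'idmap config <DOM> : <key> = <value>', tolerating uneven spacing.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

# Constructed input: the idmap lines from the original question.
POSTED_CONF = """
    idmap config DOMAIN : backend = ad
    idmap config DOMAIN : range = 1000-999999999
    #should not get here
    idmap config * : range = 999999998-999999999
    idmap config * :backend      =rid
"""

# Constructed input: the wiki-style block suggested in the reply.
WIKI_STYLE_CONF = """
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config DOMAIN:backend = ad
    idmap config DOMAIN:schema_mode = rfc2307
    idmap config DOMAIN:range = 10000-99999
"""

def parse_idmap(smb_conf):
    """Return {domain: {key: value}} for every 'idmap config' line."""
    cfg = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line.split("#", 1)[0])  # strip trailing comments
        if m:
            dom, key, val = m.groups()
            cfg.setdefault(dom, {})[key.lower()] = val.strip()
    return cfg

def parse_range(text):
    """'lo-hi' -> (lo, hi); rejects an inverted range."""
    lo, hi = (int(x) for x in text.split("-", 1))
    if lo > hi:
        raise ValueError("inverted idmap range: %s" % text)
    return lo, hi

def overlapping_ranges(smb_conf):
    """Pairs of idmap domains whose ID ranges intersect (should be empty)."""
    cfg = parse_idmap(smb_conf)
    ranges = {d: parse_range(v["range"]) for d, v in cfg.items() if "range" in v}
    return [(a, b) for a, b in combinations(sorted(ranges), 2)
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def default_backend(smb_conf):
    # Backend configured for the '*' (BUILTIN/local) idmap domain, if any.
    return parse_idmap(smb_conf).get("*", {}).get("backend")
```

Run against the posted config it reports the '*' range sitting inside the DOMAIN range; the wiki-style block reports none.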
