[Samba] template shell RFC2307 loginShell

Jeff Sadowski jeff.sadowski at gmail.com
Sat Dec 5 02:47:14 UTC 2015

Thank you Rowland for looking at it.
I did read the wiki here https://wiki.samba.org/index.php/Idmap_config_ad;
that is how I got as far as I did, that and the idmap_ad man page. I could
not find how to use the loginShell. Is there a variable I can use for it in
the template or an option to set to use it? loginShell and unixHomedir are
not mentioned on the wiki that I could find. I'm good with the templated
homedir but curious how to use the unixHomedir. It seems that the schema_mode
= rfc2307 is the default as it works fine except for the default shells
which I have the workaround for. I think I will move them out of their home
directories and set them elsewhere, where users will need to ask to change
the shell. I purposefully set rid as the default backend if one does not
exist explicitly for the domain as it worked better for me. What I did with
the default backend should stop the login if the domain isn't explicitly

On Fri, Dec 4, 2015 at 4:00 PM, Rowland penny <rpenny at samba.org> wrote:

> On 04/12/15 22:43, Jeff Sadowski wrote:
>> We use power broker here at work and were wondering why we need it.
>> I was able to set up a new linux server using samba and am able to login
>> with my active directory accounts but I couldn't figure out how to set the
>> login shells.
>> I have a work around but would like feedback
>> in my /etc/samba/smb.conf I have the following
>>     security = ads
>>     realm = DOMAIN.LONG
>>     workgroup = DOMAIN
>>     idmap config DOMAIN : backend = ad
>>     idmap config DOMAIN : range = 1000-999999999
>>     #should not get here
>>     idmap config * : range = 999999998-999999999
>>     idmap config * : backend = rid
>>     template homedir = /nfs/homes/%U
>>     template shell = /nfs/homes/%U/.default_shell
>>     winbind use default domain = yes
>>     restrict anonymous = 2
> Have you considered reading the Samba wiki ?
> Your 'idmap config' block should look similar to this:
>      # Default idmap config used for BUILTIN and local accounts/groups
>        idmap config *:backend = tdb
>        idmap config *:range = 2000-9999
>        # idmap config for domain SAMDOM
>        idmap config DOMAIN:backend = ad
>        idmap config DOMAIN:schema_mode = rfc2307
>        idmap config DOMAIN:range = 10000-99999
>        # Use template settings for login shell and home directory
>        winbind nss info = template
>        template shell = /nfs/homes/%U/.default_shell
>        template homedir = /nfs/homes/%U
> Though as you seem to be using uidNumber & gidNumber attributes, you could
> also store the loginShell and unixHomedir in AD as well.
> Rowland
>> allowing users to pick their shell using
>> ln -s /bin/bash ~/.default_shell
>> or
>> ln -s /bin/tcsh ~/.default_shell
>> ...
>> It will be easy to create the .default_shell for each user using a simple
>> script I can run on a machine that has power broker but I am wondering what
>> others have done to allow users to pick their shell using samba to
>> authenticate?
>> What are the downsides of doing it the way I did it?
>> Is there a way to use the loginShell provided by rfc2307 that I haven't
>> found documented in samba?
>> I'm using samba version 4.1.6 if that makes a difference. I could probably
>> find a way to upgrade if there is support in newer versions.
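An smb.conf fragment added here as an illustration (it is not from either poster) showing the two ways to source the shell that the thread discusses: the templated shell Jeff uses, and reading loginShell and unixHomeDirectory from the user's AD object with `winbind nss info = rfc2307`, which is the option that answers the loginShell question. It assumes the domain DOMAIN / realm DOMAIN.LONG from the thread, users carrying RFC2307 attributes in AD, and that the template values act as a fallback for users without those attributes (check that on your Samba version).

```ini
# Example smb.conf fragment (added illustration, not from either poster).
# Assumes the AD domain "DOMAIN" (realm DOMAIN.LONG) and users that have
# RFC2307 attributes (uidNumber, gidNumber, loginShell, unixHomeDirectory).
[global]
    security = ads
    realm = DOMAIN.LONG
    workgroup = DOMAIN
    winbind use default domain = yes

    # BUILTIN and local accounts: tdb, in a range that does not overlap the domain
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999

    # Domain users: uidNumber/gidNumber are read from AD (RFC2307 schema)
    idmap config DOMAIN : backend = ad
    idmap config DOMAIN : schema_mode = rfc2307
    idmap config DOMAIN : range = 10000-99999

    # Option A (the thread's approach): ignore loginShell/unixHomeDirectory in AD
    # and build shell and home directory from the template lines only.
    #winbind nss info = template
    #template shell = /nfs/homes/%U/.default_shell
    #template homedir = /nfs/homes/%U

    # Option B: take loginShell and unixHomeDirectory from each user's AD object,
    # so only an AD administrator can change a user's shell. The template lines
    # remain as the fallback for objects without those attributes (assumption:
    # verify with "wbinfo -i user" on your version).
    winbind nss info = rfc2307
    template shell = /bin/bash
    template homedir = /nfs/homes/%U
```

After restarting winbind, `getent passwd user` (or `wbinfo -i user`) shows which shell and home directory winbind now returns; a shell path must exist on every host the user logs in to, which is the failure mode of a per-user symlink that is missing or points at a non-existent binary.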
