[Samba] template shell RFC2307 loginShell
Jeff Sadowski
jeff.sadowski at gmail.com
Sat Dec 5 02:48:53 UTC 2015
I see what I missed now: the
winbind nss info = rfc2307
option. Ahhh, I will try that Monday.
On Fri, Dec 4, 2015 at 7:47 PM, Jeff Sadowski <jeff.sadowski at gmail.com>
wrote:
> Thank you Rowland for looking at it.
> I did read the wiki here https://wiki.samba.org/index.php/Idmap_config_ad
> that is how I got as far as I did; that and the idmap_ad man page. I could
> not find how to use the loginShell. Is there a variable I can use for it in
> the template or an option to set to use it? loginShell and unixHomedir are
> not mentioned on the wiki that I could find. I'm good with the templated
> homedir but curious how to use the unixHomedir. It seems that the schema_mode
> = rfc2307 is the default as it works fine except for the default shells
> which I have the workaround for. I think I will move them out of their home
> directories and set them elsewhere, where users will need to ask to change
> the shell. I purposefully set rid as the default backend if one does not
> exist explicitly for the domain, as it worked better for me. What I did with
> the default backend should stop the login if the domain isn't explicitly
> defined.
>
>
>
> On Fri, Dec 4, 2015 at 4:00 PM, Rowland penny <rpenny at samba.org> wrote:
>
>> On 04/12/15 22:43, Jeff Sadowski wrote:
>>
>>> We use power broker here at work and were wondering why we need it.
>>>
>>> I was able to set up a new Linux server using Samba and am able to log in
>>> with my Active Directory accounts, but I couldn't figure out how to set the
>>> login shells.
>>> I have a workaround but would like feedback.
>>> In my /etc/samba/smb.conf I have the following:
>>>
>>> security = ads
>>> realm = DOMAIN.LONG
>>> workgroup = DOMAIN
>>> idmap config DOMAIN : backend = ad
>>> idmap config DOMAIN : range = 1000-999999999
>>> #should not get here
>>> idmap config * : range = 999999998-999999999
>>> idmap config * :backend =rid
>>> template homedir = /nfs/homes/%U
>>> template shell = /nfs/homes/%U/.default_shell
>>> winbind use default domain = yes
>>> restrict anonymous = 2
>>>
>>>
>> Have you considered reading the Samba wiki ?
>> Your 'idmap config' block should look similar to this:
>>
>> # Default idmap config used for BUILTIN and local accounts/groups
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>>
>> # idmap config for domain SAMDOM
>> idmap config DOMAIN:backend = ad
>> idmap config DOMAIN:schema_mode = rfc2307
>> idmap config DOMAIN:range = 10000-99999
>>
>> # Use template settings for login shell and home directory
>> winbind nss info = template
>> template shell = /nfs/homes/%U/.default_shell
>> template homedir = /nfs/homes/%U
>>
>> Though as you seem to be using uidNumber & gidNumber attributes, you
>> could also store the loginShell and unixHomedir in AD as well.
>>
>> Rowland
>>
>>
>>> allowing users to pick their shell using
>>> ln -s /bin/bash ~/.default_shell
>>> or
>>> ln -s /bin/tcsh ~/.default_shell
>>> ...
>>>
>>> It will be easy to create the .default_shell for each user using a simple
>>> script I can run on a machine that has power broker, but I am wondering what
>>> others have done to allow users to pick their shell using Samba to
>>> authenticate?
>>> What are the downsides of doing it the way I did it?
>>>
>>> Is there a way to use the loginShell provided by rfc2307 that I haven't
>>> found documented in Samba?
>>>
>>> I'm using Samba version 4.1.6 if that makes a difference. I could probably
>>> find a way to upgrade if there is support in newer versions.
>>>
>>
>>
>>
>
>
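
An added example, not part of the original thread and not Samba's own code: with `template shell = /nfs/homes/%U/.default_shell` the login shell is whatever each user's link points at, so this sketch audits those links against an allow-list. The function names, the shells-file policy and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit the links behind: template shell = /nfs/homes/%U/.default_shell
# Assumption: a shell is acceptable only if listed in a shells file (/etc/shells style).

# check_default_shell HOME SHELLS_FILE (hypothetical helper)
# returns 0 ok, 1 link missing, 2 not a symlink, 3 target not allowed
check_default_shell() {
    link="$1/.default_shell"
    [ -L "$link" ] || { [ -e "$link" ] && return 2; return 1; }
    target=$(readlink -f "$link" 2>/dev/null) || return 3
    [ -x "$target" ] || return 3
    while IFS= read -r allowed; do
        case "$allowed" in ''|'#'*) continue ;; esac
        # Compare canonical paths so /bin/bash and /usr/bin/bash agree.
        [ "$(readlink -f "$allowed" 2>/dev/null)" = "$target" ] && return 0
    done < "$2"
    return 3
}

# audit_homes BASE SHELLS_FILE: print "user code" for every home that fails.
audit_homes() {
    for home in "$1"/*/; do
        [ -d "$home" ] || continue
        rc=0; check_default_shell "${home%/}" "$2" || rc=$?
        [ "$rc" -eq 0 ] || echo "$(basename "$home") $rc"
    done
}

# Constructed sample: three homes and a shells file under a temp directory.
make_sample_tree() {
    base=$(cd "$(mktemp -d)" && pwd -P)
    mkdir -p "$base/bin" "$base/homes/alice" "$base/homes/bob" "$base/homes/carol"
    printf '#!/bin/sh\n' > "$base/bin/bash"
    cp "$base/bin/bash" "$base/bin/other"
    chmod +x "$base/bin/bash" "$base/bin/other"
    printf '# allowed shells\n%s\n' "$base/bin/bash" > "$base/shells"
    ln -s "$base/bin/bash" "$base/homes/alice/.default_shell"   # listed
    ln -s "$base/bin/other" "$base/homes/bob/.default_shell"    # not listed
    cp "$base/bin/other" "$base/homes/carol/.default_shell"     # regular file
    echo "$base"
}

tree=$(make_sample_tree)
audit_homes "$tree/homes" "$tree/shells"   # prints "bob 3" and "carol 2"
rm -rf "$tree"
```

On a real host the call would be `audit_homes /nfs/homes /etc/shells`, using the home path from the configuration quoted above.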