[Samba] template shell RFC2307 loginShell

Rowland penny rpenny at samba.org
Sat Dec 5 09:34:57 UTC 2015

On 05/12/15 02:47, Jeff Sadowski wrote:
> Thank you Rowland for looking at it.
> I did read the wiki here 
> https://wiki.samba.org/index.php/Idmap_config_ad  that is how I got as 
> far as I did; that and the idmap_ad man page. I could not find how to 
> use the loginShell is there a variable I can use for it in the 
> template or an option to set to use it? loginShell and unixHomedir are 
> not mentioned on the wiki that I could find. I'm good with the 
> templated homedir but curious how to use the unixHomedir. It seems 
> that the schema_mode = rfc2307 is the default as it works fine except 
> for the default shells which I have the workaround for. I think I will 
> move them out of their home directories and set them elsewhere, where 
> users will need to ask to change the shell. I purposefully set rid as 
> the default backend if one does not exist explicitly for the domain as 
> it worked better for me. What I did with the default backend should 
> stop the login if the domain isn't explicitly defined.
> On Fri, Dec 4, 2015 at 4:00 PM, Rowland penny <rpenny at samba.org 
> <mailto:rpenny at samba.org>> wrote:
>     On 04/12/15 22:43, Jeff Sadowski wrote:
>         We use power broker here at work and were wondering why we
>         need it.
>         I was able to setup a new linux server using samba and am able
>         to login
>         with my active directory accounts but I couldn't figure out
>         how to set the
>         login shells.
>         I have a work around but would like feedback
>         in my /etc/samba/smb.conf I have the following
>             security = ads
>             realm = DOMAIN.LONG
>             workgroup = DOMAIN
>             idmap config DOMAIN : backend = ad
>             idmap config DOMAIN : range = 1000-999999999
>             #should not get here
>             idmap config * : range = 999999998-999999999
>             idmap config * : backend = rid
>             template homedir = /nfs/homes/%U
>             template shell = /nfs/homes/%U/.default_shell
>             winbind use default domain = yes
>             restrict anonymous = 2
>     Have you considered reading the Samba wiki ?
>     Your 'idmap config' block should look similar to this:
>          # Default idmap config used for BUILTIN and local accounts/groups
>            idmap config *:backend = tdb
>            idmap config *:range = 2000-9999
>            # idmap config for domain SAMDOM
>            idmap config DOMAIN:backend = ad
>            idmap config DOMAIN:schema_mode = rfc2307
>            idmap config DOMAIN:range = 10000-99999
>            # Use template settings for login shell and home directory
>            winbind nss info = template
>            template shell = /nfs/homes/%U/.default_shell
>            template homedir = /nfs/homes/%U
>     Though as you seem to be using uidNumber & gidNumber attributes,
>     you could also store the loginShell and unixHomedir in AD as well.
>     Rowland
>         allowing users to pick their shell using
>         ln -s /bin/bash ~/.default_shell
>         or
>         ln -s /bin/tcsh ~/.default_shell
>         ...
>         It will be easy to create the .default_shell for each user
>         using a simple
>         script I can run on a machine that has power broker but I am
>         wondering what
>         others have done to allow users to pick their shell using samba to
>         authenticate?
>         What are the downsides of doing it the way I did it?
>         is there a way to use the loginShell provided by rfc2307 that
>         I haven't
>         found documented in samba?
>         I'm using samba version 4.1.6 if that makes a difference. I
>         could probably
>         find a way to upgrade if there is support in newer versions.
>     -- 
>     To unsubscribe from this list go to the following URL and read the
>     instructions: https://lists.samba.org/mailman/options/samba

Samba AD as standard comes with the ability to add RFC2307 attributes to 
a user or group (see here for more info: 
What this means is, if you give a user a uidNumber and at least 'Domain 
Users' a gidNumber, then the user will become visible on a Unix domain 
member (aka Unix workstation).
If you study the list of attributes on the link above, you will find 
that there are more attributes available, amongst them are loginShell 
and homeDirectory. The first is where you can store the user's login 
shell (obviously), but there is a problem with the second: AD already 
has an attribute with the same name to store the user's Windows home 
directory path, so this became unixHomeDirectory and is where you can 
store the user's Unix home directory.
If you require more info on the RFC2307 attributes, please ask.

Now, as for the 'idmap config' block and which to use, this is down to 
the sysadmin (i.e. you) and is based on what you require.
There are several backends available, but only two are regularly used, 
the 'ad' and 'rid' backends. Let's deal with the 'rid' backend first, 
this is used if you don't want (or need) to add RFC2307 attributes to 
AD. Your users & groups will be mapped to a number inside the range you 
set i.e. idmap config SAMDOM:range = 10000-99999. It uses an algorithm 
to create the IDs from the user/group RID and as long as you use the 
same 'idmap config' block on every Unix machine, you will get the same 
Unix ID on every Unix machine. The downside is that you cannot set 
individual homedirs & shells for users and will have to use the template 
lines in smb.conf.

The 'ad' backend is different, it uses the RFC2307 attributes for the 
user/group IDs, this does of course mean that you have to add a 
uidNumber attribute containing a unique number to any users that you 
need to be visible to Unix *and* add a gidNumber to Domain Users at 
least. These numbers must be inside the range you set in smb.conf, any 
numbers outside the range will be ignored.
You can go further with the 'ad' backend, you can add the loginShell 
attribute containing the users shell (/bin/bash for instance), you can 
also add the unixHomeDirectory attribute containing the path to the 
users home directory. To use these, you would also need to have the line 
'winbind nss info = rfc2307' in smb.conf. If you don't want to add these 
further attributes, you can add 'winbind nss info = template' instead 
and also add the template lines.

You need these lines in smb.conf:
idmap config *:backend = tdb
idmap config *:range = 2000-9999

These lines are where Samba will store the mappings for the builtin 
users & groups; without these, it is very unlikely Samba will work.

Again, any questions, please ask.
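The script below is an added example, not code from this thread or from the Samba project. It is a small lint for the 'idmap config' block of an smb.conf that checks the points the reply makes against the posted config: that a 'tdb' (or 'autorid') default backend exists for BUILTIN/local accounts, that no two ranges overlap, that each backend has a usable range, and that 'winbind nss info = rfc2307' is set when the 'ad' backend is expected to deliver loginShell/unixHomeDirectory. The two smb.conf fragments inside it are constructed here (one from the config posted in the question, one from the block in the reply with nss info switched to rfc2307), the function names are mine, and the warning about ranges starting at or below 1000 assumes the stock UID_MIN of 1000 for local accounts.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): lint the idmap config
# block of an smb.conf read on stdin. Prints one line per finding and
# returns 1 if any PROBLEM was found. Assumes local accounts start at
# UID 1000 (UID_MIN in a stock /etc/login.defs).

check_idmap_config() {
    awk '
    {
        line = tolower($0)
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^[#;]/) next          # skip blanks and comments
        eq = index(line, "=")
        if (eq == 0) next
        lhs = substr(line, 1, eq - 1); rhs = substr(line, eq + 1)
        gsub(/[ \t]/, "", lhs); gsub(/[ \t]/, "", rhs)   # "idmapconfigdomain:range"
        if (lhs == "winbindnssinfo") { nssinfo = rhs; next }
        if (sub(/^idmapconfig/, "", lhs) == 0) next
        if (split(lhs, part, ":") != 2) next
        name = part[1]; key = part[2]
        if (key == "backend") backend[name] = rhs
        if (key == "range" && split(rhs, r, "-") == 2) { lo[name] = r[1] + 0; hi[name] = r[2] + 0 }
    }
    END {
        problems = 0
        # The "*" block is where BUILTIN and local SIDs get their IDs (reply: use tdb).
        if (!("*" in backend)) {
            print "PROBLEM: no \"idmap config * : backend\" line for BUILTIN/local accounts"; problems++
        } else if (backend["*"] != "tdb" && backend["*"] != "autorid") {
            print "PROBLEM: default backend is " backend["*"] "; the reply recommends tdb"; problems++
        }
        for (n in backend) if (!(n in lo)) { print "PROBLEM: " n " has a backend but no range"; problems++ }
        for (n in lo) if (lo[n] >= hi[n]) { print "PROBLEM: range of " n " is empty: " lo[n] "-" hi[n]; problems++ }
        # Every domain, and "*", needs its own disjoint range; check each pair once.
        for (a in lo) for (b in lo) if (a < b && lo[a] <= hi[b] && lo[b] <= hi[a]) {
            print "PROBLEM: range of " a " (" lo[a] "-" hi[a] ") overlaps " b " (" lo[b] "-" hi[b] ")"; problems++
        }
        # Assumption: local accounts are allocated from UID 1000 upwards.
        for (n in lo) if (lo[n] <= 1000)
            print "WARN: range of " n " starts at " lo[n] ", inside the local-account UID space"
        # loginShell/unixHomeDirectory are only read with winbind nss info = rfc2307
        # (the smb.conf default is template), so an ad backend without it uses the templates.
        for (n in backend) if (backend[n] == "ad" && nssinfo != "rfc2307")
            print "NOTE: " n " uses the ad backend but winbind nss info is " (nssinfo == "" ? "template (default)" : nssinfo) "; loginShell/unixHomeDirectory from AD will not be used"
        exit (problems > 0)
    }'
}

# Constructed from the config posted in the question (not a file from the thread).
posted_conf() {
    cat <<'EOF'
security = ads
realm = DOMAIN.LONG
workgroup = DOMAIN
idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 1000-999999999
#should not get here
idmap config * : range = 999999998-999999999
idmap config * :backend      =rid
template homedir = /nfs/homes/%U
template shell = /nfs/homes/%U/.default_shell
winbind use default domain = yes
EOF
}

# Constructed from the block in the reply, with nss info switched to rfc2307
# so the loginShell/unixHomeDirectory attributes stored in AD are used.
recommended_conf() {
    cat <<'EOF'
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-99999
winbind nss info = rfc2307
EOF
}

for which in posted_conf recommended_conf; do
    echo "== $which"
    if "$which" | check_idmap_config; then echo "OK"; else echo "FAILED"; fi
done
```

On a real member server run it as `check_idmap_config < /etc/samba/smb.conf`; it only inspects the text, so confirm what winbind actually does with `testparm -s` and `wbinfo -i DOMAIN\\user` (or `getent passwd user`), which will show the shell and home directory that the chosen nss info source produces. For the posted config it reports the 'rid' default backend, the overlap between 1000-999999999 and 999999998-999999999, and the missing 'winbind nss info = rfc2307' that the question about loginShell was really about.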
