[Samba] template shell RFC2307 loginShell

Jeff Sadowski jeff.sadowski at gmail.com
Mon Dec 7 15:42:10 UTC 2015

I finally got to test it and it works OK
something really strange is occurring though

It works good as follows except for groups but I'll look at that latter as
I see others have mentioned some issues with groups
here is my /etc/samba/smb.conf

   security = ads
   realm = DOMAIN.LONG
   workgroup = DOMAIN
   idmap config * : backend = tdb
   idmap config * : range = 900-999
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:range = 1000-99999
   idmap config DOMAIN:schema_mode = rfc2307   winbind nss info = rfc2307
 winbind use default domain = yes
   # so that the users show up in getent
   winbind enum users = Yes
   # doesn't seem to do the same for groups :-/
   winbind enum groups = Yes
   restrict anonymous = 2

What is strange is when I use the ranges like so

   idmap config * : range = 1000-9999
   idmap config DOMAIN:range = 10000-99999

only a small fraction of my users show up when I do a "getent passwd"
they all seem to show up when I do a "wbinfo -u"
and all my users uids are over 10000

when I set it back to

   idmap config * : range = 900-999
   idmap config DOMAIN:range = 1000-99999

I see all my users

So going further I find that when I run "id" as myuser I didn't see all my
groups but if I ran "id myuser" I did see all my users
So I tried

   idmap config * : range = 100000-1099999
   idmap config DOMAIN:range = 0-99999

and now when I run "id" as myuser I see all my group

On Sat, Dec 5, 2015 at 2:34 AM, Rowland penny <rpenny at samba.org> wrote:

> On 05/12/15 02:47, Jeff Sadowski wrote:
>> Thank you Rowland for looking at it.
>> I did read the wiki here https://wiki.samba.org/index.php/Idmap_config_ad
>> that is how I got as far as I did; that and the idmap_ad man page. I could
>> not find how to use the loginShell is there a variable I can use for it in
>> the template or an option to set to use it? loginShell and unixHomedir are
>> not mentioned on the wiki that I could find. I'm good with the templated
>> homedir but curious how to use the unixHomedir. It seems that the
>> schema_mode = rfc2307 is the default as it works fine except for the
>> default shells which I have the workaround for. I think I will move them
>> out of their home directories and set them else ware, where users will need
>> to ask to change the shell. I purposefully set rid as the default backend
>> if one does not exist explicit for the domain as it worked better for me.
>> What I did with the default backend should stop the login if the domain
>> isn't explicitly defined.
>> On Fri, Dec 4, 2015 at 4:00 PM, Rowland penny <rpenny at samba.org <mailto:
>> rpenny at samba.org>> wrote:
>>     On 04/12/15 22:43, Jeff Sadowski wrote:
>>         We use power broker here at work and where wondering why we
>>         need it.
>>         I was able to setup a new linux server using samba and am able
>>         to login
>>         with my active directory accounts but I couldn't figure out
>>         how to set the
>>         login shells.
>>         I have a work around but would like feedback
>>         in my /etc/samba/smb.conf I have the following
>>             security = ads
>>             realm = DOMAIN.LONG
>>             workgroup = DOMAIN
>>             idmap config DOMAIN : backend = ad
>>             idmap config DOMAIN : range = 1000-999999999
>>             #should not get here
>>             idmap config * : range = 999999998-999999999
>>             idmap config * :backend      =rid
>>             template homedir = /nfs/homes/%U
>>             template shell = /nfs/homes/%U/.default_shell
>>             winbind use default domain = yes
>>             restrict anonymous = 2
>>     Have you considered reading the Samba wiki ?
>>     Your 'idmap config' block should look similar to this:
>>          # Default idmap config used for BUILTIN and local accounts/groups
>>            idmap config *:backend = tdb
>>            idmap config *:range = 2000-9999
>>            # idmap config for domain SAMDOM
>>            idmap config DOMAIN:backend = ad
>>            idmap config DOMAIN:schema_mode = rfc2307
>>            idmap config DOMAIN:range = 10000-99999
>>            # Use template settings for login shell and home directory
>>            winbind nss info = template
>>            template shell = /nfs/homes/%U/.default_shell
>>            template homedir = /nfs/homes/%U
>>     Though as you seem to be using uidNumber & gidNumber attributes,
>>     you could also store the loginShell and unixHomedir in AD as well.
>>     Rowland
>>         allowing users to pick their shell using
>>         ln -s /bin/bash ~/.default_shell
>>         or
>>         ln -s /bin/tcsh ~/.default_shell
>>         ...
>>         It will be easy to create the .default shell for each user
>>         using a simple
>>         script I can run on a machine that has power broker but I am
>>         wondering what
>>         others have done to allow users to pick their shell using samba to
>>         authenticate?
>>         What are the downsides of doing it the way I did it?
>>         is there a way to use the loginShell provided by rfc2307 that
>>         I haven't
>>         found documented in samba?
>>         I'm using samba version 4.1.6 if that makes a difference. I
>>         could probably
>>         find a way to upgrade if there is support in newer versions.
>>     --     To unsubscribe from this list go to the following URL and read
>> the
>>     instructions: https://lists.samba.org/mailman/options/samba
> Samba AD as standard comes with the ability to add RFC2307 attributes to a
> user or group (see here for more info:
> https://www.ietf.org/rfc/rfc2307.txt)
> What this means is, if you give a user a uidNumber and at least 'Domain
> Users' a gidNumber, then the user will become visible on a Unix domain
> member (aka Unix workstation).
> If you study the list of attributes on the link above, you will find that
> there are more attributes available, amongst them are loginShell and
> homeDirectory. The first is where you can store the users login shell
> (obviously), but there is a problem with the second, AD already has an
> attribute with the same name to store the users windows home directory
> path, so this became unixHomeDirectory and is where you can store the users
> Unix home directory.
> If you require more info on the RFC2307 attributes, please ask.
> Now, as for the 'idmap config' block and which to use, this is down to the
> sysadmin (i.e. you) and is based on what you require.
> There are several backends available, but only two are regularly used, the
> 'ad' and 'rid' backends. Lets deal with the 'rid' backend first, this is
> used if you don't want (or need) to add RFC2307 attributes to AD. Your
> users & groups will be mapped to a number inside the range you set i.e.
> idmap config SAMDOM:range = 10000-99999. It uses an algorithm to create the
> IDs from the user/group RID and as long as you use the same 'idmap config'
> block on every Unix machine, you will get the same Unix ID on every Unix
> machine. The downside is that you cannot set individual homedirs & shells
> for users and will have to use the template lines in smb.conf.
> The 'ad' backend is different, it uses the RFC2307 attributes for the
> user/group IDs, this does of course mean that you have to add a uidNumber
> attribute containing a unique number to any users that you need to be
> visible to Unix *and* add a gidNumber to Domain Users at least. These
> numbers must be inside the range you set in smb.conf, any numbers outside
> the range will be ignored.
> You can go further with the 'ad' backend, you can add the loginShell
> attribute containing the users shell (/bin/bash for instance), you can also
> add the unixHomeDirectory attribute containing the path to the users home
> directory. To use these, you would also need to have the line 'winbind nss
> info = rfc2307' in smb.conf. If you don't want to add these further
> attributes, you can add 'winbind nss info = template' instead and also add
> the template lines.
> You need these lines in smb.conf:
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> These lines are where Samba will store the mappings for the builtin users
> & groups, without these, it is very unlikely Samba will work correctly.
> Again, any questions, please ask.
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list