[Samba] template shell RFC2307 loginShell

Jeff Sadowski jeff.sadowski at gmail.com
Mon Dec 7 15:42:10 UTC 2015


I finally got to test it and it works OK
something really strange is occurring though

It works well as follows, except for groups, but I'll look at that later as
I see others have mentioned some issues with groups.
here is my /etc/samba/smb.conf

   security = ads
   realm = DOMAIN.LONG
   workgroup = DOMAIN
   idmap config * : backend = tdb
   idmap config * : range = 900-999
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:range = 1000-99999
   idmap config DOMAIN:schema_mode = rfc2307
   winbind nss info = rfc2307
   winbind use default domain = yes
   # so that the users show up in getent
   winbind enum users = Yes
   # doesn't seem to do the same for groups :-/
   winbind enum groups = Yes
   restrict anonymous = 2

What is strange is when I use the ranges like so

   idmap config * : range = 1000-9999
   idmap config DOMAIN:range = 10000-99999

only a small fraction of my users show up when I do a "getent passwd";
they all seem to show up when I do a "wbinfo -u",
and all my users' uids are over 10000.

when I set it back to

   idmap config * : range = 900-999
   idmap config DOMAIN:range = 1000-99999

I see all my users


So going further I found that when I ran "id" as myuser I didn't see all my
groups, but if I ran "id myuser" I did see all my users.
So I tried

   idmap config * : range = 100000-1099999
   idmap config DOMAIN:range = 0-99999

and now when I run "id" as myuser I see all my groups.


On Sat, Dec 5, 2015 at 2:34 AM, Rowland penny <rpenny at samba.org> wrote:

> On 05/12/15 02:47, Jeff Sadowski wrote:
>
>> Thank you Rowland for looking at it.
>> I did read the wiki here https://wiki.samba.org/index.php/Idmap_config_ad
>> that is how I got as far as I did; that and the idmap_ad man page. I could
>> not find how to use the loginShell is there a variable I can use for it in
>> the template or an option to set to use it? loginShell and unixHomedir are
>> not mentioned on the wiki that I could find. I'm good with the templated
>> homedir but curious how to use the unixHomedir. It seems that the
>> schema_mode = rfc2307 is the default as it works fine except for the
>> default shells which I have the workaround for. I think I will move them
>> out of their home directories and set them elsewhere, where users will need
>> to ask to change the shell. I purposefully set rid as the default backend
>> if one does not exist explicitly for the domain, as it worked better for me.
>> What I did with the default backend should stop the login if the domain
>> isn't explicitly defined.
>>
>>
>>
>> On Fri, Dec 4, 2015 at 4:00 PM, Rowland penny <rpenny at samba.org <mailto:
>> rpenny at samba.org>> wrote:
>>
>>     On 04/12/15 22:43, Jeff Sadowski wrote:
>>
>>         We use power broker here at work and were wondering why we
>>         need it.
>>
>>         I was able to setup a new linux server using samba and am able
>>         to login
>>         with my active directory accounts but I couldn't figure out
>>         how to set the
>>         login shells.
>>         I have a workaround but would like feedback.
>>         In my /etc/samba/smb.conf I have the following:
>>
>>             security = ads
>>             realm = DOMAIN.LONG
>>             workgroup = DOMAIN
>>             idmap config DOMAIN : backend = ad
>>             idmap config DOMAIN : range = 1000-999999999
>>             #should not get here
>>             idmap config * : range = 999999998-999999999
>>             idmap config * : backend = rid
>>             template homedir = /nfs/homes/%U
>>             template shell = /nfs/homes/%U/.default_shell
>>             winbind use default domain = yes
>>             restrict anonymous = 2
>>
>>
>>     Have you considered reading the Samba wiki ?
>>     Your 'idmap config' block should look similar to this:
>>
>>          # Default idmap config used for BUILTIN and local accounts/groups
>>            idmap config *:backend = tdb
>>            idmap config *:range = 2000-9999
>>
>>            # idmap config for domain SAMDOM
>>            idmap config DOMAIN:backend = ad
>>            idmap config DOMAIN:schema_mode = rfc2307
>>            idmap config DOMAIN:range = 10000-99999
>>
>>            # Use template settings for login shell and home directory
>>            winbind nss info = template
>>            template shell = /nfs/homes/%U/.default_shell
>>            template homedir = /nfs/homes/%U
>>
>>     Though as you seem to be using uidNumber & gidNumber attributes,
>>     you could also store the loginShell and unixHomedir in AD as well.
>>
>>     Rowland
>>
>>
>>         allowing users to pick their shell using
>>         ln -s /bin/bash ~/.default_shell
>>         or
>>         ln -s /bin/tcsh ~/.default_shell
>>         ...
>>
>>         It will be easy to create the .default shell for each user
>>         using a simple
>>         script I can run on a machine that has power broker but I am
>>         wondering what
>>         others have done to allow users to pick their shell using samba to
>>         authenticate?
>>         What are the downsides of doing it the way I did it?
>>
>>         is there a way to use the loginShell provided by rfc2307 that
>>         I haven't
>>         found documented in samba?
>>
>>         I'm using samba version 4.1.6 if that makes a difference. I
>>         could probably
>>         find a way to upgrade if there is support in newer versions.
>>
>>
>>
>>     --
>>     To unsubscribe from this list go to the following URL and read the
>>     instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>
> Samba AD as standard comes with the ability to add RFC2307 attributes to a
> user or group (see here for more info:
> https://www.ietf.org/rfc/rfc2307.txt)
> What this means is, if you give a user a uidNumber and at least 'Domain
> Users' a gidNumber, then the user will become visible on a Unix domain
> member (aka Unix workstation).
> If you study the list of attributes on the link above, you will find that
> there are more attributes available, amongst them are loginShell and
> homeDirectory. The first is where you can store the user's login shell
> (obviously), but there is a problem with the second: AD already has an
> attribute with the same name to store the user's Windows home directory
> path, so this became unixHomeDirectory and is where you can store the user's
> Unix home directory.
> If you require more info on the RFC2307 attributes, please ask.
>
> Now, as for the 'idmap config' block and which to use, this is down to the
> sysadmin (i.e. you) and is based on what you require.
> There are several backends available, but only two are regularly used, the
> 'ad' and 'rid' backends. Let's deal with the 'rid' backend first; this is
> used if you don't want (or need) to add RFC2307 attributes to AD. Your
> users & groups will be mapped to a number inside the range you set i.e.
> idmap config SAMDOM:range = 10000-99999. It uses an algorithm to create the
> IDs from the user/group RID and as long as you use the same 'idmap config'
> block on every Unix machine, you will get the same Unix ID on every Unix
> machine. The downside is that you cannot set individual homedirs & shells
> for users and will have to use the template lines in smb.conf.
>
> The 'ad' backend is different, it uses the RFC2307 attributes for the
> user/group IDs, this does of course mean that you have to add a uidNumber
> attribute containing a unique number to any users that you need to be
> visible to Unix *and* add a gidNumber to Domain Users at least. These
> numbers must be inside the range you set in smb.conf, any numbers outside
> the range will be ignored.
> You can go further with the 'ad' backend: you can add the loginShell
> attribute containing the user's shell (/bin/bash for instance), and you can also
> add the unixHomeDirectory attribute containing the path to the user's home
> directory. To use these, you would also need to have the line 'winbind nss
> info = rfc2307' in smb.conf. If you don't want to add these further
> attributes, you can add 'winbind nss info = template' instead and also add
> the template lines.
>
> You need these lines in smb.conf:
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> These lines are where Samba will store the mappings for the builtin users
> & groups, without these, it is very unlikely Samba will work correctly.
>
> Again, any questions, please ask.
>
> Rowland
>
>
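An added sanity check for the two range rules Rowland describes (IDs outside the domain's range are ignored, and the '*' and domain ranges must be kept apart); this is example code written for this thread, not part of Samba or of the poster's setup. The smb.conf fragment and the uidNumber/gidNumber entries are constructed to resemble the second layout Jeff tried.

```python
import re

# Constructed smb.conf fragment: the second range layout Jeff tried, with the
# rfc2307 lines Rowland recommends (not copied from any real system).
SMB_CONF = """
   security = ads
   realm = DOMAIN.LONG
   workgroup = DOMAIN
   idmap config * : backend = tdb
   idmap config * : range = 1000-9999
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:schema_mode = rfc2307
   idmap config DOMAIN:range = 10000-99999
   winbind nss info = rfc2307
"""

# Matches 'idmap config <name> : range = <lo>-<hi>', with or without spaces around ':'.
RANGE_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_ranges(conf):
    """Return {idmap name: (lo, hi)} for every idmap range line in the fragment."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def overlapping(ranges):
    """Pairs of idmap names whose ranges intersect; two identities could then share one ID."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def ignored_ids(entries, ranges, domain):
    """Names whose uidNumber/gidNumber lies outside the domain range (winbind ignores them)."""
    lo, hi = ranges[domain]
    return [name for name, number in entries if not lo <= number <= hi]


# Constructed RFC2307 values, as if exported from AD; names and numbers are made up.
USERS = [("alice", 10001), ("bob", 10500), ("svc_backup", 999)]
GROUPS = [("Domain Users", 513), ("linux-admins", 20001)]

if __name__ == "__main__":
    ranges = parse_ranges(SMB_CONF)
    print("ranges:", ranges)
    print("overlapping:", overlapping(ranges))
    print("users outside DOMAIN range:", ignored_ids(USERS, ranges, "DOMAIN"))
    print("groups outside DOMAIN range:", ignored_ids(GROUPS, ranges, "DOMAIN"))
```

Feeding it a real uidNumber/gidNumber export shows which accounts "getent" will never list under a given range layout, which is the symptom described above.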

