[Samba] template shell RFC2307 loginShell

Jeff Sadowski jeff.sadowski at gmail.com
Mon Dec 7 15:59:40 UTC 2015


bad testing for groups.
Working with many systems I found I must have been testing on another
system than what I was configuring.

   idmap config * : range = 100000-1099999
   idmap config DOMAIN:range = 0-99999

worked no different to me from

   idmap config * : range = 900-999
   idmap config DOMAIN:range = 1000-99999

so I will set it back.

On Mon, Dec 7, 2015 at 8:42 AM, Jeff Sadowski <jeff.sadowski at gmail.com>
wrote:

> I finally got to test it and it works OK.
> Something really strange is occurring though.
>
> It works good as follows except for groups but I'll look at that later as
> I see others have mentioned some issues with groups.
> here is my /etc/samba/smb.conf
>
>    security = ads
>    realm = DOMAIN.LONG
>    workgroup = DOMAIN
>    idmap config * : backend = tdb
>    idmap config * : range = 900-999
>    idmap config DOMAIN:backend = ad
>    idmap config DOMAIN:range = 1000-99999
>    idmap config DOMAIN:schema_mode = rfc2307
>    winbind nss info = rfc2307
>    winbind use default domain = yes
>    # so that the users show up in getent
>    winbind enum users = Yes
>    # doesn't seem to do the same for groups :-/
>    winbind enum groups = Yes
>    restrict anonymous = 2
>
> What is strange is when I use the ranges like so
>
>    idmap config * : range = 1000-9999
>    idmap config DOMAIN:range = 10000-99999
>
> only a small fraction of my users show up when I do a "getent passwd"
> they all seem to show up when I do a "wbinfo -u"
> and all my users uids are over 10000
>
> when I set it back to
>
>    idmap config * : range = 900-999
>    idmap config DOMAIN:range = 1000-99999
>
> I see all my users
>
>
> So going further I find that when I run "id" as myuser I didn't see all my
> groups but if I ran "id myuser" I did see all my users
> So I tried
>
>    idmap config * : range = 100000-1099999
>    idmap config DOMAIN:range = 0-99999
>
> and now when I run "id" as myuser I see all my groups
>
>
> On Sat, Dec 5, 2015 at 2:34 AM, Rowland penny <rpenny at samba.org> wrote:
>
>> On 05/12/15 02:47, Jeff Sadowski wrote:
>>
>>> Thank you Rowland for looking at it.
>>> I did read the wiki here
>>> https://wiki.samba.org/index.php/Idmap_config_ad  that is how I got as
>>> far as I did; that and the idmap_ad man page. I could not find how to use
>>> the loginShell is there a variable I can use for it in the template or an
>>> option to set to use it? loginShell and unixHomedir are not mentioned on
>>> the wiki that I could find. I'm good with the templated homedir but curious
>>> how to use the unixHomedir. It seems that the schema_mode = rfc2307 is the
>>> default as it works fine except for the default shells which I have the
>>> workaround for. I think I will move them out of their home directories and
>>> set them elsewhere, where users will need to ask to change the shell. I
>>> purposefully set rid as the default backend if one does not exist explicitly
>>> for the domain as it worked better for me. What I did with the default
>>> backend should stop the login if the domain isn't explicitly defined.
>>>
>>>
>>>
>>> On Fri, Dec 4, 2015 at 4:00 PM, Rowland penny <rpenny at samba.org <mailto:
>>> rpenny at samba.org>> wrote:
>>>
>>>     On 04/12/15 22:43, Jeff Sadowski wrote:
>>>
>>>         We use power broker here at work and were wondering why we
>>>         need it.
>>>
>>>         I was able to setup a new linux server using samba and am able
>>>         to login
>>>         with my active directory accounts but I couldn't figure out
>>>         how to set the
>>>         login shells.
>>>         I have a work around but would like feedback
>>>         in my /etc/samba/smb.conf I have the following
>>>
>>>             security = ads
>>>             realm = DOMAIN.LONG
>>>             workgroup = DOMAIN
>>>             idmap config DOMAIN : backend = ad
>>>             idmap config DOMAIN : range = 1000-999999999
>>>             #should not get here
>>>             idmap config * : range = 999999998-999999999
>>>             idmap config * : backend = rid
>>>             template homedir = /nfs/homes/%U
>>>             template shell = /nfs/homes/%U/.default_shell
>>>             winbind use default domain = yes
>>>             restrict anonymous = 2
>>>
>>>
>>>     Have you considered reading the Samba wiki ?
>>>     Your 'idmap config' block should look similar to this:
>>>
>>>            # Default idmap config used for BUILTIN and local accounts/groups
>>>            idmap config *:backend = tdb
>>>            idmap config *:range = 2000-9999
>>>
>>>            # idmap config for domain SAMDOM
>>>            idmap config DOMAIN:backend = ad
>>>            idmap config DOMAIN:schema_mode = rfc2307
>>>            idmap config DOMAIN:range = 10000-99999
>>>
>>>            # Use template settings for login shell and home directory
>>>            winbind nss info = template
>>>            template shell = /nfs/homes/%U/.default_shell
>>>            template homedir = /nfs/homes/%U
>>>
>>>     Though as you seem to be using uidNumber & gidNumber attributes,
>>>     you could also store the loginShell and unixHomedir in AD as well.
>>>
>>>     Rowland
>>>
>>>
>>>         allowing users to pick their shell using
>>>         ln -s /bin/bash ~/.default_shell
>>>         or
>>>         ln -s /bin/tcsh ~/.default_shell
>>>         ...
>>>
>>>         It will be easy to create the .default shell for each user
>>>         using a simple
>>>         script I can run on a machine that has power broker but I am
>>>         wondering what
>>>         others have done to allow users to pick their shell using samba
>>>         to authenticate?
>>>         What are the downsides of doing it the way I did it?
>>>
>>>         is there a way to use the loginShell provided by rfc2307 that
>>>         I haven't
>>>         found documented in samba?
>>>
>>>         I'm using samba version 4.1.6 if that makes a difference. I
>>>         could probably
>>>         find a way to upgrade if there is support in newer versions.
>>>
>>>
>>>
>>>     --     To unsubscribe from this list go to the following URL and
>>> read the
>>>     instructions: https://lists.samba.org/mailman/options/samba
>>>
>>>
>>>
>> Samba AD as standard comes with the ability to add RFC2307 attributes to
>> a user or group (see here for more info:
>> https://www.ietf.org/rfc/rfc2307.txt)
>> What this means is, if you give a user a uidNumber and at least 'Domain
>> Users' a gidNumber, then the user will become visible on a Unix domain
>> member (aka Unix workstation).
>> If you study the list of attributes on the link above, you will find that
>> there are more attributes available, amongst them are loginShell and
>> homeDirectory. The first is where you can store the user's login shell
>> (obviously), but there is a problem with the second: AD already has an
>> attribute with the same name to store the user's Windows home directory
>> path, so this became unixHomeDirectory and is where you can store the user's
>> Unix home directory.
>> If you require more info on the RFC2307 attributes, please ask.
>>
>> Now, as for the 'idmap config' block and which to use, this is down to
>> the sysadmin (i.e. you) and is based on what you require.
>> There are several backends available, but only two are regularly used,
>> the 'ad' and 'rid' backends. Let's deal with the 'rid' backend first; this
>> is used if you don't want (or need) to add RFC2307 attributes to AD. Your
>> users & groups will be mapped to a number inside the range you set, i.e.
>> idmap config SAMDOM:range = 10000-99999. It uses an algorithm to create the
>> IDs from the user/group RID and as long as you use the same 'idmap config'
>> block on every Unix machine, you will get the same Unix ID on every Unix
>> machine. The downside is that you cannot set individual homedirs & shells
>> for users and will have to use the template lines in smb.conf.
>>
>> The 'ad' backend is different, it uses the RFC2307 attributes for the
>> user/group IDs, this does of course mean that you have to add a uidNumber
>> attribute containing a unique number to any users that you need to be
>> visible to Unix *and* add a gidNumber to Domain Users at least. These
>> numbers must be inside the range you set in smb.conf, any numbers outside
>> the range will be ignored.
>> You can go further with the 'ad' backend: you can add the loginShell
>> attribute containing the user's shell (/bin/bash for instance), and you can also
>> add the unixHomeDirectory attribute containing the path to the user's home
>> directory. To use these, you would also need to have the line 'winbind nss
>> info = rfc2307' in smb.conf. If you don't want to add these further
>> attributes, you can add 'winbind nss info = template' instead and also add
>> the template lines.
>>
>> You need these lines in smb.conf:
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>>
>> These lines are where Samba will store the mappings for the builtin users
>> & groups, without these, it is very unlikely Samba will work correctly.
>>
>> Again, any questions, please ask.
>>
>> Rowland
>>
>>
>
>
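The range rules Rowland lays out above (a default '*' block for BUILTIN/local accounts, non-overlapping per-domain ranges, and with the 'ad' backend only in-range uidNumber values being mapped) as a small checker. This is an added example, not code from the thread or from Samba; the config text and uidNumber values are constructed samples, and the parser only handles the `idmap config` lines, not a full smb.conf.

```python
"""Sanity-check an smb.conf 'idmap config' block (added example, not from the thread):
a '*' block must exist for BUILTIN/local accounts, every domain needs backend + range,
ranges must not overlap, and with backend = ad only in-range uidNumbers are mapped."""
import re

# Accepts 'idmap config DOMAIN:range = ...' as well as 'idmap config * : range = ...'
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(\S+)", re.I)

def parse_idmap(conf_text):
    """Return {domain: {key: value}} for every 'idmap config' line in conf_text."""
    cfg = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return cfg

def parse_range(text):
    lo, hi = text.split("-", 1)
    return int(lo), int(hi)

def check_idmap(cfg):
    """Return a list of problems with the idmap block (empty means it looks sane)."""
    problems = []
    if "*" not in cfg:
        problems.append("no 'idmap config *' block for BUILTIN/local accounts")
    ranges = {}
    for dom, keys in cfg.items():
        if "backend" not in keys:
            problems.append(f"{dom}: no backend")
        if "range" not in keys:
            problems.append(f"{dom}: no range")
        else:
            ranges[dom] = parse_range(keys["range"])
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (lo_a, hi_a), (lo_b, hi_b) = ranges[a], ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems

def visible_users(cfg, domain, users):
    """With backend = ad, only users whose uidNumber is inside the domain range show up."""
    lo, hi = parse_range(cfg[domain]["range"])
    return [name for name, uid in users.items() if lo <= uid <= hi]
# Constructed sample in the wiki layout quoted in the thread; 'bob' falls outside DOMAIN's range.
SAMPLE_CONF = "idmap config * : backend = tdb\nidmap config * : range = 2000-9999\n" \
              "idmap config DOMAIN:backend = ad\nidmap config DOMAIN:range = 10000-99999\n"
SAMPLE_USERS = {"alice": 10001, "bob": 5000, "carol": 99999}
```

Running `visible_users(parse_idmap(SAMPLE_CONF), "DOMAIN", SAMPLE_USERS)` drops 'bob', which is the same effect as a uidNumber outside the configured range being ignored by winbind.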

