[Samba] template shell RFC2307 loginShell
Jeff Sadowski
jeff.sadowski at gmail.com
Mon Dec 7 18:49:13 UTC 2015
But that doesn't work for me. As I am saying,
if I set it like that I only see 7 domain users with getent passwd.
Experimenting, I see that if I set
idmap config * : range = 2000-7999
idmap config DOMAIN:range = 8000-99999
I see all my users,
which is really odd because all my users have uids above 10000.
What other troubleshooting steps can I take to see why this is acting this
way?
I edit /etc/samba/smb.conf
I run a script with the following
service winbind stop
service samba stop
net cache flush
rm -f /var/lib/samba/*.tdb
rm -f /var/lib/samba/group_mapping.ldb
sleep 1
service samba start
service winbind start
then I do
getent passwd|wc -l
########################
when
idmap config DOMAIN:range = 10000-99999
# getent passwd|wc -l
47
when
idmap config DOMAIN:range = 9000-99999
# getent passwd|wc -l
109
when
idmap config DOMAIN:range = 8000-99999
# getent passwd|wc -l
801
that seems to be as many as I can get
still doesn't add up as
# cat /etc/passwd|wc -l
40
# wbinfo -u|wc -l
798
So I should have 838 users.
But no matter what I set idmap config DOMAIN:range to I don't see any more
than 801 users with getent passwd
On Mon, Dec 7, 2015 at 9:20 AM, Rowland penny <rpenny at samba.org> wrote:
> On 07/12/15 15:42, Jeff Sadowski wrote:
>
>> I finally got to test it and it works OK
>> something really strange is occurring though
>>
>> It works well as follows except for groups but I'll look at that later
>> as I see others have mentioned some issues with groups
>> here is my /etc/samba/smb.conf
>>
>> security = ads
>> realm = DOMAIN.LONG
>> workgroup = DOMAIN
>> idmap config * : backend = tdb
>> idmap config * : range = 900-999
>> idmap config DOMAIN:backend = ad
>> idmap config DOMAIN:range = 1000-99999
>> idmap config DOMAIN:schema_mode = rfc2307
>> winbind nss info = rfc2307
>> winbind use default domain = yes
>> # so that the users show up in getent
>> winbind enum users = Yes
>> # doesn't seem to do the same for groups :-/
>> winbind enum groups = Yes
>> restrict anonymous = 2
>>
>> What is strange is when I use the ranges like so
>>
>> idmap config * : range = 1000-9999
>> idmap config DOMAIN:range = 10000-99999
>>
>> only a small fraction of my users show up when I do a "getent passwd"
>> they all seem to show up when I do a "wbinfo -u"
>> and all my users uids are over 10000
>>
>> when I set it back to
>>
>> idmap config * : range = 900-999
>> idmap config DOMAIN:range = 1000-99999
>>
>> I see all my users
>>
>>
>> So going further I find that when I run "id" as myuser I didn't see all
>> my groups but if I ran "id myuser" I did see all my users
>> So I tried
>>
>> idmap config * : range = 100000-1099999
>> idmap config DOMAIN:range = 0-99999
>>
>> and now when I run "id" as myuser I see all my groups
>>
>
> You posted that you were using Samba version 4.1.6, this usually means
> Ubuntu, in which case: 0-999 is reserved for the system users & groups
> (root etc), 1000 upwards is where you should be putting your local Unix
> users & groups. This means that you shouldn't really use any number under
> '1000' for AD users & groups and you should also leave a small space for
> local users & groups, hence the advice on the wiki is to use '2000-9999'
> for your builtin AD users & groups and to use '10000' upwards for your AD
> users & groups.
>
> This means if you give 'Domain Users' the gidNumber of '10000' and then
> give your users uidNumbers starting from '10000' and use the 'idmap config'
> block from the wiki, you will be able to see all your users & groups via
> getent. Note that 'getent group' will not show anything, but 'getent group
> Domain\ Users' will.
>
> You can start both your user & group IDs from '10000', there is no reason
> to use different ranges.
>
> Using wbinfo to show users works differently to getent. Using 'wbinfo -u'
> to show your users ensures that winbind can connect to AD; you need to use
> getent to make sure that your OS can connect to AD. If getent doesn't show
> your user or group, then the OS will not know about it.
>
> Rowland
>
>
>>
>> On Sat, Dec 5, 2015 at 2:34 AM, Rowland penny <rpenny at samba.org> wrote:
>>
>> On 05/12/15 02:47, Jeff Sadowski wrote:
>>
>> Thank you Rowland for looking at it.
>> I did read the wiki here
>> https://wiki.samba.org/index.php/Idmap_config_ad that is how I
>> got as far as I did; that and the idmap_ad man page. I could
>> not find how to use the loginShell. Is there a variable I can
>> use for it in the template, or an option to set to use it?
>> loginShell and unixHomedir are not mentioned on the wiki that
>> I could find. I'm good with the templated homedir but curious
>> how to use the unixHomedir. It seems that the schema_mode =
>> rfc2307 is the default as it works fine except for the default
>> shells which I have the workaround for. I think I will move
>> them out of their home directories and set them elsewhere,
>> where users will need to ask to change the shell. I
>> purposefully set rid as the default backend if one does not
>> exist explicitly for the domain as it worked better for me. What
>> I did with the default backend should stop the login if the
>> domain isn't explicitly defined.
>>
>>
>>
>> On Fri, Dec 4, 2015 at 4:00 PM, Rowland penny <rpenny at samba.org> wrote:
>>
>> On 04/12/15 22:43, Jeff Sadowski wrote:
>>
>> We use power broker here at work and were wondering why we
>> need it.
>>
>> I was able to setup a new linux server using samba and am able
>> to login with my active directory accounts but I couldn't figure out
>> how to set the login shells.
>> I have a work around but would like feedback.
>> In my /etc/samba/smb.conf I have the following
>>
>> security = ads
>> realm = DOMAIN.LONG
>> workgroup = DOMAIN
>> idmap config DOMAIN : backend = ad
>> idmap config DOMAIN : range = 1000-999999999
>> #should not get here
>> idmap config * : range = 999999998-999999999
>> idmap config * :backend =rid
>> template homedir = /nfs/homes/%U
>> template shell = /nfs/homes/%U/.default_shell
>> winbind use default domain = yes
>> restrict anonymous = 2
>>
>>
>> Have you considered reading the Samba wiki?
>> Your 'idmap config' block should look similar to this:
>>
>> # Default idmap config used for BUILTIN and local accounts/groups
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>>
>> # idmap config for domain SAMDOM
>> idmap config DOMAIN:backend = ad
>> idmap config DOMAIN:schema_mode = rfc2307
>> idmap config DOMAIN:range = 10000-99999
>>
>> # Use template settings for login shell and home directory
>> winbind nss info = template
>> template shell = /nfs/homes/%U/.default_shell
>> template homedir = /nfs/homes/%U
>>
>> Though as you seem to be using uidNumber & gidNumber attributes,
>> you could also store the loginShell and unixHomedir in AD as well.
>>
>> Rowland
>>
>>
>> allowing users to pick their shell using
>> ln -s /bin/bash ~/.default_shell
>> or
>> ln -s /bin/tcsh ~/.default_shell
>> ...
>>
>> It will be easy to create the .default shell for each user using a simple
>> script I can run on a machine that has power broker but I am
>> wondering what others have done to allow users to pick their shell
>> using samba to authenticate?
>> What are the downsides of doing it the way I did it?
>>
>> is there a way to use the loginShell provided by rfc2307 that
>> I haven't found documented in samba?
>>
>> I'm using samba version 4.1.6 if that makes a difference. I
>> could probably find a way to upgrade if there is support in newer
>> versions.
>>
>>
>>
>> -- To unsubscribe from this list go to the following
>> URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>
>> Samba AD as standard comes with the ability to add RFC2307
>> attributes to a user or group (see here for more info:
>> https://www.ietf.org/rfc/rfc2307.txt)
>> What this means is, if you give a user a uidNumber and at least
>> 'Domain Users' a gidNumber, then the user will become visible on a
>> Unix domain member (aka Unix workstation).
>> If you study the list of attributes on the link above, you will
>> find that there are more attributes available, amongst them are
>> loginShell and homeDirectory. The first is where you can store the
>> user's login shell (obviously), but there is a problem with the
>> second, AD already has an attribute with the same name to store
>> the user's Windows home directory path, so this became
>> unixHomeDirectory and is where you can store the user's Unix home
>> directory.
>> If you require more info on the RFC2307 attributes, please ask.
>>
>> Now, as for the 'idmap config' block and which to use, this is
>> down to the sysadmin (i.e. you) and is based on what you require.
>> There are several backends available, but only two are regularly
>> used, the 'ad' and 'rid' backends. Let's deal with the 'rid'
>> backend first, this is used if you don't want (or need) to add
>> RFC2307 attributes to AD. Your users & groups will be mapped to a
>> number inside the range you set i.e. idmap config SAMDOM:range =
>> 10000-99999. It uses an algorithm to create the IDs from the
>> user/group RID and as long as you use the same 'idmap config'
>> block on every Unix machine, you will get the same Unix ID on
>> every Unix machine. The downside is that you cannot set individual
>> homedirs & shells for users and will have to use the template
>> lines in smb.conf.
>>
>> The 'ad' backend is different, it uses the RFC2307 attributes for
>> the user/group IDs, this does of course mean that you have to add
>> a uidNumber attribute containing a unique number to any users that
>> you need to be visible to Unix *and* add a gidNumber to Domain
>> Users at least. These numbers must be inside the range you set in
>> smb.conf, any numbers outside the range will be ignored.
>> You can go further with the 'ad' backend, you can add the
>> loginShell attribute containing the user's shell (/bin/bash for
>> instance), you can also add the unixHomeDirectory attribute
>> containing the path to the user's home directory. To use these, you
>> would also need to have the line 'winbind nss info = rfc2307' in
>> smb.conf. If you don't want to add these further attributes, you
>> can add 'winbind nss info = template' instead and also add the
>> template lines.
>>
>> You need these lines in smb.conf:
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>>
>> These lines are where Samba will store the mappings for the
>> builtin users & groups, without these, it is very unlikely Samba
>> will work correctly.
>>
>> Again, any questions, please ask.
>>
>> Rowland
>>
>>
>>
>>
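A small check for the two rules the thread keeps circling back to: the '*' range and the domain range must not overlap, and a uidNumber that is missing or outside the domain's range is ignored by the 'ad' backend, so the account shows up in 'wbinfo -u' but not in 'getent passwd'. This is an added example, not code from the thread or from Samba; the smb.conf fragment and the (name, uidNumber) list are constructed, and on a real member server the uidNumber values would be pulled from AD (for example with ldapsearch).

```python
import re
from itertools import combinations

# Constructed smb.conf fragment modelled on the wiki-style block quoted in the thread.
SMB_CONF = """\
[global]
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:schema_mode = rfc2307
   idmap config DOMAIN:range = 10000-99999
   winbind nss info = rfc2307
"""

# Constructed (name, uidNumber) pairs as they might be read from AD with ldapsearch;
# None means the user object has no uidNumber attribute at all.
SAMPLE_USERS = [("alice", 10001), ("bob", 10002), ("carol", 9500), ("dave", None)]

RANGE_RE = re.compile(
    r"^\s*idmap config\s+([^\s:]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.IGNORECASE)

def parse_idmap_ranges(conf):
    """Map each idmap domain ('*' included) to its (low, high) ID range."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ranges overlap, which Samba treats as a misconfiguration."""
    pairs = combinations(sorted(ranges.items()), 2)
    return [(a, b) for (a, (alo, ahi)), (b, (blo, bhi)) in pairs
            if alo <= bhi and blo <= ahi]

def invisible_to_getent(ranges, domain, users):
    """Users whose uidNumber is missing or outside the domain's range.

    The 'ad' backend ignores such IDs, so these accounts still appear in
    'wbinfo -u' (which only asks AD) but never in 'getent passwd' (which
    needs a usable Unix ID) - one reason the two counts can differ.
    """
    lo, hi = ranges[domain.upper()]
    return [name for name, uid in users if uid is None or not lo <= uid <= hi]
```

Running the overlap check against the earlier '*' 1000-9999 / DOMAIN 9000-99999 pair from the thread flags that pair as overlapping.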