[Samba] template shell RFC2307 loginShell

Jeff Sadowski jeff.sadowski at gmail.com
Mon Dec 7 18:49:13 UTC 2015

But that doesn't work for me. As I am saying,
if I set it like that I only see 7 domain users with getent passwd.
Experimenting, I see that if I set

 idmap config * : range = 2000-7999
 idmap config DOMAIN:range = 8000-99999

I see all my users.

which is really odd because all my users have uids above 10000

What other troubleshooting steps can I take to see why this is acting this

I edit /etc/samba/smb.conf
I run a script with the following

service winbind stop
service samba stop
net cache flush
rm -f /var/lib/samba/*.tdb
rm -f /var/lib/samba/group_mapping.ldb
sleep 1
service samba start
service winbind start

then I do
getent passwd|wc -l



 idmap config DOMAIN:range = 10000-99999

# getent passwd|wc -l


 idmap config DOMAIN:range = 9000-99999

# getent passwd|wc -l


 idmap config DOMAIN:range = 8000-99999

# getent passwd|wc -l

That seems to be as many as I can get;
it still doesn't add up, as

# cat /etc/passwd|wc -l

# wbinfo -u|wc -l

So I should have 838
But no matter what I set idmap config DOMAIN:range to I don't see any more
than 801 users with getent passwd

On Mon, Dec 7, 2015 at 9:20 AM, Rowland penny <rpenny at samba.org> wrote:

> On 07/12/15 15:42, Jeff Sadowski wrote:
>> I finally got to test it and it works OK
>> something really strange is occurring though
>> It works good as follows except for groups but I'll look at that later
>> as I see others have mentioned some issues with groups
>> here is my /etc/samba/smb.conf
>>    security = ads
>>    realm = DOMAIN.LONG
>>    workgroup = DOMAIN
>>    idmap config * : backend = tdb
>>    idmap config * : range = 900-999
>>    idmap config DOMAIN:backend = ad
>>    idmap config DOMAIN:range = 1000-99999
>>    idmap config DOMAIN:schema_mode = rfc2307
>>    winbind nss info = rfc2307
>>    winbind use default domain = yes
>>    # so that the users show up in getent
>>    winbind enum users = Yes
>>    # doesn't seem to do the same for groups :-/
>>    winbind enum groups = Yes
>>    restrict anonymous = 2
>> What is strange is when I use the ranges like so
>>    idmap config * : range = 1000-9999
>>    idmap config DOMAIN:range = 10000-99999
>> only a small fraction of my users show up when I do a "getent passwd"
>> they all seem to show up when I do a "wbinfo -u"
>> and all my users uids are over 10000
>> when I set it back to
>>    idmap config * : range = 900-999
>>    idmap config DOMAIN:range = 1000-99999
>> I see all my users
>> So going further I find that when I run "id" as myuser I didn't see all
>> my groups but if I ran "id myuser" I did see all my users
>> So I tried
>>    idmap config * : range = 100000-1099999
>>    idmap config DOMAIN:range = 0-99999
>> and now when I run "id" as myuser I see all my groups
> You posted that you were using Samba version 4.1.6; this usually means
> Ubuntu, in which case 0-999 is reserved for the system users & groups
> (root etc.), and 1000 upwards is where you should be putting your local Unix
> users & groups. This means that you shouldn't really use any number under
> '1000' for AD users & groups, and you should also leave a small space for
> local users & groups; hence the advice on the wiki is to use '2000-9999'
> for your builtin AD users & groups and to use '10000' upwards for your AD
> users & groups.
> This means if you give 'Domain Users' the gidNumber of '10000' and then
> give your users uidNumbers starting from '10000' and use the 'idmap config'
> block from the wiki, you will be able to see all your users & groups via
> getent. Note that 'getent group' will not show anything, but 'getent group
> Domain\ Users' will.
> You can start both your user & group IDs from '10000', there is no reason
> to use different ranges.
> Using wbinfo to show users works differently to getent: using 'wbinfo -u'
> to show your users ensures that winbind can connect to AD; you need to use
> getent to make sure that your OS can connect to AD. If getent doesn't show
> your user or group, then the OS will not know about it.
> Rowland
>> On Sat, Dec 5, 2015 at 2:34 AM, Rowland penny <rpenny at samba.org> wrote:
>>     On 05/12/15 02:47, Jeff Sadowski wrote:
>>         Thank you Rowland for looking at it.
>>         I did read the wiki here
>>         https://wiki.samba.org/index.php/Idmap_config_ad that is how I
>>         got as far as I did; that and the idmap_ad man page. I could
>>         not find how to use the loginShell is there a variable I can
>>         use for it in the template or an option to set to use it?
>>         loginShell and unixHomedir are not mentioned on the wiki that
>>         I could find. I'm good with the templated homedir but curious
>>         how to use the unixHomedir. It seems that the schema_mode =
>>         rfc2307 is the default as it works fine except for the default
>>         shells which I have the workaround for. I think I will move
>>         them out of their home directories and set them elsewhere,
>>         where users will need to ask to change the shell. I
>>         purposefully set rid as the default backend if one does not
>>         exist explicit for the domain as it worked better for me. What
>>         I did with the default backend should stop the login if the
>>         domain isn't explicitly defined.
>>         On Fri, Dec 4, 2015 at 4:00 PM, Rowland penny <rpenny at samba.org> wrote:
>>             On 04/12/15 22:43, Jeff Sadowski wrote:
>>                 We use power broker here at work and were wondering why we
>>                 need it.
>>                 I was able to setup a new linux server using samba and am able
>>                 to login with my active directory accounts but I couldn't
>>                 figure out how to set the login shells.
>>                 I have a work around but would like feedback
>>                 in my /etc/samba/smb.conf I have the following
>>                     security = ads
>>                     realm = DOMAIN.LONG
>>                     workgroup = DOMAIN
>>                     idmap config DOMAIN : backend = ad
>>                     idmap config DOMAIN : range = 1000-999999999
>>                     #should not get here
>>                     idmap config * : range = 999999998-999999999
>>                     idmap config * :backend      =rid
>>                     template homedir = /nfs/homes/%U
>>                     template shell = /nfs/homes/%U/.default_shell
>>                     winbind use default domain = yes
>>                     restrict anonymous = 2
>>             Have you considered reading the Samba wiki?
>>             Your 'idmap config' block should look similar to this:
>>                    # Default idmap config used for BUILTIN and local accounts/groups
>>                    idmap config *:backend = tdb
>>                    idmap config *:range = 2000-9999
>>                    # idmap config for domain SAMDOM
>>                    idmap config DOMAIN:backend = ad
>>                    idmap config DOMAIN:schema_mode = rfc2307
>>                    idmap config DOMAIN:range = 10000-99999
>>                    # Use template settings for login shell and home directory
>>                    winbind nss info = template
>>                    template shell = /nfs/homes/%U/.default_shell
>>                    template homedir = /nfs/homes/%U
>>             Though as you seem to be using uidNumber & gidNumber attributes,
>>             you could also store the loginShell and unixHomedir in AD as well.
>>             Rowland
>>                 allowing users to pick their shell using
>>                 ln -s /bin/bash ~/.default_shell
>>                 or
>>                 ln -s /bin/tcsh ~/.default_shell
>>                 ...
>>                 It will be easy to create the .default_shell for each user
>>                 using a simple script I can run on a machine that has power
>>                 broker but I am wondering what others have done to allow
>>                 users to pick their shell using samba to authenticate?
>>                 What are the downsides of doing it the way I did it?
>>                 is there a way to use the loginShell provided by rfc2307 that
>>                 I haven't found documented in samba?
>>                 I'm using samba version 4.1.6 if that makes a difference. I
>>                 could probably find a way to upgrade if there is support in
>>                 newer versions.
>>             --     To unsubscribe from this list go to the following
>>         URL and read the
>>             instructions: https://lists.samba.org/mailman/options/samba
>>     Samba AD as standard comes with the ability to add RFC2307
>>     attributes to a user or group (see here for more info:
>>     https://www.ietf.org/rfc/rfc2307.txt)
>>     What this means is, if you give a user a uidNumber and at least
>>     'Domain Users' a gidNumber, then the user will become visible on a
>>     Unix domain member (aka Unix workstation).
>>     If you study the list of attributes on the link above, you will
>>     find that there are more attributes available, amongst them
>>     loginShell and homeDirectory. The first is where you can store the
>>     user's login shell (obviously), but there is a problem with the
>>     second: AD already has an attribute with the same name to store
>>     the user's Windows home directory path, so this became
>>     unixHomeDirectory and is where you can store the user's Unix home
>>     directory.
>>     If you require more info on the RFC2307 attributes, please ask.
>>     Now, as for the 'idmap config' block and which to use, this is
>>     down to the sysadmin (i.e. you) and is based on what you require.
>>     There are several backends available, but only two are regularly
>>     used, the 'ad' and 'rid' backends. Let's deal with the 'rid'
>>     backend first: this is used if you don't want (or need) to add
>>     RFC2307 attributes to AD. Your users & groups will be mapped to a
>>     number inside the range you set, i.e. idmap config SAMDOM:range =
>>     10000-99999. It uses an algorithm to create the IDs from the
>>     user/group RID and, as long as you use the same 'idmap config'
>>     block on every Unix machine, you will get the same Unix ID on
>>     every Unix machine. The downside is that you cannot set individual
>>     homedirs & shells for users and will have to use the template
>>     lines in smb.conf.
>>     The 'ad' backend is different, it uses the RFC2307 attributes for
>>     the user/group IDs, this does of course mean that you have to add
>>     a uidNumber attribute containing a unique number to any users that
>>     you need to be visible to Unix *and* add a gidNumber to Domain
>>     Users at least. These numbers must be inside the range you set in
>>     smb.conf, any numbers outside the range will be ignored.
>>     You can go further with the 'ad' backend: you can add the
>>     loginShell attribute containing the user's shell (/bin/bash for
>>     instance), and you can also add the unixHomeDirectory attribute
>>     containing the path to the user's home directory. To use these, you
>>     would also need to have the line 'winbind nss info = rfc2307' in
>>     smb.conf. If you don't want to add these further attributes, you
>>     can add 'winbind nss info = template' instead and also add the
>>     template lines.
>>     You need these lines in smb.conf:
>>     idmap config *:backend = tdb
>>     idmap config *:range = 2000-9999
>>     These lines are where Samba will store the mappings for the
>>     builtin users & groups, without these, it is very unlikely Samba
>>     will work correctly.
>>     Again, any questions, please ask.
>>     Rowland

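A small checker, added here as an illustration and not part of this thread or of Samba itself, for the two misconfigurations discussed above: uidNumbers that fall outside the configured 'idmap config DOMAIN:range' (users that 'wbinfo -u' lists but 'getent passwd' never shows, because the ad backend ignores IDs outside the range) and idmap ranges that overlap or dip into the system UID space below 1000. The smb.conf fragments and the uidNumber values are constructed from the examples quoted in the thread.

```python
import re
from itertools import combinations

# Constructed smb.conf fragments (hypothetical), modelled on the idmap lines in the thread.
GOOD_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 1000-9999
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:schema_mode = rfc2307
   idmap config DOMAIN:range = 10000-99999
"""
OVERLAP_CONF = """
   idmap config DOMAIN : range = 1000-999999999
   idmap config * : range = 999999998-999999999
"""
# Constructed uidNumber values as they might be stored in AD for hypothetical users.
AD_UIDS = {"alice": 10001, "bob": 20500, "carol": 9500, "dave": 150000}
RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def parse_ranges(conf):
    """Map each idmap domain ('*' or DOMAIN) to its (low, high) range."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def overlapping(ranges):
    """Domain pairs whose ranges overlap; idmap ranges must be disjoint."""
    return sorted((a, b) for a, b in combinations(sorted(ranges), 2)
                  if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1])

def invisible_users(ranges, uids, domain="DOMAIN"):
    """Users whose uidNumber is outside the domain range: 'wbinfo -u' still lists
    them, but the ad backend ignores the ID, so 'getent passwd' will not."""
    low, high = ranges[domain]
    return sorted(u for u, n in uids.items() if not low <= n <= high)

def lint(conf, uids, domain="DOMAIN"):
    """Findings for a config and the AD uidNumbers its domain range must cover."""
    ranges = parse_ranges(conf)
    findings = [f"ranges overlap: {a} / {b}" for a, b in overlapping(ranges)]
    for dom, (low, _) in ranges.items():
        if low < 1000:
            findings.append(f"{dom} range starts below 1000 (system UID space)")
    for u in invisible_users(ranges, uids, domain):
        findings.append(f"{u}: uidNumber {uids[u]} outside {domain} range")
    return findings
```

Feed it the real smb.conf and a uidNumber list exported from AD to get the names behind the difference between the 'wbinfo -u' and 'getent passwd' counts.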