[Samba] template shell RFC2307 loginShell
Jeff Sadowski
jeff.sadowski at gmail.com
Mon Dec 7 19:13:28 UTC 2015
I had some users with bigger uids then 99999 so I bumped up DOMAIN:range to
idmap config DOMAIN:range = 8000-9999999
# getent passwd|wc -l
806
yeah I got 5 more users
I wrote a simple loop like so
wbinfo -u|while read i; do id $i|cut -d, -f1; done > users_list.txt
puts out some nice errors
id: guest: no such user
id: administrator: no such user
...
I'm going to guess none have the uid variable in ad.
On Mon, Dec 7, 2015 at 11:49 AM, Jeff Sadowski <jeff.sadowski at gmail.com>
wrote:
> But that doesn't work for me. As I am saying
> If I set it like that I only see 7 domain users with getent passwd
> experimenting I see if I set
>
> idmap config * : range = 2000-7999
> idmap config DOMAIN:range = 8000-99999
>
> I see all my users.
>
> which is really odd because all my users have uids above 10000
>
> What other trouble shooting steps can I take to see why this is acting
> this way?
>
> I edit /etc/samba/smb.conf
> I run a script with the following
>
> service winbind stop
> service samba stop
> net cache flush
> rm -f /var/lib/samba/*.tdb
> rm -f /var/lib/samba/group_mapping.ldb
> sleep 1
> service samba start
> service winbind start
>
> then I do
> getent passwd|wc -l
>
> ########################3
>
> when
>
> idmap config DOMAIN:range = 10000-99999
>
> # getent passwd|wc -l
> 47
>
> when
>
> idmap config DOMAIN:range = 9000-99999
>
> # getent passwd|wc -l
> 109
>
> when
>
> idmap config DOMAIN:range = 8000-99999
>
> # getent passwd|wc -l
> 801
>
> that seems to be as many as I can get
> still doesn't add up as
>
> # cat /etc/passwd|wc -l
> 40
>
> # wbinfo -u|wc -l
> 798
>
> So I should have 838
> users.
> But no matter what I set idmap config DOMAIN:range to I don't see any more
> than 801 users with getent passwd
>
>
> On Mon, Dec 7, 2015 at 9:20 AM, Rowland penny <rpenny at samba.org> wrote:
>
>> On 07/12/15 15:42, Jeff Sadowski wrote:
>>
>>> I finally got to test it and it works OK
>>> something really strange is occurring though
>>>
>>> It works good as follows except for groups but I'll look at that latter
>>> as I see others have mentioned some issues with groups
>>> here is my /etc/samba/smb.conf
>>>
>>> security = ads
>>> realm = DOMAIN.LONG
>>> workgroup = DOMAIN
>>> idmap config * : backend = tdb
>>> idmap config * : range = 900-999
>>> idmap config DOMAIN:backend = ad
>>> idmap config DOMAIN:range = 1000-99999
>>> idmap config DOMAIN:schema_mode = rfc2307 winbind nss info =
>>> rfc2307 winbind use default domain = yes
>>> # so that the users show up in getent
>>> winbind enum users = Yes
>>> # doesn't seem to do the same for groups :-/
>>> winbind enum groups = Yes
>>> restrict anonymous = 2
>>>
>>> What is strange is when I use the ranges like so
>>>
>>> idmap config * : range = 1000-9999
>>> idmap config DOMAIN:range = 10000-99999
>>>
>>> only a small fraction of my users show up when I do a "getent passwd"
>>> they all seem to show up when I do a "wbinfo -u"
>>> and all my users uids are over 10000
>>>
>>> when I set it back to
>>>
>>> idmap config * : range = 900-999
>>> idmap config DOMAIN:range = 1000-99999
>>>
>>> I see all my users
>>>
>>>
>>> So going further I find that when I run "id" as myuser I didn't see all
>>> my groups but if I ran "id myuser" I did see all my users
>>> So I tried
>>>
>>> idmap config * : range = 100000-1099999
>>> idmap config DOMAIN:range = 0-99999
>>>
>>> and now when I run "id" as myuser I see all my group
>>>
>>
>> You posted that you were using Samba version 4.1.6, this usually means
>> Ubuntu, in which case: 0-999 is reserved for the system users & groups
>> (root etc), 1000 upwards is where you should be putting your local Unix
>> users & groups. This means that you shouldn't really use any number under a
>> '1000' for AD users & groups and you should also leave a small space for
>> local users & groups, hence the advice on the wiki is to use '2000-9999'
>> for your builtin AD users & groups and to use '10000' upwards for your AD
>> users & groups.
>>
>> This means if you give 'Domain Users' the gidNumber of '10000' and then
>> give your users uidNumbers starting from '10000' and use the 'idmap config'
>> block from the wiki, you will be able to see all your users & groups via
>> getent. Note that 'getent group' will not show anything, but 'getent group
>> Domain\ Users' will.
>>
>> You can start both your user & group IDs from '10000', there is no reason
>> to use different ranges.
>>
>> using wbinfo to show users works differently to getent, using 'wbinfo -u'
>> to show your users ensures that winbind can connect to AD, you need to use
>> getent to make sure that your OS can connect to AD, if getent doesn't show
>> your user or group, then the OS will not know about it.
>>
>> Rowland
>>
>>
>>>
>>> On Sat, Dec 5, 2015 at 2:34 AM, Rowland penny <rpenny at samba.org <mailto:
>>> rpenny at samba.org>> wrote:
>>>
>>> On 05/12/15 02:47, Jeff Sadowski wrote:
>>>
>>> Thank you Rowland for looking at it.
>>> I did read the wiki here
>>> https://wiki.samba.org/index.php/Idmap_config_ad that is how I
>>> got as far as I did; that and the idmap_ad man page. I could
>>> not find how to use the loginShell is there a variable I can
>>> use for it in the template or an option to set to use it?
>>> loginShell and unixHomedir are not mentioned on the wiki that
>>> I could find. I'm good with the templated homedir but curious
>>> how to use the unixHomedir. It seems that the schema_mode =
>>> rfc2307 is the default as it works fine except for the default
>>> shells which I have the workaround for. I think I will move
>>> them out of their home directories and set them else ware,
>>> where users will need to ask to change the shell. I
>>> purposefully set rid as the default backend if one does not
>>> exist explicit for the domain as it worked better for me. What
>>> I did with the default backend should stop the login if the
>>> domain isn't explicitly defined.
>>>
>>>
>>>
>>> On Fri, Dec 4, 2015 at 4:00 PM, Rowland penny
>>> <rpenny at samba.org <mailto:rpenny at samba.org>
>>> <mailto:rpenny at samba.org <mailto:rpenny at samba.org>>> wrote:
>>>
>>> On 04/12/15 22:43, Jeff Sadowski wrote:
>>>
>>> We use power broker here at work and where wondering
>>> why we
>>> need it.
>>>
>>> I was able to setup a new linux server using samba and
>>> am able
>>> to login
>>> with my active directory accounts but I couldn't
>>> figure out
>>> how to set the
>>> login shells.
>>> I have a work around but would like feedback
>>> in my /etc/samba/smb.conf I have the following
>>>
>>> security = ads
>>> realm = DOMAIN.LONG
>>> workgroup = DOMAIN
>>> idmap config DOMAIN : backend = ad
>>> idmap config DOMAIN : range = 1000-999999999
>>> #should not get here
>>> idmap config * : range = 999999998-999999999
>>> idmap config * :backend =rid
>>> template homedir = /nfs/homes/%U
>>> template shell = /nfs/homes/%U/.default_shell
>>> winbind use default domain = yes
>>> restrict anonymous = 2
>>>
>>>
>>> Have you considered reading the Samba wiki ?
>>> Your 'idmap config' block should look similar to this:
>>>
>>> # Default idmap config used for BUILTIN and local
>>> accounts/groups
>>> idmap config *:backend = tdb
>>> idmap config *:range = 2000-9999
>>>
>>> # idmap config for domain SAMDOM
>>> idmap config DOMAIN:backend = ad
>>> idmap config DOMAIN:schema_mode = rfc2307
>>> idmap config DOMAIN:range = 10000-99999
>>>
>>> # Use template settings for login shell and home
>>> directory
>>> winbind nss info = template
>>> template shell = /nfs/homes/%U/.default_shell
>>> template homedir = /nfs/homes/%U
>>>
>>> Though as you seem to be using uidNumber & gidNumber
>>> attributes,
>>> you could also store the loginShell and unixHomedir in AD
>>> as well.
>>>
>>> Rowland
>>>
>>>
>>> allowing users to pick their shell using
>>> ln -s /bin/bash ~/.default_shell
>>> or
>>> ln -s /bin/tcsh ~/.default_shell
>>> ...
>>>
>>> It will be easy to create the .default shell for each
>>> user
>>> using a simple
>>> script I can run on a machine that has power broker
>>> but I am
>>> wondering what
>>> others have done to allow users to pick their shell
>>> using samba to
>>> authenticate?
>>> What are the downsides of doing it the way I did it?
>>>
>>> is there a way to use the loginShell provided by
>>> rfc2307 that
>>> I haven't
>>> found documented in samba?
>>>
>>> I'm using samba version 4.1.6 if that makes a
>>> difference. I
>>> could probably
>>> find a way to upgrade if there is support in newer
>>> versions.
>>>
>>>
>>>
>>> -- To unsubscribe from this list go to the following
>>> URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>>>
>>>
>>> Samba AD as standard comes with the ability to add RFC2307
>>> attributes to a user or group (see here for more info:
>>> https://www.ietf.org/rfc/rfc2307.txt)
>>> What this means is, if you give a user a uidNumber and at least
>>> 'Domain Users' a gidNumber, then the user will become visible on a
>>> Unix domain member (aka Unix workstation).
>>> If you study the list of attributes on the link above, you will
>>> find that there are more attributes available, amongst them are
>>> loginShell and homeDirectory. The first is where you can store the
>>> users login shell (obviously), but there is a problem with the
>>> second, AD already has an attribute with the same name to store
>>> the users windows home directory path, so this became
>>> unixHomeDirectory and is where you can store the users Unix home
>>> directory.
>>> If you require more info on the RFC2307 attributes, please ask.
>>>
>>> Now, as for the 'idmap config' block and which to use, this is
>>> down to the sysadmin (i.e. you) and is based on what you require.
>>> There are several backends available, but only two are regularly
>>> used, the 'ad' and 'rid' backends. Lets deal with the 'rid'
>>> backend first, this is used if you don't want (or need) to add
>>> RFC2307 attributes to AD. Your users & groups will be mapped to a
>>> number inside the range you set i.e. idmap config SAMDOM:range =
>>> 10000-99999. It uses an algorithm to create the IDs from the
>>> user/group RID and as long as you use the same 'idmap config'
>>> block on every Unix machine, you will get the same Unix ID on
>>> every Unix machine. The downside is that you cannot set individual
>>> homedirs & shells for users and will have to use the template
>>> lines in smb.conf.
>>>
>>> The 'ad' backend is different, it uses the RFC2307 attributes for
>>> the user/group IDs, this does of course mean that you have to add
>>> a uidNumber attribute containing a unique number to any users that
>>> you need to be visible to Unix *and* add a gidNumber to Domain
>>> Users at least. These numbers must be inside the range you set in
>>> smb.conf, any numbers outside the range will be ignored.
>>> You can go further with the 'ad' backend, you can add the
>>> loginShell attribute containing the users shell (/bin/bash for
>>> instance), you can also add the unixHomeDirectory attribute
>>> containing the path to the users home directory. To use these, you
>>> would also need to have the line 'winbind nss info = rfc2307' in
>>> smb.conf. If you don't want to add these further attributes, you
>>> can add 'winbind nss info = template' instead and also add the
>>> template lines.
>>>
>>> You need these lines in smb.conf:
>>> idmap config *:backend = tdb
>>> idmap config *:range = 2000-9999
>>>
>>> These lines are where Samba will store the mappings for the
>>> builtin users & groups, without these, it is very unlikely Samba
>>> will work correctly.
>>>
>>> Again, any questions, please ask.
>>>
>>> Rowland
>>>
>>> -- To unsubscribe from this list go to the following URL and
>>> read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>>>
>>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>
>
More information about the samba
mailing list