[Samba] template shell RFC2307 loginShell

Jeff Sadowski jeff.sadowski at gmail.com
Mon Dec 7 19:13:28 UTC 2015


I had some users with bigger uids than 99999 so I bumped up DOMAIN:range to

idmap config DOMAIN:range = 8000-9999999

# getent passwd|wc -l
806

yeah I got 5 more users

I wrote a simple loop like so

wbinfo -u|while read i; do id $i|cut -d, -f1; done > users_list.txt

puts out some nice errors

id: guest: no such user
id: administrator: no such user
...
I'm going to guess none have the uid variable in ad.


On Mon, Dec 7, 2015 at 11:49 AM, Jeff Sadowski <jeff.sadowski at gmail.com>
wrote:

> But that doesn't work for me. As I am saying
> If I set it like that I only see 7 domain users with getent passwd
> experimenting I see if I set
>
>  idmap config * : range = 2000-7999
>  idmap config DOMAIN:range = 8000-99999
>
> I see all my users.
>
> which is really odd because all my users have uids above 10000
>
> What other troubleshooting steps can I take to see why this is acting
> this way?
>
> I edit /etc/samba/smb.conf
> I run a script with the following
>
> service winbind stop
> service samba stop
> net cache flush
> rm -f /var/lib/samba/*.tdb
> rm -f /var/lib/samba/group_mapping.ldb
> sleep 1
> service samba start
> service winbind start
>
> then I do
> getent passwd|wc -l
>
> ########################
>
> when
>
>  idmap config DOMAIN:range = 10000-99999
>
> # getent passwd|wc -l
> 47
>
> when
>
>  idmap config DOMAIN:range = 9000-99999
>
> # getent passwd|wc -l
> 109
>
> when
>
>  idmap config DOMAIN:range = 8000-99999
>
> # getent passwd|wc -l
> 801
>
> that seems to be as many as I can get
> still doesn't add up as
>
> # cat /etc/passwd|wc -l
> 40
>
> # wbinfo -u|wc -l
> 798
>
> So I should have 838
> users.
> But no matter what I set idmap config DOMAIN:range to I don't see any more
> than 801 users with getent passwd
>
>
> On Mon, Dec 7, 2015 at 9:20 AM, Rowland penny <rpenny at samba.org> wrote:
>
>> On 07/12/15 15:42, Jeff Sadowski wrote:
>>
>>> I finally got to test it and it works OK
>>> something really strange is occurring though
>>>
>>> It works good as follows except for groups but I'll look at that later
>>> as I see others have mentioned some issues with groups
>>> here is my /etc/samba/smb.conf
>>>
>>>    security = ads
>>>    realm = DOMAIN.LONG
>>>    workgroup = DOMAIN
>>>    idmap config * : backend = tdb
>>>    idmap config * : range = 900-999
>>>    idmap config DOMAIN:backend = ad
>>>    idmap config DOMAIN:range = 1000-99999
>>>    idmap config DOMAIN:schema_mode = rfc2307
>>>    winbind nss info = rfc2307
>>>    winbind use default domain = yes
>>>    # so that the users show up in getent
>>>    winbind enum users = Yes
>>>    # doesn't seem to do the same for groups :-/
>>>    winbind enum groups = Yes
>>>    restrict anonymous = 2
>>>
>>> What is strange is when I use the ranges like so
>>>
>>>    idmap config * : range = 1000-9999
>>>    idmap config DOMAIN:range = 10000-99999
>>>
>>> only a small fraction of my users show up when I do a "getent passwd"
>>> they all seem to show up when I do a "wbinfo -u"
>>> and all my users uids are over 10000
>>>
>>> when I set it back to
>>>
>>>    idmap config * : range = 900-999
>>>    idmap config DOMAIN:range = 1000-99999
>>>
>>> I see all my users
>>>
>>>
>>> So going further I find that when I run "id" as myuser I didn't see all
>>> my groups but if I ran "id myuser" I did see all my users
>>> So I tried
>>>
>>>    idmap config * : range = 100000-1099999
>>>    idmap config DOMAIN:range = 0-99999
>>>
>>> and now when I run "id" as myuser I see all my group
>>>
>>
>> You posted that you were using Samba version 4.1.6, this usually means
>> Ubuntu, in which case: 0-999 is reserved for the system users & groups
>> (root etc), 1000 upwards is where you should be putting your local Unix
>> users & groups. This means that you shouldn't really use any number under a
>> '1000' for AD users & groups and you should also leave a small space for
>> local users & groups, hence the advice on the wiki is to use '2000-9999'
>> for your builtin AD users & groups and to use '10000' upwards for your AD
>> users & groups.
>>
>> This means if you give 'Domain Users' the gidNumber of '10000' and then
>> give your users uidNumbers starting from '10000' and use the 'idmap config'
>> block from the wiki, you will be able to see all your users & groups via
>> getent. Note that 'getent group' will not show anything, but 'getent group
>> Domain\ Users' will.
>>
>> You can start both your user & group IDs from '10000', there is no reason
>> to use different ranges.
>>
>> using wbinfo to show users works differently to getent, using 'wbinfo -u'
>> to show your users ensures that winbind can connect to AD, you need to use
>> getent to make sure that your OS can connect to AD, if getent doesn't show
>> your user or group, then the OS will not know about it.
>>
>> Rowland
>>
>>
>>>
>>> On Sat, Dec 5, 2015 at 2:34 AM, Rowland penny <rpenny at samba.org> wrote:
>>>
>>>     On 05/12/15 02:47, Jeff Sadowski wrote:
>>>
>>>         Thank you Rowland for looking at it.
>>>         I did read the wiki here
>>>         https://wiki.samba.org/index.php/Idmap_config_ad that is how I
>>>         got as far as I did; that and the idmap_ad man page. I could
>>>         not find how to use the loginShell is there a variable I can
>>>         use for it in the template or an option to set to use it?
>>>         loginShell and unixHomedir are not mentioned on the wiki that
>>>         I could find. I'm good with the templated homedir but curious
>>>         how to use the unixHomedir. It seems that the schema_mode =
>>>         rfc2307 is the default as it works fine except for the default
>>>         shells which I have the workaround for. I think I will move
>>>         them out of their home directories and set them elsewhere,
>>>         where users will need to ask to change the shell. I
>>>         purposefully set rid as the default backend if one does not
>>>         exist explicit for the domain as it worked better for me. What
>>>         I did with the default backend should stop the login if the
>>>         domain isn't explicitly defined.
>>>
>>>
>>>
>>>         On Fri, Dec 4, 2015 at 4:00 PM, Rowland penny
>>>         <rpenny at samba.org> wrote:
>>>
>>>             On 04/12/15 22:43, Jeff Sadowski wrote:
>>>
>>>                 We use power broker here at work and were wondering
>>>                 why we need it.
>>>
>>>                 I was able to setup a new linux server using samba and
>>>                 am able to login with my active directory accounts but
>>>                 I couldn't figure out how to set the login shells.
>>>                 I have a work around but would like feedback
>>>                 in my /etc/samba/smb.conf I have the following
>>>
>>>                     security = ads
>>>                     realm = DOMAIN.LONG
>>>                     workgroup = DOMAIN
>>>                     idmap config DOMAIN : backend = ad
>>>                     idmap config DOMAIN : range = 1000-999999999
>>>                     #should not get here
>>>                     idmap config * : range = 999999998-999999999
>>>                     idmap config * :backend      =rid
>>>                     template homedir = /nfs/homes/%U
>>>                     template shell = /nfs/homes/%U/.default_shell
>>>                     winbind use default domain = yes
>>>                     restrict anonymous = 2
>>>
>>>
>>>             Have you considered reading the Samba wiki ?
>>>             Your 'idmap config' block should look similar to this:
>>>
>>>                    # Default idmap config used for BUILTIN and local accounts/groups
>>>                    idmap config *:backend = tdb
>>>                    idmap config *:range = 2000-9999
>>>
>>>                    # idmap config for domain SAMDOM
>>>                    idmap config DOMAIN:backend = ad
>>>                    idmap config DOMAIN:schema_mode = rfc2307
>>>                    idmap config DOMAIN:range = 10000-99999
>>>
>>>                    # Use template settings for login shell and home directory
>>>                    winbind nss info = template
>>>                    template shell = /nfs/homes/%U/.default_shell
>>>                    template homedir = /nfs/homes/%U
>>>
>>>             Though as you seem to be using uidNumber & gidNumber
>>>             attributes, you could also store the loginShell and
>>>             unixHomedir in AD as well.
>>>
>>>             Rowland
>>>
>>>
>>>                 allowing users to pick their shell using
>>>                 ln -s /bin/bash ~/.default_shell
>>>                 or
>>>                 ln -s /bin/tcsh ~/.default_shell
>>>                 ...
>>>
>>>                 It will be easy to create the .default_shell for each
>>>                 user using a simple script I can run on a machine that
>>>                 has power broker but I am wondering what others have
>>>                 done to allow users to pick their shell using samba to
>>>                 authenticate?
>>>                 What are the downsides of doing it the way I did it?
>>>
>>>                 is there a way to use the loginShell provided by
>>>                 rfc2307 that I haven't found documented in samba?
>>>
>>>                 I'm using samba version 4.1.6 if that makes a
>>>                 difference. I could probably find a way to upgrade if
>>>                 there is support in newer versions.
>>>
>>>
>>>
>>>             --
>>>             To unsubscribe from this list go to the following URL and read the
>>>             instructions: https://lists.samba.org/mailman/options/samba
>>>
>>>
>>>
>>>     Samba AD as standard comes with the ability to add RFC2307
>>>     attributes to a user or group (see here for more info:
>>>     https://www.ietf.org/rfc/rfc2307.txt)
>>>     What this means is, if you give a user a uidNumber and at least
>>>     'Domain Users' a gidNumber, then the user will become visible on a
>>>     Unix domain member (aka Unix workstation).
>>>     If you study the list of attributes on the link above, you will
>>>     find that there are more attributes available, amongst them are
>>>     loginShell and homeDirectory. The first is where you can store the
>>>     users login shell (obviously), but there is a problem with the
>>>     second, AD already has an attribute with the same name to store
>>>     the users windows home directory path, so this became
>>>     unixHomeDirectory and is where you can store the users Unix home
>>>     directory.
>>>     If you require more info on the RFC2307 attributes, please ask.
>>>
>>>     Now, as for the 'idmap config' block and which to use, this is
>>>     down to the sysadmin (i.e. you) and is based on what you require.
>>>     There are several backends available, but only two are regularly
>>>     used, the 'ad' and 'rid' backends. Let's deal with the 'rid'
>>>     backend first, this is used if you don't want (or need) to add
>>>     RFC2307 attributes to AD. Your users & groups will be mapped to a
>>>     number inside the range you set i.e. idmap config SAMDOM:range =
>>>     10000-99999. It uses an algorithm to create the IDs from the
>>>     user/group RID and as long as you use the same 'idmap config'
>>>     block on every Unix machine, you will get the same Unix ID on
>>>     every Unix machine. The downside is that you cannot set individual
>>>     homedirs & shells for users and will have to use the template
>>>     lines in smb.conf.
>>>
>>>     The 'ad' backend is different, it uses the RFC2307 attributes for
>>>     the user/group IDs, this does of course mean that you have to add
>>>     a uidNumber attribute containing a unique number to any users that
>>>     you need to be visible to Unix *and* add a gidNumber to Domain
>>>     Users at least. These numbers must be inside the range you set in
>>>     smb.conf, any numbers outside the range will be ignored.
>>>     You can go further with the 'ad' backend, you can add the
>>>     loginShell attribute containing the users shell (/bin/bash for
>>>     instance), you can also add the unixHomeDirectory attribute
>>>     containing the path to the users home directory. To use these, you
>>>     would also need to have the line 'winbind nss info = rfc2307' in
>>>     smb.conf. If you don't want to add these further attributes, you
>>>     can add 'winbind nss info = template' instead and also add the
>>>     template lines.
>>>
>>>     You need these lines in smb.conf:
>>>     idmap config *:backend = tdb
>>>     idmap config *:range = 2000-9999
>>>
>>>     These lines are where Samba will store the mappings for the
>>>     builtin users & groups, without these, it is very unlikely Samba
>>>     will work correctly.
>>>
>>>     Again, any questions, please ask.
>>>
>>>     Rowland
>>>
>>>
>>>
>>>
>>
>
>

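As an added, self-contained illustration of two points raised in this thread (Rowland's note that with the 'ad' backend any uidNumber outside the configured DOMAIN range is ignored, and the `id: guest: no such user` errors Jeff's loop produced for accounts that carry no uidNumber at all), the script below parses the `idmap config` lines out of an smb.conf fragment, checks the ranges for sanity and overlap between domains, and sorts a list of AD user records into those winbind's 'ad' backend will resolve and those it will not. This is example code written for this page, not from the thread or from Samba itself; the smb.conf fragment and the user records are constructed, and the `audit` function and the other names are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf fragment for the example (not the poster's real file).
SMB_CONF = """
[global]
   security = ads
   realm = DOMAIN.LONG
   workgroup = DOMAIN
   idmap config * : backend = tdb
   idmap config * : range = 2000-7999
   idmap config DOMAIN : backend = ad
   idmap config DOMAIN : schema_mode = rfc2307
   idmap config DOMAIN : range = 8000-99999
"""

# Constructed AD user records: (sAMAccountName, uidNumber or None when the
# RFC2307 attribute is absent). The names and numbers are made up.
AD_USERS: List[Tuple[str, Optional[int]]] = [
    ("alice", 10001),
    ("bob", 99999),
    ("carol", 150000),        # above the DOMAIN range: winbind ignores it
    ("administrator", None),  # no uidNumber: 'id' reports "no such user"
    ("guest", None),
]

# Matches "idmap config <domain> : <key> = <value>", with or without spaces
# around the colon, as both spellings appear in the thread.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect idmap config options per domain; domain upper-cased, keys lower-cased."""
    out: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            out.setdefault(dom, {})[key] = val
    return out


def parse_range(text: str) -> Tuple[int, int]:
    """Turn 'LOW-HIGH' into a (low, high) pair, rejecting an inverted range."""
    lo, hi = (int(x) for x in text.split("-"))
    if lo > hi:
        raise ValueError(f"range low end {lo} is above high end {hi}")
    return lo, hi


def check_ranges(idmap: Dict[str, Dict[str, str]]) -> List[str]:
    """Report missing or inverted ranges and any overlap between two domains' ranges."""
    problems: List[str] = []
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in idmap.items():
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError as exc:
            problems.append(f"{dom}: {exc}")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # intervals intersect
                problems.append(f"{a} range {alo}-{ahi} overlaps {b} range {blo}-{bhi}")
    return problems


def classify_users(users, lo: int, hi: int):
    """Split users into: resolvable, lacking uidNumber, uidNumber outside [lo, hi]."""
    visible, no_uid, out_of_range = [], [], []
    for name, uid in users:
        if uid is None:
            no_uid.append(name)
        elif lo <= uid <= hi:
            visible.append(name)
        else:
            out_of_range.append(name)
    return visible, no_uid, out_of_range


def audit(conf: str, users, domain: str) -> Dict[str, List[str]]:
    """Run the range checks and the user classification for one domain."""
    idmap = parse_idmap(conf)
    problems = check_ranges(idmap)
    lo, hi = parse_range(idmap[domain.upper()]["range"])
    visible, no_uid, out_of_range = classify_users(users, lo, hi)
    return {"problems": problems, "visible": visible,
            "no_uidNumber": no_uid, "outside_range": out_of_range}


if __name__ == "__main__":
    for key, val in audit(SMB_CONF, AD_USERS, "DOMAIN").items():
        print(f"{key}: {val}")
```

Run against a real domain member you would replace `AD_USERS` with the output of an LDAP query for sAMAccountName and uidNumber; the point of the classification is that `wbinfo -u` lists every account winbind can see in AD, while only the `visible` set will ever appear in `getent passwd`, which is the gap Jeff was counting.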
