[Samba] Getent Differences on a DC and a Member Server

Ritter, Marcel (RRZE) marcel.ritter at fau.de
Fri Jul 10 07:05:45 UTC 2015


Hi,

I know there've been some workarounds on this topic, however I'm missing
the reason for winbind to behave differently on a DC and on a member
server (I also had to work around that problem and I'd really like it fixed).

If there's a technical reason for it, it'd be nice to know about it.
If there isn't, then it's just a bug that should be fixed.

Could someone of the development team please comment on this?

Bye,
    Marcel

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Felix Matouschek
Sent: Friday, 3 July 2015 10:31
To: 'David Minard'; samba at lists.samba.org
Subject: Re: [Samba] Getent Differences on a DC and a Member Server

Hi David,

> Just to clarify, is it only the DC that doesn't return desired values of HomeDirectory and Shell?

Yes, it is only the DC that doesn't pull HomeDirectory and Shell via rfc2307 (when using winbindd). Member servers with winbindd do pull the desired values without problems; I have it set up like this and it works without problems.

I have only two ideas to solve your problem: either you don't allow logins from users on the DC or you switch over to sssd on the DC.
I suppose sssd should be suitable to achieve your desired results on the DC.

> that is why I mentioned that I don't have SSSD installed - nor any 
> other nsswitch back to our current LDAP

But you do have winbind in your nsswitch?

Greetings,
Felix

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of David Minard
Sent: Friday, 3 July 2015 03:28
To: samba at lists.samba.org
Subject: Re: [Samba] Getent Differences on a DC and a Member Server

Thank you Felix.
On 02/07/15 16:18, Felix Matouschek wrote:
> Hi David,
>
> I experienced this issue as well, it's currently a limitation of Samba 4.2.2.
> Samba 4.2.2 DCs do not support pulling home directories and login shells from AD via rfc2307.
>
> I solved this issue with the "template homedir" and "template shell" directives.
> You lose some flexibility but at least it works.

     Lack of flexibility is my main problem.  Unfortunately without restructuring how our home directories are set up, I need the flexibility.  I need HomeDirectories etc to be pulled from the AD if I'm to retire our current LDAP servers and use Samba4 as a replacement.
>
> Excerpt from my DC smb.conf:
>
> winbind nss info = rfc2307:MYDOMAIN, template
> template shell = /bin/bash
> template homedir = /home/users/%U
>
> Greetings,
> Felix

     Just to clarify, is it only the DC that doesn't return desired values of HomeDirectory and Shell?

     I ask because my member server is returning the desired values, but I get the impression that it should not be from comments on the list.  Rowland was helping me with winbindd over the last few weeks and I got the impression that my Member Server should not be returning correct HomeDirectory and Shell - but it is - that is why I mentioned that I don't have SSSD installed - nor any other nsswitch back to our current LDAP.  I need to know if what I am seeing is a freak of computing, or expected behaviour.

> -----Original Message-----
> From: samba-bounces at lists.samba.org
> [mailto:samba-bounces at lists.samba.org] On Behalf Of David Minard
> Sent: Thursday, 2 July 2015 06:18
> To: samba at lists.samba.org
> Subject: [Samba] Getent Differences on a DC and a Member Server
>
> G'day All,
>
>       I'm running CentOS 7, Samba 4.2.2.  (SSSD is NOT running (not 
> even installed on the Member Server))
>
> /etc/nsswitch on both:
>
> passwd:     files winbind
> group:      files winbind
>
> the winbind libs have been sym-linked as described in the tiki.  All seems to be working well on both the DC and Member Server.
>
> Both smb.confs have:
>
>     idmap config *:backend = tdb
>     idmap config *:range = 3000000-4000000
>     idmap config AD:backend = ad
>     idmap config AD:schema_mode = rfc2307
>     idmap config AD:range = 600-2999999
>
>     winbind nss info = rfc2307
>     winbind trusted domains only = no
>     winbind use default domain = yes
>     winbind enum users  = yes
>     winbind enum groups = yes
>     winbind refresh tickets = Yes
>
>
> On the DC I've changed winbind to winbindd in the "server services"
> line, and winbindd starts up as expected.
>
> Can anyone tell me why I get slightly different answers from 'getent passwd [username]' from a DC and a Member Server?
>
> eg: getent passwd fred
>
> DC:
>
> fred:*:4999:1001:Fred Nerks:/home/AD/fred:/bin/false
>
> On a Member Server:
>
> fred:*:4999:1001:Fred Nerks:/home/fred:/bin/tcsh
>
>
> On the DC the HomeDirectory and Shell Fields are not what I defined for user Fred.
>
> On the Member Server, HomeDirectory and Shell are what I defined for user Fred.
>
> Why is there a difference?
>
>
>
> --
> This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
>

-- 

Cheers,
David Minard.
Ph:    0247 360 155
Fax:    0247 360 770

School of Computing, Engineering, and Mathematics Building Y - Penrith Campus (Kingswood) Locked bag 1797 Penrith South DC NSW 1797

[Sometimes waking up just isn't worth the insult of the day to come.]
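
A field-by-field comparison of the two `getent passwd` results discussed in this thread, as an added example that is not part of any poster's message. The function names `compare_passwd` and `demo` and the `wilma` entry are constructed for illustration; the `fred` lines are the ones quoted above. It also compares uid and gid, which goes beyond the two fields the thread reports as differing.

```shell
#!/bin/sh
# Added example (not from the thread): diff passwd(5) entries captured with
# `getent passwd` on two hosts, field by field.

# compare_passwd DC_FILE MEMBER_FILE
# Prints "user:field:dc_value:member_value" for every field that differs.
compare_passwd() {
    awk -F: '
        # First file: remember what the DC returned for each user.
        FILENAME == ARGV[1] {
            uid[$1] = $3; gid[$1] = $4; home[$1] = $6; shell[$1] = $7
            next
        }
        # Second file: user the DC did not return at all.
        !($1 in uid) { printf "%s:absent-on-dc::\n", $1; next }
        {
            if (uid[$1]   != $3) printf "%s:uid:%s:%s\n",   $1, uid[$1],   $3
            if (gid[$1]   != $4) printf "%s:gid:%s:%s\n",   $1, gid[$1],   $4
            if (home[$1]  != $6) printf "%s:home:%s:%s\n",  $1, home[$1],  $6
            if (shell[$1] != $7) printf "%s:shell:%s:%s\n", $1, shell[$1], $7
        }
    ' "$1" "$2"
}

# demo: run the comparison on the two lines quoted in the thread plus one
# constructed user ("wilma") that resolves identically on both hosts.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/dc" <<'EOF'
fred:*:4999:1001:Fred Nerks:/home/AD/fred:/bin/false
wilma:*:5000:1001:Wilma Nerks:/home/wilma:/bin/bash
EOF
    cat > "$tmp/member" <<'EOF'
fred:*:4999:1001:Fred Nerks:/home/fred:/bin/tcsh
wilma:*:5000:1001:Wilma Nerks:/home/wilma:/bin/bash
EOF
    compare_passwd "$tmp/dc" "$tmp/member"
    rm -rf "$tmp"
}

demo
```

On real hosts the two input files would come from `getent passwd > file` run on each machine. A differing shell field decides whether the same account gets an interactive login on that host, so it is worth reviewing alongside the home directory.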

