[Samba] Winbindd Home Directory and Shell

Rowland Penny rowlandpenny at googlemail.com
Tue Jun 16 03:49:51 MDT 2015


On 16/06/15 10:22, Brady, Mike wrote:
> On 2015-06-16 19:39, Rowland Penny wrote:
>> On 16/06/15 04:03, Brady, Mike wrote:
>>> With the switch to using winbindd on Domain Controllers in 4.2, 
>>> should a getent passwd now be showing the home directory and shell 
>>> that is in the RFC2307 attributes in the directory like a member 
>>> server does?
>>
>> No, the 'winbindd' change hasn't altered anything here.
>>
>>>
>>> I always thought that this was a difference between the internal 
>>> winbind and the external winbindd, but my 4.2 DC looks like it is 
>>> still using the templates rather than looking the values up in the 
>>> directory.
>>>
>>> Centos 7.1/Samba 4.2.2 DC configuration
>>>
>>> /etc/samba/smb.conf
>>> [global]
>>>         workgroup = SAMBA
>>>         realm = samba.xxxxxxx.xx.xx
>>>         netbios name = DC03
>>>         server role = active directory domain controller
>>>
>>>         # Using bind_dlz
>>>         server services = -dns
>>
>>>
>>>         idmap config SAMBA:backend = ad
>>>         idmap config SAMBA:schema_mode = rfc2307
>>>         idmap config SAMBA:range = 1000000-5000000
>>>
>>>         idmap config *:backend = tdb
>>>         idmap config *:range = 70001-80000
>>>         winbind nss info = rfc2307
>>
>> You might as well remove the above lines, they are not doing anything.
>>
>
> I added these because the wiki page 
> https://wiki.samba.org/index.php/RFC2307_backend#Using_Winbindd_on_a_Samba_DC 
> specifically states that these settings are needed.
>
> What range is used for uids for
>>>
>>>         idmap_ldb:use rfc2307 = yes
>>>
>>>         winbind trusted domains only = no
>>>         winbind use default domain = no
>>>         winbind enum users = yes
>>>         winbind enum groups = yes
>>
>> and the above 4 lines
>>
>>>
>>> [netlogon]
>>>         path = /var/lib/samba/sysvol/samba.xxxxxxx.xx.xx/scripts
>>>         read only = No
>>>
>>> [sysvol]
>>>         path = /var/lib/samba/sysvol
>>>         read only = No
>>>
>>> nsswitch.conf has
>>> passwd:     files winbind
>>> group:      files winbind
>>>
>>> Thanks
>>>
>>> Mike
>>
>> Rowland
>

OK, you are correct, the wiki page does say that, but on my test DC 
there is this:

# Global parameters
[global]
     workgroup = SAMBADOM
     realm = SAMBADOM.EXAMPLE.COM
     netbios name = TESTDC1
     server role = active directory domain controller
     dns forwarder = 8.8.8.8
     idmap_ldb:use rfc2307 = yes
     template homedir = /home/%U
     template shell = /bin/bash
##---- disable printing completely
     load printers = no
     printing = bsd
     printcap name = /dev/null
     disable spoolss = yes


[netlogon]
     path = /var/lib/samba/sysvol/sambadom.example.com/scripts
     read only = No

[sysvol]
     path = /var/lib/samba/sysvol
     read only = No

and if I ask getent for an RFC2307 enabled user:

root@testdc1:~# getent passwd user
user:*:10002:10000::/home/user:/bin/bash

So as you can see, the lines you added *do not* do anything.

I tested with and without similar lines and they definitely do not 
change anything.

If you wait a short while, the wiki page will not show the lines you added.

Rowland
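
As an added illustration (not code from this thread or from Samba), the small Python checker below applies the point made above to an smb.conf: on a DC the `idmap config ...` and `winbind nss info` lines are reported as ignored, `idmap_ldb:use rfc2307` is reported as the setting that matters, and the `template homedir` / `template shell` values (or their smb.conf(5) defaults, `/home/%D/%U` and `/bin/false`) are reported as the fallback. The function name `check_dc_rfc2307` and the embedded sample config are constructed for this example.

```python
import re

DC_ROLE = "active directory domain controller"
# Per the thread: on an AD DC these parameters change nothing for getent.
IGNORED_ON_DC_PREFIXES = ("idmap config ", "winbind nss info")
# smb.conf(5) defaults, used when the template lines are absent.
DEFAULT_HOMEDIR, DEFAULT_SHELL = "/home/%D/%U", "/bin/false"

def parse_smb_conf(text: str) -> dict:
    """Parse smb.conf text into {section: {param: value}} (names lower-cased)."""
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def check_dc_rfc2307(text: str) -> dict:
    """Report which [global] lines matter for RFC2307 home/shell on a DC."""
    g = parse_smb_conf(text).get("global", {})
    is_dc = g.get("server role", "").lower() == DC_ROLE
    ignored = [k for k in g if is_dc and k.startswith(IGNORED_ON_DC_PREFIXES)]
    rfc2307 = g.get("idmap_ldb:use rfc2307", "no").lower() in ("yes", "true", "1")
    return {
        "is_dc": is_dc,
        "idmap_ldb_rfc2307": rfc2307,          # the line that actually matters
        "ignored_on_dc": ignored,              # lines that do nothing on a DC
        "fallback_homedir": g.get("template homedir", DEFAULT_HOMEDIR),
        "fallback_shell": g.get("template shell", DEFAULT_SHELL),
    }

# Constructed sample: the essentials of the DC config quoted in the thread.
SAMPLE_DC_CONF = """\
[global]
        server role = active directory domain controller
        idmap config SAMBA:backend = ad
        idmap config *:backend = tdb
        idmap config *:range = 70001-80000
        winbind nss info = rfc2307
        idmap_ldb:use rfc2307 = yes
"""
```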

