[Samba] unixHomeDirectory, loginShell, etc. on Samba4 AD DC

Lars Hanke debian at lhanke.de
Wed Sep 16 08:45:53 UTC 2015

Am 16.09.2015 um 08:37 schrieb L.P.H. van Belle:
> What you're saying here, below, is what I'm doing with samba and winbind only,
> and it works great.
> You're saying winbind sucks; that's your interpretation of you not figuring out
> the correct settings, in my opinion.

This may be true - after all I believe in deterministic behaviour of 
programs. But I gave up on winbind after I copied a correctly working 
configuration to other systems and saw different behaviour on each 
system, ranging from perfect operation to not working at all, with all 
kinds of strange things in between.

> Things I use.
> Samba, winbind, squid-proxy, apache single sign-on, ssh logins with kerberos, nfs4 kerberized, postfix with ldap.
> And proxy, apache and ssh all use the winbind auth and/or kerberos auth.
> So IF you have problems setting up samba, don't blame samba; it's not always easy to set up. I did about a year of testing before going into production with this and I'm still tuning the setup.
> This is not because of a "bad" product, but because of the amount of settings you can do, and I also don't know everything, and for that I'm very happy with all the
> helpful people here on the samba list. None of the lists I'm on (maybe the postfix list) is as active and helpful as the samba list.

A real pain with samba (but not only with samba of course; for some 
reason this seems to be a property of security software) is the 
difficulty of systematic troubleshooting. You follow often excellent 
howtos and then it either works or it doesn't. If it doesn't, try 
another howto. And yes, samba comes with excellent howtos.

> And if you keep a "correct" order of installation, you will always have a good working samba, really always; this is why I refer to my scripts.

This is hopefully true, if you start from scratch. I had to do a 
floating migration with some systems still using the old Kerberos/LDAP 
and other systems already using AD, all systems with their own history. 
Each system had its unique challenges.

> And this is also why Marc Muehlfeld is working hard on wiki changes.
> And set up like my scripts and it just works; maybe some settings are debatable, but it's a good starting point.

I appreciate the great work and I am very grateful. But using scripts 
and howtos does not generate understanding, which is necessary if you 
have to modify the proposed setup or in particular if something breaks 
after it had worked for some time.

And to close the loop this is where nslcd topped winbind. Although I 
invested much less time to understand it, I know every nut and bolt in 
this part. Winbind stayed a piece of magic.

  - lars.
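The complaint above, that troubleshooting ends up as "it works or it doesn't", is easier to live with if there is one repeatable check that says whether NSS hands out the uidNumber, unixHomeDirectory and loginShell actually stored in AD, whichever backend (winbind or nslcd) sits in between. The script below is an added example written for this thread, not code from Lars's message or from the Samba project. The account name jdoe, the search base DC=example,DC=com and the sample getent/ldapsearch output are constructed for the example; the live check_account function needs a domain member with a Kerberos ticket so that ldapsearch can bind with GSSAPI.

```shell
#!/bin/sh
# Added example for this thread, not code from the original message or from the
# Samba project: a repeatable check that NSS hands out the same uidNumber,
# unixHomeDirectory and loginShell that are stored in AD, whichever NSS backend
# (winbind or nslcd) sits in between. A mismatch points at the backend's
# mapping/template settings rather than at the directory data.
# Hypothetical names: account "jdoe", search base DC=example,DC=com.

# ldif_attr LDIF ATTR: print the first value of ATTR from ldapsearch -LLL output.
# Plain "attr: value" lines only; base64 ("attr:: ...") and folded lines are
# not handled, which is fine for the short attributes compared here.
ldif_attr() {
    printf '%s\n' "$1" | sed -n "s/^$2: //p" | head -n 1
}

# nss_field LINE N: field N of a passwd(5)-style line name:pw:uid:gid:gecos:home:shell
nss_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# compare_nss_with_ad NSS_LINE LDIF
# Returns 0 when uid, home and shell agree, 1 when any field differs (each
# difference is printed), 2 when the NSS line is not a seven-field passwd entry.
compare_nss_with_ad() {
    nss=$1
    ldif=$2
    nfields=$(printf '%s\n' "$nss" | awk -F: '{ print NF }')
    if [ "$nfields" -ne 7 ]; then
        echo "malformed NSS entry: expected 7 fields, got $nfields"
        return 2
    fi
    rc=0
    # passwd field number paired with the RFC2307 attribute it must come from
    for pair in 3:uidNumber 6:unixHomeDirectory 7:loginShell; do
        field=${pair%%:*}
        attr=${pair#*:}
        nss_val=$(nss_field "$nss" "$field")
        ad_val=$(ldif_attr "$ldif" "$attr")
        if [ "$nss_val" != "$ad_val" ]; then
            echo "$attr: NSS=$nss_val AD=${ad_val:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# check_account USER BASE: the live version, run on a domain member after kinit.
check_account() {
    user=$1
    base=$2
    nss=$(getent passwd "$user") || { echo "$user: not resolvable through NSS"; return 2; }
    ldif=$(ldapsearch -LLL -Q -Y GSSAPI -b "$base" "(sAMAccountName=$user)" \
        uidNumber unixHomeDirectory loginShell)
    compare_nss_with_ad "$nss" "$ldif"
}

# Constructed sample data so the comparison can be exercised offline.
SAMPLE_LDIF='dn: CN=John Doe,CN=Users,DC=example,DC=com
uidNumber: 10001
unixHomeDirectory: /home/jdoe
loginShell: /bin/bash'
# What a correctly mapped backend returns:
SAMPLE_NSS_OK='jdoe:*:10001:10000:John Doe:/home/jdoe:/bin/bash'
# What a backend that fell back to template settings returns:
SAMPLE_NSS_TEMPLATE='jdoe:*:10001:10000:John Doe:/home/EXAMPLE/jdoe:/bin/false'

if compare_nss_with_ad "$SAMPLE_NSS_OK" "$SAMPLE_LDIF"; then
    echo "sample OK entry: NSS matches AD"
fi
if ! compare_nss_with_ad "$SAMPLE_NSS_TEMPLATE" "$SAMPLE_LDIF"; then
    echo "sample template entry: NSS differs from AD (see lines above)"
fi
```

On a real member server, `check_account jdoe DC=example,DC=com` gives a yes/no answer per field; a home directory or shell that differs from AD while the uid matches usually means the backend is still applying its own template values instead of reading the RFC2307 attributes, which narrows the search to the mapping settings rather than to the directory or Kerberos.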

