[Samba] Password changes and syncing passwords with Linux accounts

Rowland penny rpenny at samba.org
Tue Feb 16 13:06:37 UTC 2016

On 16/02/16 12:38, Chris Hastie wrote:
> On 16/02/16 09:32, Rowland penny wrote:
>> I would suggest that you start here:
>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>> Some of the info is also applicable if you use a DC as a fileserver 
>> and you will have to click on links to get the full info.
> OK. I've done my best to try and understand this. I presume that as 
> the machine is the AD-DC it's already a member of the AD. A key point 
> seemed to be nsswitch.conf, which I have changed. Now getent passwd 
> does return all the domain accounts, but all the login shells are 
> returned as /bin/false and home directories as /home/MYDOMAIN/someuser

This is one of the reasons why it is not recommended to use the DC as a 
fileserver. On a Unix domain member you can use the unixHomeDirectory 
and loginShell attributes, but on a DC these are ignored, so you need to 
set the 'template' lines in smb.conf. The only problem is that you 
cannot have different settings per user.

> This is despite the fact that looking directly at the LDAP records my 
> own account says loginShell /bin/bash and unixHomeDirectory 
> /home/chris. An attempt to login fails because "Could not chdir to 
> home directory /home/MYDOMAIN/chris: No such file or directory" (I'm 
> actually surprised it wasn't the /bin/false that was the deciding factor)
> Using
>     template homedir = /home/%U
>     template shell = /bin/bash
> gets the shell to /bin/bash, but for everyone. But the home directory 
> for all users becomes /home/%U, i.e. no substitution of %U is done. How 
> can I get the shells and home directories to be returned as desired?

Try: template homedir  = /home/%ACCOUNTNAME%

> Also, the username is always preceded by MYDOMAIN\. Oddly as well, 
> wbinfo -u includes both a 'chris' and a 'MYDOMAIN\chris', and getent 
> passwd returns two separate MYDOMAIN\chris lines. Whether this is a 
> problem I don't know, but there doesn't seem much point in going 
> further until I can at least see sensible shells and home directories.

If wbinfo and getent are showing duplicate users (note: 
'MYDOMAIN\chris' and 'chris' will be treated as the same user), check if 
the user exists in /etc/passwd and if it does, remove it from /etc/passwd.
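
The duplicate-account check suggested in the reply above, written out as an added example (not part of the original message or of Samba itself): it lists local passwd entries whose names collide with domain accounts, so an admin can see which identity a login may resolve to. The function names and the sample data are constructed for illustration; on a real host the domain list would be the saved output of `wbinfo -u` and the passwd file would be /etc/passwd.

```shell
#!/bin/sh
# Added example: find local passwd accounts that shadow domain accounts.

# strip_domain: read names on stdin and drop any leading "DOMAIN\" prefix,
# so 'MYDOMAIN\chris' and 'chris' compare as the same user.
strip_domain() {
    sed 's/^.*\\//'
}

# find_shadowed_users PASSWD_FILE DOMAIN_USERS_FILE   (hypothetical helper)
# Prints each domain user name that also exists as a local passwd entry.
# The comparison is case-insensitive, as AD account names are.
find_shadowed_users() {
    passwd_file=$1
    domain_file=$2
    strip_domain < "$domain_file" | sort -u | while IFS= read -r name; do
        [ -n "$name" ] || continue
        # Match only on the first colon-separated field (the login name).
        if awk -F: -v n="$name" \
            'tolower($1) == tolower(n) { found = 1 } END { exit !found }' \
            "$passwd_file"; then
            printf '%s\n' "$name"
        fi
    done
}

# demo_shadowed: run the check on constructed sample data (not real accounts).
demo_shadowed() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
chris:x:1000:1000:Chris:/home/chris:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
EOF
    cat > "$dir/domain_users" <<'EOF'
Administrator
chris
MYDOMAIN\chris
MYDOMAIN\alice
krbtgt
EOF
    find_shadowed_users "$dir/passwd" "$dir/domain_users"
    rm -rf "$dir"
}

demo_shadowed
```

Any name it prints is a candidate for removal from /etc/passwd, after confirming that no files or services still depend on the local UID.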

