[Samba] Password changes and syncing passwords with Linux accounts

Rowland penny rpenny at samba.org
Tue Feb 16 14:55:24 UTC 2016

On 16/02/16 14:07, Chris Hastie wrote:
> On 16/02/2016 13:06, Rowland penny wrote:
>> This is one of the reasons why it is not recommended to use the DC as a
>> fileserver. On a Unix domain member you can use the unixHomeDirectory
>> and loginShell attributes, but on a DC these are ignored, so you need to
>> set the 'template' lines in smb.conf. The only problem is that you
>> cannot have different settings per user.
> That's a shame. Perhaps I'll get around to migrating the DC elsewhere 
> one day, but for now it's going to have to stay.
>> Try: template homedir = /home/%ACCOUNTNAME% 
> That's done the trick, thanks.
>> If wbinfo and getent are showing duplicate users (note:
>> 'MYDOMAIN\chris' and 'chris' will be treated as the same user), check if
>> the user exists in /etc/passwd and if it does, remove it from 
>> /etc/passwd.
> Even after removing the users from /etc/passwd I still see two 
> MYDOMAIN\chris entries. What's more there is an LDAP entry with 
> CN=chris and another with CN=MYDOMAINchris. If I delete the latter 
> getent returns only one user MYDOMAIN\chris. But as soon as I log in 
> again on a terminal the duplicate user reappears, as does the 
> cn=MYDOMAINchris in LDAP.

This is strange; just logging in shouldn't create a user in AD, and when 
you see MYDOMAIN\chris this is just winbind, i.e.

This is on a DC:

root at dc1:~# getent passwd rowland
SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

and this is on a domain member:

rowland at debnet:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

> Another issue is that having now successfully logged in using the 
> credentials for chris I seem to be viewed as being MYDOMAIN\chris. 
> This is a problem at the very least because MYDOMAIN\chris is not in 
> all the groups that chris is. As he is not in admin, I can't sudo.

You need to sort out the user problem before worrying about sudo, but if 
you are interested, you can store the sudo rules in AD.

How are you logging into the DC that causes the creation of a user in AD?


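An added check, not code from this thread or from the Samba project: a small POSIX shell script that reports account names appearing more than once in passwd-format output once any `DOMAIN\` prefix is stripped and the name is case-folded. That is the collision Rowland describes between a stale local entry in /etc/passwd and the same user supplied by winbind. The sample lines are constructed for the example; on a real domain member you would pipe `getent passwd` into the function instead.

```shell
#!/bin/sh
# Added example (not from the Samba list thread): find local accounts that
# collide with winbind-provided domain accounts, the cause of the duplicate
# users the thread describes in wbinfo/getent output.

# Constructed sample of what `getent passwd` might return on a domain member
# whose /etc/passwd still carries a stale local "chris" account alongside
# the winbind entry MYDOMAIN\chris.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
chris:x:1001:1001:Chris Hastie:/home/chris:/bin/bash
MYDOMAIN\chris:*:10000:10000:Chris Hastie:/home/chris:/bin/bash
MYDOMAIN\rowland:*:10001:10001:Rowland Penny:/home/rowland:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash'

# find_duplicate_accounts: read passwd-format lines on stdin, drop any
# "DOMAIN\" prefix from the account name and lower-case the remainder
# (winbind treats 'MYDOMAIN\chris' and 'chris' as the same user), then
# print each normalised name that occurs more than once, one per line.
find_duplicate_accounts() {
    awk -F: '
    {
        name = $1
        # remove everything up to and including the backslash separator
        sub(/^.*\\/, "", name)
        name = tolower(name)
        count[name]++
    }
    END {
        for (n in count)
            if (count[n] > 1)
                print n
    }' | sort
}

# check_sample: run the detector over the constructed sample above.
check_sample() {
    # printf rather than echo: dash's echo would interpret "\c" in the data
    printf '%s\n' "$SAMPLE_PASSWD" | find_duplicate_accounts
}

# Stand-alone run: list the colliding names found in the sample.
for dup in $(check_sample); do
    printf 'duplicate account after stripping domain prefix: %s\n' "$dup"
done
```

Each name printed exists both as a plain local account and as a domain account; the thread's remedy is to remove the local copy from /etc/passwd so only the winbind entry remains. The script only reads its input and changes nothing.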