[Samba] Changing default UID/GID beginning for AD

Rowland penny rpenny at samba.org
Tue Jun 14 09:18:35 UTC 2016

On 14/06/16 09:50, mathias dufresne wrote:
> 2016-06-13 18:27 GMT+02:00 Rowland penny <rpenny at samba.org>:
>     On 13/06/16 13:13, mathias dufresne wrote:
>         I would love to find out how to achieve that.
>         I did look for information, all I found was that:
>         https://social.technet.microsoft.com/Forums/en-US/3e184d10-09e3-4eab-9131-6694b86879f8/modify-default-value-of-loginshell-attribute?forum=winserverDS
>         Unfortunately it seems to list all users (I don't know these MS commands
>         but "Get-AdUser -Filter"...) then sending that list to something to modify
>         received users list ("Set-AdObject -Replace
>         @{unixhomedirectory='/bin/sh','bin/bash'}" and
>         https://technet.microsoft.com/en-us/library/ee617215.aspx).
>     You could always use ldbmodify on the Samba4 DC and the attribute
>     you need to change for the users login shell is 'loginShell' :-)
> Yep, MS doc, the dude who wrote that made a mistake, he tried to help 
> at least.

And you passed the mistake on, Mathias! I was trying to help by pointing 
this out and giving a known working way of changing the contents of the 
'loginShell' attribute.

>         I would have looked into AD schema and configuration DIT (or naming
>         context?) but first I did a grep on Samba's source tree looking for
>         "/bin/sh" string but that string seems to be used for running commands and
>         shebangs only, I could easily have missed something anyway.
>     Try reading
>     /usr/local/samba/share/setup/ad-schema/MS-AD_Schema_2K8_R2_Attributes.txt
>     Note: the path to your copy may vary.
> I thought schemas were descriptions of attributes and classes, not 
> places to set values. As I could be wrong, I used grep to read that file:
> cat `locate MS-AD_Schema_2K8_R2_Attributes.txt` | grep sh -w -> no 
> answer, "sh" (as word) is not present in that file.
> There is still a chance it is written in configuration DIT but as the 
> same grep was done during the week-end on the whole Samba 4.4.4 source 
> tree without finding more relevant traces of "sh" word, I'm now 
> suspecting the client is the one managing that.

So you think you will find the content of something that is set on 
Windows in the Samba source code? Windows ADUC default content for the 
'loginShell' attribute is '/bin/sh'. The Samba default content for the 
'loginShell' attribute is ' ', yes that's right, there isn't one!

You are also correct, 'sh' isn't in the list of Attributes, because 
it is the content of an attribute, not an attribute. The file I pointed 
you to, is a list of all the attributes you can use on a Samba 4 AD DC, 
there is a similar file that contains all the objectclasses.
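
What the ldbmodify route mentioned above could look like, as an added example that is not part of the original thread: a shell function that writes one LDIF "replace loginShell" record per user and rejects values that are not plain absolute paths (such as the 'bin/bash' typo quoted earlier). The sample DNs, the example.com domain and the sam.ldb path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: emit LDIF "replace loginShell"
# records to feed to ldbmodify on a Samba AD DC.

# make_loginshell_ldif DN SHELL -> prints one LDIF modify record.
make_loginshell_ldif() {
    dn=$1
    shell=$2
    nl='
'
    # Accept only a plain absolute path, so a stray space or newline
    # cannot smuggle extra LDIF lines into the record.
    case $shell in
        /*) ;;
        *) echo "loginShell must be an absolute path: $shell" >&2; return 1 ;;
    esac
    case $shell in
        *[!A-Za-z0-9/._-]*) echo "unexpected character in: $shell" >&2; return 1 ;;
    esac
    # A DN never needs a raw newline; refuse it for the same reason.
    case $dn in
        ''|*"$nl"*) echo "invalid DN" >&2; return 1 ;;
    esac
    # LDIF (RFC 2849) wants the base64 form ("dn::") when the value has
    # bytes outside printable ASCII, e.g. accented names.
    if [ -n "$(printf '%s' "$dn" | LC_ALL=C tr -d ' -~')" ]; then
        printf 'dn:: %s\n' "$(printf '%s' "$dn" | base64 | tr -d '\n')"
    else
        printf 'dn: %s\n' "$dn"
    fi
    printf 'changetype: modify\nreplace: loginShell\nloginShell: %s\n\n' "$shell"
}

# Constructed sample DNs (example.com is a placeholder domain).
sample_ldif() {
    make_loginshell_ldif 'CN=Alice Smith,CN=Users,DC=example,DC=com' /bin/bash
    make_loginshell_ldif 'CN=Renée Dupont,CN=Users,DC=example,DC=com' /bin/bash
}

# On the DC (the sam.ldb path is an assumption; it varies by install):
#   sample_ldif > shells.ldif
#   ldbmodify -H /usr/local/samba/private/sam.ldb shells.ldif
```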