[Samba] User home and shell lookup on a Samba AD DC

Mon Mar 20 12:02:38 UTC 2017

Hi list,

I am probably overlooking something, but can not figure out what is 
going on nor can I find something through google.

I just converted a Samba 4 PDC to Samba 4 AD DC (using the samba 
provided tools). I hooked up a Linux laptop to the network configure 
winbind, joined the domain and am able to login with my credentials from 
Samba AD. However I can not seem to get it working on the machine 
running the Samba AD.

The situation:
Samba AD DC:
Debian 8.7
Samba 4.2.14
smb.conf:
workgroup = DCDOMAIN
realm = dc-zone.my.domain
netbios name = PDC
server role = active directory domain controller
idmap_ldb: use rfc2307 = yes
dns forwarder = 192.168.1.1
winbind use default domain = yes
winbind nss info = rfc2307
allow trusted domain = yes
logon drive = z:
logon home = \\pdc\users\%U
# And then some shares...

Workstation:
Ubuntu 14.04 LTS
samba: 4.3.11
security = ads
realm = dc-zone.my.domain
workgroup = DCDOMAIN
netbios name = my-client
allow trusted domain = yes
winbind use default domain = yes
winbind nss info = rfc2307
idmap config DCDOMAIN: backend = ad
idmap config DCDOMAIN: schema_mode = rfc2307
idmap config DCDOMAIN: range = 500-799999
idmap config *: backend = ad
idmap config *: schema_mode = rfc2307
idmap config *: range = 800000-999999

An (simpified) example user entry from the samba LDAP looks like this:
dn: cn=username,CN=Users,DC=....
cn: username
unixHomeDirectory: /home/group/username
displayName: user A
loginShell: /bin/bash
uidNumber: 666
gidNumber: 999

/etc/nsswitch.conf on both machines has:
passwd: compat winbind
group: compat winbind
shadow: compat winbind

On the workstation winbind is running as a standalone /usr/sbin/winbind 
and on the samba AD server /usr/sbin/winbind is running as a subprocess 
of /usr/sbin/samba.

Running wbinfo -i on the workstation shows:
username:*:666:999::/home/group/username:/bin/bash

Running wbinfo -i on the Samba AD server shows:
username:*:666:999:user A:/home/DCDOMAIN/username:/bin/false

getent on both machines shows only the local passwd and group stuff, 
while id on both shows:
uid=666(username) gid=999(group) groups=555(anothergroup),....

On the workstation I can login through login and through sshd, on the 
server I can (of course) not since the shell is /bin/false.

Adding the idmap config settings to the server does not solve the problem.
Adding security = ads to the server config makes sure samba does not start.
Adding  "template shell = /bin/bash" to the server configuration makes 
wbinfo output show /bin/bash as shell, and I can login.

So somehow the /usr/sbin/winbind samba subprocess retrieves different 
information from the LDAP database. But I can´t figure out what I am 
doing wrong (my assumption is that it is somewhere in the 
configuration). Can someone point me in the right direction?
Questions:
- Why doesn't the server config retrieve the shell and home directory 
from LDAP?
- Why doesn't the workstation config retrieve the displayName field from 
LDAP (although this is harmless for now)?

With kind regards,

Dennis Leeuw

-- 
DBG-ICT
UMC Utrecht

------------------------------------------------------------------------------

De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is
uitsluitend bestemd voor de geadresseerde. Indien u dit bericht onterecht
ontvangt, wordt u verzocht de inhoud niet te gebruiken en de afzender direct
te informeren door het bericht te retourneren. Het Universitair Medisch
Centrum Utrecht is een publiekrechtelijke rechtspersoon in de zin van de W.H.W.
(Wet Hoger Onderwijs en Wetenschappelijk Onderzoek) en staat geregistreerd bij
de Kamer van Koophandel voor Midden-Nederland onder nr. 30244197.

Denk s.v.p aan het milieu voor u deze e-mail afdrukt.

------------------------------------------------------------------------------

This message may contain confidential information and is intended exclusively
for the addressee. If you receive this message unintentionally, please do not
use the contents but notify the sender immediately by return e-mail. University
Medical Center Utrecht is a legal person by public law and is registered at
the Chamber of Commerce for Midden-Nederland under no. 30244197.

Please consider the environment before printing this e-mail.