[Samba] User home and shell lookup on a Samba AD DC

Rowland Penny rpenny at samba.org
Mon Mar 20 13:01:10 UTC 2017

On Mon, 20 Mar 2017 13:02:38 +0100
Dennis Leeuw via samba <samba at lists.samba.org> wrote:

> Hi list,
> I am probably overlooking something, but can not figure out what is 
> going on nor can I find something through google.
> I just converted a Samba 4 PDC to Samba 4 AD DC (using the samba 
> provided tools). I hooked up a Linux laptop to the network configure 
> winbind, joined the domain and am able to login with my credentials
> from Samba AD. However I can not seem to get it working on the
> machine running the Samba AD.
> The situation:
> Samba AD DC:
> Debian 8.7
> Samba 4.2.14

If you look here:


You will find 4.6.0 amd64 debs, Samba does not support 4.2.x anymore,
though this doesn't stop you using it.

> smb.conf:

> winbind use default domain = yes
> winbind nss info = rfc2307
> allow trusted domain = yes
> logon drive = z:
> logon home = \\pdc\users\%U

You might as well remove those lines, they do not work on a DC (Also
please do not call your DC a PDC, it is confusing)

> Running wbinfo -i on the workstation shows:
> username:*:666:999::/home/group/username:/bin/bash
> Running wbinfo -i on the Samba AD server shows:
> username:*:666:999:user A:/home/DCDOMAIN/username:/bin/false
> getent on both machines shows only the local passwd and group stuff, 

Ah, but is this 'getent passwd' or 'getent passwd username' ?

By default, winbind does not enumerate users and groups.

> while id on both shows:
> uid=666(username) gid=999(group) groups=555(anothergroup),....
> On the workstation I can login through login and through sshd, on the 
> server I can (of course) not since the shell is /bin/false.
> Adding the idmap config settings to the server does not solve the
> problem.

They do nothing on A DC unless you upgrade to 4.6.0 and then they will
stop 'samba' starting.
>Adding security = ads to the server config makes sure samba
> does not start. Adding  "template shell = /bin/bash" to the server
> configuration makes wbinfo output show /bin/bash as shell, and I can
> login.

Winbind on a DC, does not extract the users unix home dir and login
shell, you have to use template lines in smb.conf.


More information about the samba mailing list