[Samba] User home and shell lookup on a Samba AD DC
Rowland Penny
rpenny at samba.org
Mon Mar 20 13:01:10 UTC 2017
On Mon, 20 Mar 2017 13:02:38 +0100
Dennis Leeuw via samba <samba at lists.samba.org> wrote:
> Hi list,
>
> I am probably overlooking something, but can not figure out what is
> going on nor can I find something through google.
>
> I just converted a Samba 4 PDC to Samba 4 AD DC (using the samba
> provided tools). I hooked up a Linux laptop to the network, configured
> winbind, joined the domain and am able to login with my credentials
> from Samba AD. However I can not seem to get it working on the
> machine running the Samba AD.
>
> The situation:
> Samba AD DC:
> Debian 8.7
> Samba 4.2.14
If you look here:
https://downloads.van-belle.nl/samba4/samba-4.6.0/
You will find 4.6.0 amd64 debs; Samba does not support 4.2.x anymore,
though this doesn't stop you using it.
> smb.conf:
> winbind use default domain = yes
> winbind nss info = rfc2307
> allow trusted domain = yes
> logon drive = z:
> logon home = \\pdc\users\%U
You might as well remove those lines, they do not work on a DC (also,
please do not call your DC a PDC, it is confusing).
> Running wbinfo -i on the workstation shows:
> username:*:666:999::/home/group/username:/bin/bash
>
> Running wbinfo -i on the Samba AD server shows:
> username:*:666:999:user A:/home/DCDOMAIN/username:/bin/false
>
> getent on both machines shows only the local passwd and group stuff,
Ah, but is this 'getent passwd' or 'getent passwd username' ?
By default, winbind does not enumerate users and groups.
> while id on both shows:
> uid=666(username) gid=999(group) groups=555(anothergroup),....
>
> On the workstation I can login through login and through sshd, on the
> server I can (of course) not since the shell is /bin/false.
>
> Adding the idmap config settings to the server does not solve the
> problem.
They do nothing on a DC unless you upgrade to 4.6.0, and then they will
stop 'samba' starting.
> Adding security = ads to the server config makes sure samba
> does not start. Adding "template shell = /bin/bash" to the server
> configuration makes wbinfo output show /bin/bash as shell, and I can
> login.
Winbind on a DC does not extract the user's unix home dir and login
shell; you have to use template lines in smb.conf.
Rowland
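A small check script, added here as an illustration and not part of the thread or of Samba itself: it parses the passwd-style line that `wbinfo -i <user>` prints and reports whether the returned shell would allow a login on that host, which is exactly the difference between the workstation and the DC output quoted above. The two sample lines are copied from the thread; in practice you would feed it `$(wbinfo -i "$USER")`. The `template homedir` parameter mentioned in the verdict is a real smb.conf parameter but is not on this page.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): inspect a passwd-style
# line as printed by `wbinfo -i <user>` and decide whether the account could
# log in on this host, i.e. whether winbind returned a real login shell.

# Shells winbind falls back to when no usable shell is resolved for the user.
NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin /sbin/nologin"

# shell_of LINE -> prints field 7 (login shell) of a passwd-style line
shell_of() {
    printf '%s\n' "$1" | cut -d: -f7
}

# home_of LINE -> prints field 6 (home directory)
home_of() {
    printf '%s\n' "$1" | cut -d: -f6
}

# can_login LINE -> exit 0 if the shell is a real login shell, 1 otherwise
can_login() {
    _sh=$(shell_of "$1")
    for _no in $NOLOGIN_SHELLS; do
        [ "$_sh" = "$_no" ] && return 1
    done
    [ -n "$_sh" ]
}

# diagnose LINE -> prints a one-line verdict; exit status mirrors can_login
diagnose() {
    _user=$(printf '%s\n' "$1" | cut -d: -f1)
    if can_login "$1"; then
        printf '%s: shell %s, home %s -> login possible\n' \
            "$_user" "$(shell_of "$1")" "$(home_of "$1")"
        return 0
    fi
    printf '%s: shell %s -> login blocked; on a DC set "template shell" (and "template homedir") in smb.conf\n' \
        "$_user" "$(shell_of "$1")"
    return 1
}

# Constructed sample input, copied from the wbinfo -i output in the thread.
WORKSTATION_LINE='username:*:666:999::/home/group/username:/bin/bash'
DC_LINE='username:*:666:999:user A:/home/DCDOMAIN/username:/bin/false'

# Stand-alone demo; replace the constants with "$(wbinfo -i "$USER")" on a real host.
diagnose "$WORKSTATION_LINE" || :
diagnose "$DC_LINE" || :
```

The DC line fails the check only because of the shell field; the uid, gid and home directory are resolved fine, which matches Rowland's point that on a DC the home and shell have to come from `template` lines rather than from the user object.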