[Samba] winbind rfc2307 not being obeyed

Jeff Sadowski jeff.sadowski at gmail.com
Mon Oct 30 16:58:01 UTC 2017 

nope that just brute forced homedir and shell. It'll work for what I
want this machine for but I'd like to get the homedir and shell from
AD

On Mon, Oct 30, 2017 at 10:54 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> My smb.conf file now looks like so
> [global]
> #--authconfig--start-line--
>
> # Generated by authconfig on 2017/10/30 10:47:34
> # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
> # Any modification may be deleted or altered by authconfig in future
>
>    workgroup = MIND
>    password server = MIND.UNM.EDU
>    realm = MIND.UNM.EDU
>    security = ads
>    idmap config * : range = 2000-7999
>    template homedir = /na/homes/%U
>    template shell = /bin/bash
>    kerberos method = secrets only
>    winbind use default domain = true
>    winbind offline logon = false
>
> #--authconfig--end-line--
> ;   security = ads
> ;   realm = MIND.UNM.EDU
> ;   workgroup = MIND
>    idmap config * : backend = tdb
>    idmap config * : range = 2000-7999
>    idmap config MIND:backend = ad
>    idmap config MIND:schema_mode = rfc2307
>    idmap config MIND:range = 8000-9999999
>    winbind nss info = rfc2307
> ;   winbind use default domain = yes
>    # so that the users show up in getent
>    winbind enum users = yes
>    # so that the groups show up in getent
>    winbind enum groups = yes
>    restrict anonymous = 2
>    #added the following 2 for the Badlock updates that change the defaults
>    #to no longer work with my domain controllers
>    ldap server require strong auth = no
>    client ldap sasl wrapping = plain
> ;   template homedir=/na/homes/%U
> ;   template shell=/bin/bash
>
> On Mon, Oct 30, 2017 at 10:53 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>> fedora's authconfig must edit a bunch of files
>>
>> On Mon, Oct 30, 2017 at 10:53 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>>> I found what I needed to do
>>> DOMAIN=MIND.UNM.EDU
>>> SHORT=MIND
>>> authconfig --enablekrb5 --krb5kdc=${DOMAIN}
>>> --krb5adminserver=${DOMAIN} --krb5realm=${DOMAIN} --enablewinbind
>>> --enablewinbindauth --smbsecurity=ads --smbrealm=${DOMAIN}
>>> --smbservers=${DOMAIN} --smbworkgroup=${SHORT}
>>> --winbindtemplatehomedir=/na/homes/%U --winbindtemplateshell=/bin/bash
>>> --enablemkhomedir --enablewinbindusedefaultdomain --update
>>>
>>> this worked
>>>
>>> On Mon, Oct 30, 2017 at 10:11 AM, Rowland Penny via samba
>>> <samba at lists.samba.org> wrote:
>>>> On Mon, 30 Oct 2017 09:49:24 -0600
>>>> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> OS:fedora-26
>>>>> SAMBA:4.6.8
>>>>> [root at squints ~]# cat /etc/samba/smb.conf
>>>>> [global]
>>>>>    security = ads
>>>>>    realm = MIND.UNM.EDU
>>>>>    workgroup = MIND
>>>>>    idmap config * : backend = tdb
>>>>>    idmap config * : range = 2000-7999
>>>>>    idmap config MIND:backend = ad
>>>>>    idmap config MIND:schema_mode = rfc2307
>>>>>    idmap config MIND:range = 8000-9999999
>>>>>    winbind nss info = rfc2307
>>>>>    winbind use default domain = yes
>>>>>    # so that the users show up in getent
>>>>>    winbind enum users = yes
>>>>>    # so that the groups show up in getent
>>>>>    winbind enum groups = yes
>>>>>    restrict anonymous = 2
>>>>>    #added the following 2 for the Badlock updates that change the
>>>>> defaults #to no longer work with my domain controllers
>>>>>    ldap server require strong auth = no
>>>>>    client ldap sasl wrapping = plain
>>>>>
>>>>> [root at squints ~]# getent passwd jsadowski
>>>>> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
>>>>>
>>>>> however from an ubuntu machine with the same smb.conf it looks like so
>>>>> OS:ubuntu-16.04
>>>>> SAMBA:4.3.11
>>>>> root at daddles:~# getent passwd jsadowski
>>>>> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
>>>>>
>>>>> which is how AD shows it as well.
>>>>>
>>>>> Did something change in newer versions of samba that I need to add
>>>>> more config options?
>>>>>
>>>>
>>>> Yes, there have been changes and no, you don't have to use them and
>>>> they wouldn't cause your problem.
>>>>
>>>> Your smb.conf shows you are using the 'ad' backend and you say you are
>>>> using the same smb.conf on both machines.
>>>>
>>>> So, why are there these different:
>>>>
>>>> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
>>>> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
>>>>
>>>> Which RFC2307 attributes have you added to AD ?
>>>> The above user seems to have the same uidNumber, but Domain Users
>>>> seems to have two different gidNumbers (8513 and 8000), the
>>>> unixHomeDirectory also has two identities, as does loginShell
>>>>
>>>> Rowland
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list