[Samba] Fwd: Login shell always /bin/false or whatever template is set in smb.conf
Rowland Penny
rpenny at samba.org
Tue Nov 6 21:48:53 UTC 2018
On Tue, 6 Nov 2018 21:28:59 +0000
Adam Cook via samba <samba at lists.samba.org> wrote:
> Hi all,
>
> I have just set up a Samba AD DC, my first time. Ubuntu Server
> 16.04.5 LTS running Samba 4.3.11-Ubuntu.
>
> If I add the below to */etc/samba/smb.conf* then the /bin/bash shell
> is applied to all users:
>
> template shell = /bin/bash
>
>
> With *samba-tool user add* I am able to specify --login-shell
> parameter however whatever value I pass here does not seem to apply
> correctly, as confirmed by looking at result of *getent passwd
> <user>*.
>
> For example, I remove the template shell option from smb.conf, restart
> samba-ad-dc.service and run the below command:
>
> samba-tool user add adam --given-name=Adam --surname=Cook
> > --login-shell=/bin/bash
>
>
> Then observe the below:
>
> root at DC:~# getent passwd adam
> > LAB\adam:*:3000048:100:Adam Cook:/home/LAB/adam:/bin/false
>
>
> Am I missing something? I'm conscious of giving all domain users by
> default a shell. I know I can limit SSH access by AD group but my
> train of thought is that if the --login-shell parameter exists in
> samba-tool then it could work somehow.
>
Yes, you are totally missing the fact that winbind on a DC doesn't
use login shell from AD. However, winbind on a Unix domain member does
use the login shell, as long as you use the 'ad' backend.
Rowland
More information about the samba
mailing list