[Samba] Fwd: Login shell always /bin/false or whatever template is set in smb.conf

Rowland Penny rpenny at samba.org
Tue Nov 6 21:48:53 UTC 2018

On Tue, 6 Nov 2018 21:28:59 +0000
Adam Cook via samba <samba at lists.samba.org> wrote:

> Hi all,
> I have just set up a Samba AD DC, my first time. Ubuntu Server
> 16.04.5 LTS running Samba 4.3.11-Ubuntu.
> If I add the below to */etc/samba/smb.conf* then the /bin/bash shell
> is applied to all users:
> template shell = /bin/bash
> With *samba-tool user add* I am able to specify the --login-shell
> parameter; however, whatever value I pass here does not seem to apply
> correctly, as confirmed by looking at the result of *getent passwd
> <user>*.
> For example, I remove the template shell option from smb.conf, restart
> samba-ad-dc.service and run the below command:
> samba-tool user add adam --given-name=Adam --surname=Cook --login-shell=/bin/bash
> Then observe the below:
> root@DC:~# getent passwd adam
> LAB\adam:*:3000048:100:Adam Cook:/home/LAB/adam:/bin/false
> Am I missing something? I'm conscious of giving all domain users by
> default a shell. I know I can limit SSH access by AD group but my
> train of thought is that if the --login-shell parameter exists in
> samba-tool then it could work somehow.

Yes, you are totally missing the fact that winbind on a DC doesn't
use the login shell from AD. However, winbind on a Unix domain member does
use the login shell, as long as you use the 'ad' backend.
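
A domain-member smb.conf of the kind the reply refers to, as an added example that is not part of the original thread. The realm name and ID ranges are assumed values, `unix_nss_info` assumes Samba 4.6 or later on the member, and the 'ad' backend only maps users that carry a uidNumber in AD inside the configured range.

```ini
# /etc/samba/smb.conf on a Unix domain member (not on the DC).
# smb.conf has no trailing comments, so each note sits on its own line.
[global]
    security = ADS
    workgroup = LAB
    # Assumed realm for the LAB domain
    realm = LAB.EXAMPLE.COM

    # Default domain: BUILTIN and local accounts
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # 'ad' backend: uidNumber/gidNumber are read from AD (RFC2307 attributes)
    idmap config LAB : backend = ad
    idmap config LAB : schema_mode = rfc2307
    idmap config LAB : range = 10000-999999

    # Samba 4.6+: take loginShell and unixHomeDirectory from AD.
    # On older members the equivalent is: winbind nss info = rfc2307
    idmap config LAB : unix_nss_info = yes

    # Fallback for accounts that have no loginShell attribute:
    # keep it non-interactive so a shell is granted per user, not by default.
    template shell = /bin/false
    template homedir = /home/%D/%U
```

With this layout the value passed to `--login-shell` takes effect on the member for that user only, while every account without the attribute still resolves to `/bin/false` in `getent passwd`.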

