[Samba] RFC2307: login shell is always /bin/false

Arne Zachlod arne at nerdkeller.org
Mon Jan 18 14:20:27 UTC 2021


Hello List,

for anyone interested, I just solved it. My smb.conf of the 
terminalserver was missing a crucial line:

template shell = /bin/sh

Once again, reading the manual saved the day.

- Arne

On 1/14/21 1:19 PM, Arne Zachlod via samba wrote:
> Hello List,
> 
> I'm trying to connect a Linux based Terminal server to my Samba AD DC. 
> The Domain was provisioned with samba 4.3 with the --use-rfc2307 command 
> line attribute.
> 
> In Windows, I configured a login shell for my users, but when doing 
> "getent passwd DOMAIN\\arne", I get /bin/false as a login shell:
> arne:*:10001:10000:Arne Zachlod:/home/DOMAIN/arne:/bin/false
> 
> I double checked everything from the wiki, but maybe I missed something? 
> Is this even how it's supposed to work?
> 
> I also attached my smb.conf of my DC, as you will probably ask for it 
> anyway, as well as the smb.conf from the terminalserver (samba domain 
> member).
> 
> Thanks
> Arne
> 
> smb.conf DC:
> ========================
> # Global parameters
> [global]
>      workgroup = DOMAIN
>      realm = int.domain.de
>      netbios name = ADDC01
>      server role = active directory domain controller
>      dns forwarder = 10.1.1.1
>      idmap_ldb:use rfc2307 = yes
>      server signing = Auto
> 
> [netlogon]
>      path = /var/lib/samba/sysvol/int.domain.de/scripts
>      read only = No
> 
> [sysvol]
>      path = /var/lib/samba/sysvol
>      read only = No
> 
> 
> smb.conf terminalserver:
> ========================
> [global]
>      netbios name = TS01
>      security = ADS
>      workgroup = DOMAIN
>      realm = INT.DOMAIN.DE
> 
>      logfile = /var/log/samba/%m.log
>      log level = 1
> 
>      # Default idmap config used for BUILTIN and local windows accounts/groups
>      idmap config *:backend = tdb
>      idmap config *:range = 2000-9999
> 
>      # idmap config for domain DOMAIN
>      idmap config DOMAIN:backend = ad
>      idmap config DOMAIN:schema_mode = rfc2307
>      idmap config DOMAIN:range = 10000-99999
> 
>      # Use settings from AD for login shell and home directory
>      winbind nss info = rfc2307
> 
>      winbind enum users = yes
>      winbind enum groups = yes
>      winbind use default domain = yes
>      winbind refresh tickets = yes
> 
>      # disable printing
>      load printers = no
>      printing = bsd
>      printcap name = /dev/null
>      disable spoolss = yes
> 
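
An added example, not part of the original post or of Samba: `template shell` is set once for the whole domain member, so after changing it a reviewer may want to see which accounts in the DOMAIN idmap range now resolve to an interactive shell. The helper name `audit_shells`, the status labels and every sample line except the `arne` entry are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Classifies passwd(5) entries
# whose UID lies in the DOMAIN idmap range (10000-99999 in the posted smb.conf).

# audit_shells TEMPLATE_SHELL [MIN_UID] [MAX_UID]   (hypothetical helper name)
# stdin: passwd-format lines, e.g. from `getent passwd` on the domain member.
# stdout: "STATUS user uid shell", STATUS being one of
#   NOLOGIN   shell refuses interactive login (/bin/false, */nologin)
#   TEMPLATE  shell equals the template shell value passed as $1
#   CUSTOM    any other shell, so it cannot come from the template
audit_shells() {
    awk -F: -v tmpl="$1" -v min="${2:-10000}" -v max="${3:-99999}" '
        NF != 7 || $3 !~ /^[0-9]+$/ { next }          # skip malformed lines
        $3 + 0 < min + 0 || $3 + 0 > max + 0 { next } # not a DOMAIN account
        {
            shell = ($7 == "") ? "/bin/sh" : $7       # passwd(5): empty means /bin/sh
            if (shell == "/bin/false" || shell ~ /\/nologin$/) status = "NOLOGIN"
            else if (shell == tmpl)                        status = "TEMPLATE"
            else                                           status = "CUSTOM"
            print status, $1, $3, shell
        }'
}

# Constructed sample input; only the "arne" line is taken from the post.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
localsvc:*:2001:2000:Constructed local account:/nonexistent:/bin/sh
arne:*:10001:10000:Arne Zachlod:/home/DOMAIN/arne:/bin/false
user2:*:10002:10000:Constructed User:/home/DOMAIN/user2:/bin/sh
user3:*:10003:10000:Constructed Admin:/home/DOMAIN/user3:/bin/bash
svc1:*:10004:10000:Constructed Service:/home/DOMAIN/svc1:/usr/sbin/nologin
EOF
}

sample_passwd | audit_shells /bin/sh
```

On the terminal server itself, `getent passwd | audit_shells /bin/sh` gives the same report for real accounts, since the posted configuration has `winbind enum users = yes`.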