[Samba] Controlling [homes] path to obey /etc/passwd while using winbind
frank picabia
fpicabia at gmail.com
Tue May 24 19:58:57 UTC 2022
On Tue, May 24, 2022 at 4:29 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 2022-05-24 at 15:12 -0300, frank picabia via samba wrote:
> > Using winbind, security of ADS, I'm finding my path in [homes]
> > wants to be /home/MYDOMAIN/username
> > according to what is logged.
> >
> > When I run 'getent passwd | grep username'
> > it returns the proper local passwd entry with the local home
> > directory.
>
> That is your problem there, you do not have the same username in
> /etc/passwd and AD, you just have them in AD.
> If 'fred' is in /etc/passwd and there is a user called 'fred' in AD,
> they are NOT the same user, and the user in /etc/passwd will be used
> before the user in AD.
>
> The default for the user home path in smb.conf is /home/%D/%U, where
> '%D' is the DOMAIN and '%U' is the username
> >
> > In older samba, %H was working for me, but in Debian Bullseye
> > I'm having difficulty. Omitting path from homes isn't a solution
> > either.
>
> If you are using '[homes]' then you must not set the path parameter.
>
> >
> > I really need the home directory from local Linux passwd file
> > because my home directories are not as simple as /home/%U
>
> No, you don't, you need to delete all your users from /etc/passwd and
> ensure they are created in AD.
>
>
This makes no sense in our environment. We have over 20,000 users in AD.
Only a handful of them use our Linux servers, but it's always changing
since it's an academic setting. We also have different Linux servers
that do completely different things, like running a CMS vs
providing a home dir to Comp Sci students. Setting their home directory,
shell, and so on should happen on the local level, not in AD.
This has worked before using the local path information in /etc/passwd.
Samba in this new environment is 4.13.13
All we really want to do with AD is authenticate. That's how this
configuration has worked for decades.
We have to tweak once in a while as new versions require, but eventually we
get it running with our homedir being left defined on each server.
> Any ideas?
>
> Please post the output of 'testparm -s'
>
>
Sure, it's fairly basic. Someone here, perhaps you, had
helped get a config running for another Debian system
a few weeks back.
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
bind interfaces only = Yes
disable spoolss = Yes
dns proxy = No
interfaces = eno1
load printers = No
log file = /var/log/samba/%m.log
logging = file
max log size = 100
panic action = /usr/share/samba/panic-action %d
printcap name = /dev/null
realm = AD.MYDOMAIN.CA
security = ADS
server string = %h server
template shell = /bin/bash
winbind expand groups = 2
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = MYDOMAIN
idmap config mydomain : range = 70000-9999999999
idmap config mydomain : backend = rid
idmap config * : range = 69998-69999
idmap config * : backend = tdb
hosts allow = 111.222.
printing = bsd
[homes]
comment = Home Directories
create mask = 0700
directory mask = 0700
read only = No
valid users = %U
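The disagreement above comes down to which NSS source answers the lookup for a login name, and what [homes] then does with the answer. The following script is an added illustration written for this page, not Samba's code and not something either poster supplied: it models the 'files' then 'winbind' NSS order, winbind's synthesised entry for an AD user (uid from the rid backend, home from 'template homedir', whose Samba default is /home/%D/%U, and the posted 'template shell'), and the [homes] rule that a share with no 'path' serves the NSS home directory while a 'path' is %-substituted. The /etc/passwd lines, the AD user list and the RID values are constructed for the example; the workgroup MYDOMAIN, the 70000 range base and /bin/bash are taken from the posted testparm output. A name such as 'fred' that exists in both sources is reported as a collision, since that is the case where two different identities share a login name and the resolved uid and home depend purely on lookup order.

```python
"""Added model (not Samba's code) of how a [homes] share path is derived.

Assumptions, all constructed for illustration:
- NSS consults 'files' before 'winbind' (nsswitch.conf: passwd: files winbind).
- winbind synthesises AD users from 'template homedir' (Samba's default is
  /home/%D/%U) and 'template shell', with uids from the 'rid' idmap backend
  (uid = range base + RID).
- The sample /etc/passwd content and the AD user list are constructed here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DOMAIN = "MYDOMAIN"                # workgroup from the posted smb.conf
RID_BASE = 70000                   # low end of 'idmap config mydomain : range'
TEMPLATE_HOMEDIR = "/home/%D/%U"   # Samba default for 'template homedir'
TEMPLATE_SHELL = "/bin/bash"       # 'template shell' from the posted smb.conf

# Constructed sample of /etc/passwd: 'fred' is a local account whose home is
# deliberately not of the simple /home/<user> form.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
fred:x:1001:1001:Fred Local:/srv/cs/students/f/fred:/bin/bash
"""

# Constructed sample of AD accounts (name -> RID). 'fred' also exists in AD,
# which is the name collision the thread is about.
AD_USERS: Dict[str, int] = {"fred": 3001, "alice": 3002}


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str
    source: str  # which NSS source answered: 'files' or 'winbind'


def substitute(template: str, user: str, domain: str,
               home: Optional[str] = None) -> str:
    """Expand the subset of smb.conf variables used here: %U, %D and %H."""
    out = template.replace("%U", user).replace("%D", domain)
    if home is not None:
        out = out.replace("%H", home)
    return out


def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    """Parse /etc/passwd-style lines into entries tagged as coming from 'files'."""
    entries: Dict[str, PasswdEntry] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        entries[name] = PasswdEntry(name, int(uid), int(gid), home, shell, "files")
    return entries


def winbind_getpwnam(name: str) -> Optional[PasswdEntry]:
    """Model of winbind's NSS answer for an AD user (rid backend + templates)."""
    rid = AD_USERS.get(name)
    if rid is None:
        return None
    uid = RID_BASE + rid
    home = substitute(TEMPLATE_HOMEDIR, name, DOMAIN)
    return PasswdEntry(name, uid, uid, home, TEMPLATE_SHELL, "winbind")


def nss_getpwnam(name: str, order=("files", "winbind")) -> Optional[PasswdEntry]:
    """The first NSS source in 'order' that knows the name wins, as getent does."""
    local = parse_passwd(LOCAL_PASSWD)
    for source in order:
        if source == "files" and name in local:
            return local[name]
        if source == "winbind":
            entry = winbind_getpwnam(name)
            if entry is not None:
                return entry
    return None


def homes_path(entry: PasswdEntry, path_param: Optional[str] = None) -> str:
    """[homes] with no 'path' serves the user's NSS home directory; with a
    'path' it serves that string after %-substitution (%H = NSS home)."""
    if path_param is None:
        return entry.home
    return substitute(path_param, entry.name, DOMAIN, entry.home)


def name_collisions() -> List[str]:
    """Names present both locally and in AD: two different identities sharing
    a login name, so the resolved uid and home depend on NSS lookup order."""
    local = parse_passwd(LOCAL_PASSWD)
    return sorted(n for n in local if n in AD_USERS)


if __name__ == "__main__":
    for user in ("fred", "alice"):
        e = nss_getpwnam(user)
        print(f"{user}: uid={e.uid} home={e.home} via {e.source}; "
              f"[homes] without path -> {homes_path(e)}; "
              f"with path=/home/%D/%U -> {homes_path(e, '/home/%D/%U')}")
    print("collisions:", name_collisions())
```

On a real member server the equivalent check is to compare 'getent passwd fred' against 'getent -s files passwd fred' and 'wbinfo -i fred', and to look at the uid each returns: if the uid differs between the sources, the same login name maps to two identities, and whichever source nsswitch.conf lists first decides the home directory Samba sees.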