[Samba] Controlling [homes] path to obey /etc/passwd while using winbind

Rowland Penny rpenny at samba.org
Tue May 24 20:22:42 UTC 2022


On Tue, 2022-05-24 at 16:58 -0300, frank picabia via samba wrote:
> On Tue, May 24, 2022 at 4:29 PM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
> 
> > On Tue, 2022-05-24 at 15:12 -0300, frank picabia via samba wrote:
> > > Using winbind, security of ADS, I'm finding my path in [homes]
> > > wants to be /home/MYDOMAIN/username
> > > according to what is logged.
> > > 
> > > When I run 'getent passwd | grep username'
> > > it returns the proper local passwd entry with the local home
> > > directory.
> > 
> > That is your problem there, you do not have the same username in
> > /etc/passwd and AD, you just have them in AD.
> > if 'fred' is in /etc/passwd and there is a user called 'fred' in
> > AD,
> > they are NOT the same user and the user in /etc/passwd will be used
> > before the user in AD.
> > 
> > The default for the user home path in smb.conf is /home/%D/%U,
> > where
> > '%D' is the DOMAIN and '%U' is the username
> > > In older samba, %H was working for me, but in Debian Bullseye
> > > I'm having difficulty.  Omitting path from homes isn't a solution
> > > either.
> > 
> > If you are using '[homes]' then you must not set the path
> > parameter.
> > 
> > > I really need the home directory from local Linux passwd file
> > > because my home directories are not as simple as /home/%U
> > 
> > No, you don't, you need to delete all your users from /etc/passwd
> > and
> > ensure they are created in AD.
> > 
> > 
> This makes no sense in our environment.  We have over 20,000 users in
> AD.
> Only a handful of them use our Linux servers, but it's always
> changing
> since it's an academic setting.  We also have different Linux servers
> that do completely different things, like running a CMS vs
> providing a home dir to Comp Sci students.  Setting their home
> directory,
> shell, and so on should happen on the local level, not in AD.

I am not saying that it cannot happen at local level, just that you
cannot have users in /etc/passwd and AD if you are using 'security =
ADS'.
> 
> This has worked before using the local path information in
> /etc/passwd.
> Samba in this new environment is 4.13.13
> 
> All we really want to do with AD is authenticate.

If you just require authentication, then use sssd, but if you require
any shares (which includes home directories), then you need Samba with
winbind and all that entails, among which is that you do not have users
in /etc/passwd and AD.

>   That's how this
> configuration has worked for decades.
> We have to tweak once in awhile as new versions require, but
> eventually we
> get
> it running with our homedir being left defined on each server.
> 
> 
> > Any ideas?
> > 
> > Please post the output of 'testparm -s'
> > 
> > 
> Sure, it's fairly basic.  Someone here, perhaps you, had
> helped get a config running for another Debian system
> a few weeks back.
> 
> 
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed
> Server role: ROLE_DOMAIN_MEMBER
> 
> Press enter to see a dump of your service definitions
> 
> # Global parameters
> [global]
>         bind interfaces only = Yes
>         disable spoolss = Yes
>         dns proxy = No
>         interfaces = eno1
>         load printers = No
>         log file = /var/log/samba/%m.log
>         logging = file
>         max log size = 100
>         panic action = /usr/share/samba/panic-action %d
>         printcap name = /dev/null
>         realm = AD.MYDOMAIN.CA
>         security = ADS
>         server string = %h server
>         template shell = /bin/bash
>         winbind expand groups = 2
>         winbind refresh tickets = Yes
>         winbind use default domain = Yes
>         workgroup = MYDOMAIN
>         idmap config mydomain : range = 70000-9999999999
>         idmap config mydomain : backend = rid
>         idmap config * : range = 69998-69999
>         idmap config * : backend = tdb
>         hosts allow = 111.222.
>         printing = bsd
> 
> [homes]
>         comment = Home Directories
>         create mask = 0700
>         directory mask = 0700
>         read only = No
>         valid users = %U

If all your users that log into this Samba server use the same homedir
path, then add 'template homedir = /path/to/users_dir/%U' and change
'valid users = %U' in '[homes]' to 'valid users = %S'; this will ensure
that only the user will be able to get into their own homedir.

Rowland
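The two checks Rowland's advice implies, written out as an added example (this is not code from the thread or from the Samba project): one helper audits the `[homes]` and `template homedir` settings in an smb.conf, the other lists local accounts that mask an AD account of the same name. The awk patterns assume the normalized form that `testparm -s` prints (lowercase parameter names, one per line); the config fragments, passwd lines and AD user list below are constructed sample data, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. Sample data below is
# constructed to reproduce the situation discussed, not taken from any host.

# audit_homes_section FILE
# Prints one finding per line for an smb.conf-style file as printed by
# 'testparm -s'; prints nothing when the [homes] share follows the advice
# in the thread. Assumes canonical lowercase parameter names.
audit_homes_section() {
    awk '
        /^[ \t]*\[/ { in_homes = ($0 ~ /^[ \t]*\[homes\][ \t]*$/); next }
        /^[ \t]*(#|;)/ { next }
        in_homes && /^[ \t]*path[ \t]*=/ {
            print "homes: path is set; [homes] must not set path"
        }
        # %U is the session user, so every connecting user is "valid" for
        # every home share. %S is the service name, which for [homes] is the
        # owner of the home, so only that user passes the check.
        in_homes && /^[ \t]*valid users[ \t]*=[ \t]*%U[ \t]*$/ {
            print "homes: valid users = %U does not restrict access; use %S"
        }
        /^[ \t]*template homedir[ \t]*=/ { has_template = 1 }
        END {
            if (!has_template)
                print "global: template homedir not set; winbind uses /home/%D/%U"
        }
    ' "$1"
}

# shadowed_users LOCAL_PASSWD AD_USER_LIST
# Prints every username present both in a passwd-format file and in a list
# of AD users (one per line, as "wbinfo -u" prints; a DOMAIN\ prefix is
# stripped). NSS consults files before winbind, so these AD accounts are
# masked by the local entries, which is the mismatch the thread describes.
shadowed_users() {
    awk -F: '
        FILENAME == ARGV[1] { local[tolower($1)] = 1; next }
        {
            name = tolower($0)
            sub(/\r$/, "", name)
            sub(/^.*\\/, "", name)
            if (name != "" && name in local) print name
        }
    ' "$1" "$2"
}

# write_samples DIR
# Writes constructed inputs: bad.conf has the three problems from the
# thread, good.conf applies the suggested settings, plus a local passwd
# file and an AD user list that overlap on two names.
write_samples() {
    cat > "$1/bad.conf" <<'EOF'
[global]
        security = ADS
        workgroup = MYDOMAIN
        winbind use default domain = Yes

[homes]
        comment = Home Directories
        path = /home/%U
        read only = No
        valid users = %U
EOF
    cat > "$1/good.conf" <<'EOF'
[global]
        security = ADS
        workgroup = MYDOMAIN
        template homedir = /srv/users/%U
        winbind use default domain = Yes

[homes]
        comment = Home Directories
        read only = No
        valid users = %S
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
fred:x:1001:1001:Fred:/srv/cs/fred:/bin/bash
alice:x:1002:1002:Alice:/srv/cs/alice:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
EOF
    cat > "$1/ad_users" <<'EOF'
FRED
bob
MYDOMAIN\alice
EOF
}

# Stand-alone demo over the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "== findings for bad.conf =="
audit_homes_section "$demo_dir/bad.conf"
echo "== findings for good.conf (expect none) =="
audit_homes_section "$demo_dir/good.conf"
echo "== local accounts that mask an AD account =="
shadowed_users "$demo_dir/passwd" "$demo_dir/ad_users"
rm -rf "$demo_dir"
```

On a real member server the same helpers run as `testparm -s 2>/dev/null | audit_homes_section /dev/stdin` and `shadowed_users /etc/passwd <(wbinfo -u)` (the latter in bash); an empty result from both is the state Rowland describes, where the home path comes from `template homedir` and each `[homes]` share admits only its owner.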