[Samba] odd UID behaviour in Linux hosts connected to Samba AD

Rowland Penny rpenny at samba.org
Fri Jan 17 10:02:15 UTC 2025 

On Thu, 16 Jan 2025 18:01:27 +0100
Christian Naumer via samba <samba at lists.samba.org> wrote:

> 
> 
> Am 16. Januar 2025 17:50:08 MEZ schrieb Rowland Penny via samba
> <samba at lists.samba.org>:
> >There is no way to give users logging into a DC different shells or
> >home directory paths, not even if you use the rfc2307 attributes. A
> >DC only reads uidNumber & gidNumber attributes from AD.
> >
> 
> That ist not true for me. On our DCs home and shell are red from AD.
> 

In the past, Samba didn't read all the rfc2307 attributes from AD on a
DC, it just read uidNumber & gidNumber attributes, now you say it does,
have I missed something ?

This morning I checked my AD and removed all lingering rfc2307
attributes except for 'gidNumber: 10000' on Domain Users.

I then created a new user with:

sudo samba-tool user add rfcuser xxxxxxxx --nis-domain=samdom
--unix-home=/home/modmas/rfcuser --uid-number=10000
--login-shell=/bin/bash --gid-number=10000

Set 'idmap_ldb:use rfc2307 = Yes' in the DCs smb.conf and restarted
Samba.
Note: there are no 'template' lines in the DCs smb.conf, so the
defaults are used.

Running 'getent passwd rfcuser' on the DC produced this:

SAMDOM\rfcuser:*:10000:100::/home/SAMDOM/rfcuser:/bin/false

Well, it doesn't look like Samba is picking up the shell or home
directory from AD.

I then tried to log into the DC via SSH as 'rfcuser':

rowland at devstation:~$ ssh rfcuser at rpidc1
rfcuser at rpidc1's password: 
Creating directory '/home/SAMDOM/rfcuser'.
Linux rpidc1 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr  3 17:24:16 BST 2023 aarch64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Connection to rpidc1 closed.

I think that proves what I said, a Samba DC only uses the uidNumber &
gidNumber rfc2307 attributes from AD, I set 'unixHomeDirectory' to
'/home/modmas/rfcuser', Samba used the default 'template homedir' of
'/home'%D/%U', I set 'loginShell' to '/bin/bash', Samba used the
default 'template shell' of '/bin/false'.

Rowland

More information about the samba mailing list