
Re: [Samba] User home and shell lookup on a Samba AD DC

On Mon, 20 Mar 2017 13:02:38 +0100
Dennis Leeuw via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi list,
> I am probably overlooking something, but can not figure out what is 
> going on nor can I find something through google.
> I just converted a Samba 4 PDC to Samba 4 AD DC (using the Samba 
> provided tools). I hooked up a Linux laptop to the network, configured 
> winbind, joined the domain and am able to log in with my credentials
> from Samba AD. However I can not seem to get it working on the
> machine running the Samba AD.
> The situation:
> Samba AD DC:
> Debian 8.7
> Samba 4.2.14

If you look here:


You will find 4.6.0 amd64 debs, Samba does not support 4.2.x anymore,
though this doesn't stop you using it.

> smb.conf:

> winbind use default domain = yes
> winbind nss info = rfc2307
> allow trusted domain = yes
> logon drive = z:
> logon home = \\pdc\users\%U

You might as well remove those lines, they do not work on a DC (Also
please do not call your DC a PDC, it is confusing)

> Running wbinfo -i on the workstation shows:
> username:*:666:999::/home/group/username:/bin/bash
> Running wbinfo -i on the Samba AD server shows:
> username:*:666:999:user A:/home/DCDOMAIN/username:/bin/false
> getent on both machines shows only the local passwd and group stuff, 

Ah, but is this 'getent passwd' or 'getent passwd username' ?

By default, winbind does not enumerate users and groups.

> while id on both shows:
> uid=666(username) gid=999(group) groups=555(anothergroup),....
> On the workstation I can login through login and through sshd, on the 
> server I can (of course) not since the shell is /bin/false.
> Adding the idmap config settings to the server does not solve the
> problem.

They do nothing on a DC unless you upgrade to 4.6.0 and then they will
stop 'samba' starting.

> Adding security = ads to the server config makes sure samba
> does not start. Adding  "template shell = /bin/bash" to the server
> configuration makes wbinfo output show /bin/bash as shell, and I can
> login.

Winbind on a DC does not extract the user's unix home dir and login
shell, you have to use template lines in smb.conf.


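An added check for the template-line point made in the reply above (this script is not from the original thread or from the Samba project): it reads an smb.conf, reports whether `template shell` and `template homedir` are set in [global], and flags the lines the reply says are ignored on a DC. The sample configuration embedded below is constructed for the example.

```shell
#!/bin/sh
# Constructed smb.conf fragment for a Samba AD DC (example input, not from the post).
SMBCONF_SAMPLE='[global]
    workgroup = DCDOMAIN
    realm = DCDOMAIN.EXAMPLE
    server role = active directory domain controller
    winbind use default domain = yes
    logon home = \\pdc\users\%U
    template shell = /bin/bash
'

# Print the value of a [global] key read from stdin; key match is case-insensitive,
# whitespace around "=" is ignored, comment lines (# or ;) are skipped.
smbconf_get() {  # $1 = key name
    awk -v want="$1" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { insec = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        insec && index($0, "=") {
            key = $0; sub(/=.*/, "", key); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (tolower(key) == tolower(want)) { print val; exit }
        }'
}

# Read smb.conf from stdin. Returns 0 when both template lines are present, 1 otherwise.
# Without them winbind on a DC falls back to /bin/false and /home/DOMAIN/user, which
# is exactly the wbinfo -i output the post shows on the DC.
check_dc_templates() {
    conf=$(cat)
    rc=0
    for key in "template shell" "template homedir"; do
        val=$(printf '%s\n' "$conf" | smbconf_get "$key")
        if [ -z "$val" ]; then
            echo "MISSING: $key"; rc=1
        else
            echo "OK: $key = $val"
        fi
    done
    # Lines the reply says do nothing on a DC: report them so they can be removed.
    for key in "logon home" "logon drive" "winbind nss info" "winbind use default domain"; do
        val=$(printf '%s\n' "$conf" | smbconf_get "$key")
        [ -n "$val" ] && echo "IGNORED on a DC: $key = $val"
    done
    return $rc
}
```

Run it against a real file with `check_dc_templates < /etc/samba/smb.conf`; a non-zero exit means a template line is missing.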