• [Samba] User home and shell lookup on a Samba AD DC

    From Dennis Leeuw via samba@21:1/5 to All on Mon Mar 20 13:40:03 2017
    Hi list,

    I am probably overlooking something, but can not figure out what is
    going on nor can I find something through google.

    I just converted a Samba 4 PDC to Samba 4 AD DC (using the samba
    provided tools). I hooked up a Linux laptop to the network, configured
    winbind, joined the domain and am able to login with my credentials from
    Samba AD. However I can not seem to get it working on the machine
    running the Samba AD.

    The situation:
    Samba AD DC:
    Debian 8.7
    Samba 4.2.14
    smb.conf:
    workgroup = DCDOMAIN
    realm = dc-zone.my.domain
    netbios name = PDC
    server role = active directory domain controller
    idmap_ldb: use rfc2307 = yes
    dns forwarder = 192.168.1.1
    winbind use default domain = yes
    winbind nss info = rfc2307
    allow trusted domain = yes
    logon drive = z:
    logon home = \\pdc\users\%U
    # And then some shares...

    Workstation:
    Ubuntu 14.04 LTS
    samba: 4.3.11
    security = ads
    realm = dc-zone.my.domain
    workgroup = DCDOMAIN
    netbios name = my-client
    allow trusted domain = yes
    winbind use default domain = yes
    winbind nss info = rfc2307
    idmap config DCDOMAIN: backend = ad
    idmap config DCDOMAIN: schema_mode = rfc2307
    idmap config DCDOMAIN: range = 500-799999
    idmap config *: backend = ad
    idmap config *: schema_mode = rfc2307
    idmap config *: range = 800000-999999

    A (simplified) example user entry from the samba LDAP looks like this:
    dn: cn=username,CN=Users,DC=....
    cn: username
    unixHomeDirectory: /home/group/username
    displayName: user A
    loginShell: /bin/bash
    uidNumber: 666
    gidNumber: 999

    /etc/nsswitch.conf on both machines has:
    passwd: compat winbind
    group: compat winbind
    shadow: compat winbind

    On the workstation winbind is running as a standalone /usr/sbin/winbind
    and on the samba AD server /usr/sbin/winbind is running as a subprocess
    of /usr/sbin/samba.

    Running wbinfo -i on the workstation shows: username:*:666:999::/home/group/username:/bin/bash

    Running wbinfo -i on the Samba AD server shows:
    username:*:666:999:user A:/home/DCDOMAIN/username:/bin/false

    getent on both machines shows only the local passwd and group stuff,
    while id on both shows:
    uid=666(username) gid=999(group) groups=555(anothergroup),....

    On the workstation I can login through login and through sshd, on the
    server I can (of course) not since the shell is /bin/false.

    Adding the idmap config settings to the server does not solve the
    problem. Adding security = ads to the server config makes sure samba
    does not start. Adding "template shell = /bin/bash" to the server
    configuration makes wbinfo output show /bin/bash as shell, and I can
    login.

    So somehow the /usr/sbin/winbind samba subprocess retrieves different
    information from the LDAP database. But I can't figure out what I am
    doing wrong (my assumption is that it is somewhere in the
    configuration). Can someone point me in the right direction?
    Questions:
    - Why doesn't the server config retrieve the shell and home directory
    from LDAP?
    - Why doesn't the workstation config retrieve the displayName field from
    LDAP (although this is harmless for now)?

    With kind regards,

    Dennis Leeuw

    --
    DBG-ICT
    UMC Utrecht


    ------------------------------------------------------------------------------


    This message may contain confidential information and is intended exclusively for the addressee. If you receive this message unintentionally, please do not use the contents but notify the sender immediately by return e-mail. University Medical Center Utrecht is a legal person by public law and is registered at
    the Chamber of Commerce for Midden-Nederland under no. 30244197.

    Please consider the environment before printing this e-mail.

    --
    To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Rowland Penny via samba@21:1/5 to Dennis Leeuw via samba on Mon Mar 20 14:10:02 2017
    On Mon, 20 Mar 2017 13:02:38 +0100
    Dennis Leeuw via samba <samba@lists.samba.org> wrote:

    > Hi list,
    >
    > I am probably overlooking something, but can not figure out what is
    > going on nor can I find something through google.
    >
    > I just converted a Samba 4 PDC to Samba 4 AD DC (using the samba
    > provided tools). I hooked up a Linux laptop to the network, configured
    > winbind, joined the domain and am able to login with my credentials
    > from Samba AD. However I can not seem to get it working on the
    > machine running the Samba AD.
    >
    > The situation:
    > Samba AD DC:
    > Debian 8.7
    > Samba 4.2.14

    If you look here:

    https://downloads.van-belle.nl/samba4/samba-4.6.0/

    You will find 4.6.0 amd64 debs, Samba does not support 4.2.x anymore,
    though this doesn't stop you using it.

    > smb.conf:
    >
    > winbind use default domain = yes
    > winbind nss info = rfc2307
    > allow trusted domain = yes
    > logon drive = z:
    > logon home = \\pdc\users\%U

    You might as well remove those lines, they do not work on a DC (Also
    please do not call your DC a PDC, it is confusing)



    > Running wbinfo -i on the workstation shows:
    > username:*:666:999::/home/group/username:/bin/bash
    >
    > Running wbinfo -i on the Samba AD server shows:
    > username:*:666:999:user A:/home/DCDOMAIN/username:/bin/false
    >
    > getent on both machines shows only the local passwd and group stuff,

    Ah, but is this 'getent passwd' or 'getent passwd username' ?

    By default, winbind does not enumerate users and groups.

    > while id on both shows:
    > uid=666(username) gid=999(group) groups=555(anothergroup),....
    >
    > On the workstation I can login through login and through sshd, on the
    > server I can (of course) not since the shell is /bin/false.
    >
    > Adding the idmap config settings to the server does not solve the
    > problem.

    They do nothing on a DC unless you upgrade to 4.6.0 and then they will
    stop 'samba' starting.

    > Adding security = ads to the server config makes sure samba
    > does not start. Adding "template shell = /bin/bash" to the server
    > configuration makes wbinfo output show /bin/bash as shell, and I can
    > login.

    Winbind on a DC, does not extract the users unix home dir and login
    shell, you have to use template lines in smb.conf.

    Rowland



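The two `wbinfo -i` lines quoted in the thread, together with the rfc2307 attributes from the simplified LDAP entry in the first post, are enough for a small consistency check that shows both symptoms discussed above: on the DC the home directory and shell come from template settings rather than from unixHomeDirectory/loginShell (and /bin/false blocks interactive login), while on the workstation the GECOS field stays empty because displayName is not mapped. The Python below is an added example and is not code from the thread or from Samba. It embeds the two output lines and the LDIF entry as constructed sample data; the finding codes and the list of non-login shells are assumptions of this example.

```python
"""Added example: compare what winbind/NSS returns for a user with the rfc2307
attributes stored on the AD user object.

Sample input is constructed from the lines quoted in the thread; nothing here
talks to a real domain. Finding codes are an assumption of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Shells that deny an interactive login (assumed list for this example).
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

# Constructed sample data, copied from the thread.
WORKSTATION_LINE = "username:*:666:999::/home/group/username:/bin/bash"
DC_LINE = "username:*:666:999:user A:/home/DCDOMAIN/username:/bin/false"
USER_LDIF = """\
dn: cn=username,CN=Users,DC=....
cn: username
unixHomeDirectory: /home/group/username
displayName: user A
loginShell: /bin/bash
uidNumber: 666
gidNumber: 999
"""


@dataclass
class PasswdEntry:
    """One line of `wbinfo -i` / `getent passwd <user>` output."""
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd_line(line: str) -> PasswdEntry:
    """Parse name:passwd:uid:gid:gecos:home:shell; the password field is ignored."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(fields)}: {line!r}")
    name, _pw, uid, gid, gecos, home, shell = fields
    return PasswdEntry(name, int(uid), int(gid), gecos, home, shell)


def parse_simple_ldif(text: str) -> Dict[str, str]:
    """Minimal parser for a single-valued, unfolded LDIF entry like the one in the thread."""
    attrs: Dict[str, str] = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {raw!r}")
        attrs[key.strip()] = value.strip()
    return attrs


def check_entry(entry: PasswdEntry, attrs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (code, message) findings where the NSS entry disagrees with the AD attributes."""
    findings: List[Tuple[str, str]] = []
    if entry.uid != int(attrs["uidNumber"]):
        findings.append(("uid", f"uid {entry.uid} != uidNumber {attrs['uidNumber']}"))
    if entry.gid != int(attrs["gidNumber"]):
        findings.append(("gid", f"gid {entry.gid} != gidNumber {attrs['gidNumber']}"))
    if entry.gecos != attrs.get("displayName", ""):
        findings.append(("gecos", f"gecos {entry.gecos!r} != displayName {attrs.get('displayName', '')!r}"))
    if entry.home != attrs["unixHomeDirectory"]:
        findings.append(("home", f"home {entry.home} != unixHomeDirectory {attrs['unixHomeDirectory']}"
                                 " (template homedir rather than the LDAP attribute?)"))
    if entry.shell != attrs["loginShell"]:
        findings.append(("shell", f"shell {entry.shell} != loginShell {attrs['loginShell']}"
                                  " (template shell rather than the LDAP attribute?)"))
    if entry.shell in NOLOGIN_SHELLS:
        findings.append(("nologin", f"shell {entry.shell} denies interactive login"))
    return findings


def finding_codes(line: str, ldif: str = USER_LDIF) -> List[str]:
    """Convenience wrapper: finding codes only, in check order."""
    return [code for code, _ in check_entry(parse_passwd_line(line), parse_simple_ldif(ldif))]


if __name__ == "__main__":
    attrs = parse_simple_ldif(USER_LDIF)
    for label, line in (("workstation", WORKSTATION_LINE), ("DC", DC_LINE)):
        print(f"{label}:")
        for code, msg in check_entry(parse_passwd_line(line), attrs) or [("ok", "matches LDAP")]:
            print(f"  [{code}] {msg}")
```

Run as-is it reports `gecos` for the workstation line and `home`, `shell` and `nologin` for the DC line. On a real host the first input would come from `getent passwd username` (a bare `getent passwd` will not show the domain user, since winbind does not enumerate by default, as the reply notes) and the second from an LDAP search of the user object; a `home` or `shell` finding on a DC is the expected consequence of the template settings Rowland describes, not a sign of a broken idmap.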