
[Samba] template shell RFC2307 loginShell


Jeff Sadowski

Dec 4, 2015, 5:50:03 PM
We use power broker here at work and were wondering why we need it.

I was able to set up a new Linux server using Samba and am able to log in
with my Active Directory accounts, but I couldn't figure out how to set the
login shells.
I have a workaround but would like feedback.
In my /etc/samba/smb.conf I have the following:

security = ads
realm = DOMAIN.LONG
workgroup = DOMAIN
idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 1000-999999999
#should not get here
idmap config * : range = 999999998-999999999
idmap config * :backend =rid
template homedir = /nfs/homes/%U
template shell = /nfs/homes/%U/.default_shell
winbind use default domain = yes
restrict anonymous = 2


allowing users to pick their shell using
ln -s /bin/bash ~/.default_shell
or
ln -s /bin/tcsh ~/.default_shell
...

It will be easy to create the .default_shell for each user using a simple
script I can run on a machine that has power broker, but I am wondering what
others have done to allow users to pick their shell using Samba to
authenticate?
What are the downsides of doing it the way I did it?

Is there a way to use the loginShell provided by RFC2307 that I haven't
found documented in Samba?

I'm using samba version 4.1.6 if that makes a difference. I could probably
find a way to upgrade if there is support in newer versions.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland penny

Dec 4, 2015, 6:10:03 PM
On 04/12/15 22:43, Jeff Sadowski wrote:
> We use power broker here at work and were wondering why we need it.
>
> I was able to set up a new Linux server using Samba and am able to log in
> with my Active Directory accounts, but I couldn't figure out how to set the
> login shells.
> I have a workaround but would like feedback.
> In my /etc/samba/smb.conf I have the following:
>
> security = ads
> realm = DOMAIN.LONG
> workgroup = DOMAIN
> idmap config DOMAIN : backend = ad
> idmap config DOMAIN : range = 1000-999999999
> #should not get here
> idmap config * : range = 999999998-999999999
> idmap config * :backend =rid
> template homedir = /nfs/homes/%U
> template shell = /nfs/homes/%U/.default_shell
> winbind use default domain = yes
> restrict anonymous = 2
>

Have you considered reading the Samba wiki?
Your 'idmap config' block should look similar to this:

# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999

# idmap config for domain SAMDOM
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-99999

# Use template settings for login shell and home directory
winbind nss info = template
template shell = /nfs/homes/%U/.default_shell
template homedir = /nfs/homes/%U

Though as you seem to be using uidNumber & gidNumber attributes, you
could also store the loginShell and unixHomedir in AD as well.

Rowland

Jeff Sadowski

Dec 4, 2015, 10:00:04 PM
I see what I missed now, the
winbind nss info = rfc2307
option. Ahhh, I will try that Monday.

On Fri, Dec 4, 2015 at 7:47 PM, Jeff Sadowski <jeff.s...@gmail.com> wrote:

> Thank you Rowland for looking at it.
> I did read the wiki here https://wiki.samba.org/index.php/Idmap_config_ad
> that is how I got as far as I did; that and the idmap_ad man page. I could
> not find how to use the loginShell; is there a variable I can use for it in
> the template or an option to set to use it? loginShell and unixHomedir are
> not mentioned on the wiki that I could find. I'm good with the templated
> homedir but curious how to use the unixHomedir. It seems that the schema_mode
> = rfc2307 is the default, as it works fine except for the default shells,
> which I have the workaround for. I think I will move them out of their home
> directories and set them elsewhere, where users will need to ask to change
> the shell. I purposefully set rid as the default backend if one does not
> exist explicitly for the domain, as it worked better for me. What I did with
> the default backend should stop the login if the domain isn't explicitly
> defined.

Jeff Sadowski

Dec 4, 2015, 10:00:04 PM
Thank you Rowland for looking at it.
I did read the wiki here https://wiki.samba.org/index.php/Idmap_config_ad
that is how I got as far as I did; that and the idmap_ad man page. I could
not find how to use the loginShell; is there a variable I can use for it in
the template or an option to set to use it? loginShell and unixHomedir are
not mentioned on the wiki that I could find. I'm good with the templated
homedir but curious how to use the unixHomedir. It seems that the schema_mode
= rfc2307 is the default, as it works fine except for the default shells,
which I have the workaround for. I think I will move them out of their home
directories and set them elsewhere, where users will need to ask to change
the shell. I purposefully set rid as the default backend if one does not
exist explicitly for the domain, as it worked better for me. What I did with
the default backend should stop the login if the domain isn't explicitly
defined.


Rowland penny

Dec 5, 2015, 4:40:04 AM
Samba AD as standard comes with the ability to add RFC2307 attributes to
a user or group (see here for more info:
https://www.ietf.org/rfc/rfc2307.txt).
What this means is, if you give a user a uidNumber and at least 'Domain
Users' a gidNumber, then the user will become visible on a Unix domain
member (aka Unix workstation).
If you study the list of attributes on the link above, you will find
that there are more attributes available; amongst them are loginShell
and homeDirectory. The first is where you can store the user's login
shell (obviously), but there is a problem with the second: AD already
has an attribute with the same name to store the user's Windows home
directory path, so this became unixHomeDirectory and is where you can
store the user's Unix home directory.
If you require more info on the RFC2307 attributes, please ask.

Now, as for the 'idmap config' block and which to use, this is down to
the sysadmin (i.e. you) and is based on what you require.
There are several backends available, but only two are regularly used,
the 'ad' and 'rid' backends. Let's deal with the 'rid' backend first;
this is used if you don't want (or need) to add RFC2307 attributes to
AD. Your users & groups will be mapped to a number inside the range you
set, i.e. idmap config SAMDOM:range = 10000-99999. It uses an algorithm
to create the IDs from the user/group RID and as long as you use the
same 'idmap config' block on every Unix machine, you will get the same
Unix ID on every Unix machine. The downside is that you cannot set
individual homedirs & shells for users and will have to use the template
lines in smb.conf.

The 'ad' backend is different, it uses the RFC2307 attributes for the
user/group IDs, this does of course mean that you have to add a
uidNumber attribute containing a unique number to any users that you
need to be visible to Unix *and* add a gidNumber to Domain Users at
least. These numbers must be inside the range you set in smb.conf, any
numbers outside the range will be ignored.
You can go further with the 'ad' backend: you can add the loginShell
attribute containing the user's shell (/bin/bash for instance), and you can
also add the unixHomeDirectory attribute containing the path to the
user's home directory. To use these, you would also need to have the line
'winbind nss info = rfc2307' in smb.conf. If you don't want to add these
further attributes, you can add 'winbind nss info = template' instead
and also add the template lines.

You need these lines in smb.conf:
idmap config *:backend = tdb
idmap config *:range = 2000-9999

These lines are where Samba will store the mappings for the builtin
users & groups, without these, it is very unlikely Samba will work
correctly.

Again, any questions, please ask.

Rowland

Jeff Sadowski

Dec 7, 2015, 10:50:05 AM
I finally got to test it and it works OK.
Something really strange is occurring though.

It works well as follows, except for groups, but I'll look at that later as
I see others have mentioned some issues with groups.
Here is my /etc/samba/smb.conf:

security = ads
realm = DOMAIN.LONG
workgroup = DOMAIN
idmap config * : backend = tdb
idmap config * : range = 900-999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 1000-99999
idmap config DOMAIN:schema_mode = rfc2307
winbind nss info = rfc2307
winbind use default domain = yes
# so that the users show up in getent
winbind enum users = Yes
# doesn't seem to do the same for groups :-/
winbind enum groups = Yes
restrict anonymous = 2

What is strange is when I use the ranges like so

idmap config * : range = 1000-9999
idmap config DOMAIN:range = 10000-99999

only a small fraction of my users show up when I do a "getent passwd"
they all seem to show up when I do a "wbinfo -u"
and all my users uids are over 10000

when I set it back to

idmap config * : range = 900-999
idmap config DOMAIN:range = 1000-99999

I see all my users


So going further I find that when I run "id" as myuser I didn't see all my
groups but if I ran "id myuser" I did see all my users
So I tried

idmap config * : range = 100000-1099999
idmap config DOMAIN:range = 0-99999

and now when I run "id" as myuser I see all my groups

Jeff Sadowski

Dec 7, 2015, 11:10:04 AM
Bad testing for groups.
Working with many systems, I found I must have been testing on another
system than what I was configuring.

idmap config * : range = 100000-1099999
idmap config DOMAIN:range = 0-99999

worked no different to me from

idmap config * : range = 900-999
idmap config DOMAIN:range = 1000-99999

so I will set it back.


Rowland penny

Dec 7, 2015, 11:30:03 AM
You posted that you were using Samba version 4.1.6, this usually means
Ubuntu, in which case: 0-999 is reserved for the system users & groups
(root etc), 1000 upwards is where you should be putting your local Unix
users & groups. This means that you shouldn't really use any number
under a '1000' for AD users & groups and you should also leave a small
space for local users & groups, hence the advice on the wiki is to use
'2000-9999' for your builtin AD users & groups and to use '10000'
upwards for your AD users & groups.

This means if you give 'Domain Users' the gidNumber of '10000' and then
give your users uidNumbers starting from '10000' and use the 'idmap
config' block from the wiki, you will be able to see all your users &
groups via getent. Note that 'getent group' will not show anything, but
'getent group Domain\ Users' will.

You can start both your user & group IDs from '10000', there is no
reason to use different ranges.

Using wbinfo to show users works differently to getent: using 'wbinfo
-u' to show your users ensures that winbind can connect to AD, but you need
to use getent to make sure that your OS can connect to AD. If getent
doesn't show your user or group, then the OS will not know about it.

Rowland


Jeff Sadowski

Dec 7, 2015, 2:00:03 PM
But that doesn't work for me. As I was saying,
if I set it like that I only see 7 domain users with getent passwd.
Experimenting, I see that if I set

idmap config * : range = 2000-7999
idmap config DOMAIN:range = 8000-99999

I see all my users.

which is really odd because all my users have uids above 10000.

What other troubleshooting steps can I take to see why this is acting this
way?

I edit /etc/samba/smb.conf
I run a script with the following

service winbind stop
service samba stop
net cache flush
rm -f /var/lib/samba/*.tdb
rm -f /var/lib/samba/group_mapping.ldb
sleep 1
service samba start
service winbind start

then I do
getent passwd|wc -l

########################

when

idmap config DOMAIN:range = 10000-99999

# getent passwd|wc -l
47

when

idmap config DOMAIN:range = 9000-99999

# getent passwd|wc -l
109

when

idmap config DOMAIN:range = 8000-99999

# getent passwd|wc -l
801

that seems to be as many as I can get
still doesn't add up as

# cat /etc/passwd|wc -l
40

# wbinfo -u|wc -l
798

So I should have 838
users.
But no matter what I set idmap config DOMAIN:range to I don't see any more
than 801 users with getent passwd

Rowland penny

Dec 7, 2015, 2:10:04 PM
OK, let's step back a bit here, can you confirm:
All your users have a uidNumber attribute containing a unique number
between 10000 and 99999?
Does 'Domain Users' have a gidNumber attribute containing a number
between 10000 and 99999?

Any user that doesn't have a uidNumber, or one outside the 10000-99999
will be ignored, could this be your problem?

What OS is the client running on and what is the AD DC?
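
An added example, not from this thread or from Samba itself, that models the two rules Rowland describes above: under the 'ad' backend a user with no uidNumber, or one outside 'idmap config DOMAIN:range', is ignored, and with 'winbind nss info = rfc2307' the shell and home directory come from loginShell/unixHomeDirectory rather than the template lines. The user records and smb.conf are constructed, and the code assumes that an unset RFC2307 attribute falls back to the template line:

```python
import re

# Constructed sample records shaped like the AD attributes the thread discusses (hypothetical data).
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "uidNumber": "10001", "loginShell": "/bin/tcsh"},
    {"sAMAccountName": "bob", "uidNumber": "9102"},        # below the wiki range, like the thread's lowest uid
    {"sAMAccountName": "carol", "uidNumber": "8921272"},   # above 99999, like the thread's highest uid
    {"sAMAccountName": "guest"},                           # no uidNumber at all
]

SMB_CONF = """\
idmap config * : range = 2000-9999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 10000-99999
winbind nss info = rfc2307
template shell = /nfs/homes/%U/.default_shell
template homedir = /nfs/homes/%U
"""

def parse_smb_conf(text):
    """Map 'key = value' lines to a dict; spacing around ':' in idmap keys is normalised away."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[re.sub(r"\s*:\s*", ":", key).lower()] = value
    return conf

def resolve(user, conf, domain="DOMAIN"):
    """Return (uid, shell, home) as winbind would expose it, or None when idmap_ad ignores the user."""
    uid = user.get("uidNumber")
    if uid is None:
        return None                       # no uidNumber: never visible on the Unix member
    lo, hi = (int(x) for x in conf[f"idmap config {domain.lower()}:range"].split("-"))
    if not lo <= int(uid) <= hi:
        return None                       # uidNumber outside the range: silently ignored
    name = user["sAMAccountName"]
    attrs = user if conf.get("winbind nss info") == "rfc2307" else {}
    # Assumption: an unset RFC2307 attribute falls back to the template line.
    return (int(uid),
            attrs.get("loginShell") or conf["template shell"].replace("%U", name),
            attrs.get("unixHomeDirectory") or conf["template homedir"].replace("%U", name))

def audit(users, conf, domain="DOMAIN"):
    """Split users into those getent will list and those it drops, the reconciliation the thread did by hand."""
    visible = {u["sAMAccountName"]: r for u in users if (r := resolve(u, conf, domain))}
    dropped = [u["sAMAccountName"] for u in users if u["sAMAccountName"] not in visible]
    return visible, dropped
```

Running audit() over a real export of uidNumber values against the range from the live smb.conf gives the list of accounts getent will never show, which is the check the thread arrived at with wbinfo and id.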

Jeff Sadowski

Dec 7, 2015, 2:20:03 PM
I had some users with bigger uids than 99999 so I bumped up DOMAIN:range to

idmap config DOMAIN:range = 8000-9999999

# getent passwd|wc -l
806

yeah I got 5 more users

I wrote a simple loop like so

wbinfo -u|while read i; do id $i|cut -d, -f1; done > users_list.txt

puts out some nice errors

id: guest: no such user
id: administrator: no such user
...
I'm going to guess none have the uid variable in ad.



Rowland penny

Dec 7, 2015, 2:30:03 PM
On 07/12/15 19:13, Jeff Sadowski wrote:
> I had some users with bigger uids than 99999 so I bumped up
> DOMAIN:range to
>
> idmap config DOMAIN:range = 8000-9999999
>
> # getent passwd|wc -l
> 806
>
> yeah I got 5 more users
>
> I wrote a simple loop like so
>
> wbinfo -u|while read i; do id $i|cut -d, -f1; done > users_list.txt
>
> puts out some nice errors
>
> id: guest: no such user
> id: administrator: no such user
> ...
> I'm going to guess none have the uid variable in ad.

Probably not, but the two above probably shouldn't have one anyway.

Rowland penny

Dec 7, 2015, 2:40:03 PM
On 07/12/15 19:28, Jeff Sadowski wrote:
> wbinfo -u|while read i; do id $i|cut -d, -f1; done > users_list.txt 2> bad_list.txt
>
> # cat users_list.txt | cut -d'(' -f1|cut -d= -f2|sort -n|head -n 1
> 9102
>
> # cat users_list.txt | cut -d'(' -f1|cut -d= -f2|sort -n|tail -n 1
> 8921272
>
> seems to be my issue thank you.
>
> # cat bad_list.txt |wc -l
> 32
>
> looking through those users I found none had uids or gids but I don't
> care about any of them
>
> # cat users_list.txt | wc -l
> 766
> # cat /etc/passwd|wc -l
> 40
> # getent passwd|wc -l
> 806
>
> yeah the numbers add up
>
> also
> # cat /etc/passwd|wc -l
> 40
> # wbinfo -u|wc -l
> 798
> # cat bad_list.txt |wc -l
> 32
>
> 798+40-32=806
>
> All unseen users have no uids

Great, I think you have got it working :-)

Rowland

Jeff Sadowski

Dec 7, 2015, 2:40:04 PM
wbinfo -u|while read i; do id $i|cut -d, -f1; done > users_list.txt 2> bad_list.txt

# cat users_list.txt | cut -d'(' -f1|cut -d= -f2|sort -n|head -n 1
9102

# cat users_list.txt | cut -d'(' -f1|cut -d= -f2|sort -n|tail -n 1
8921272

seems to be my issue thank you.

# cat bad_list.txt |wc -l
32

looking through those users I found none had uids or gids but I don't care
about any of them

# cat users_list.txt | wc -l
766
# cat /etc/passwd|wc -l
40
# getent passwd|wc -l
806

yeah the numbers add up

also
# cat /etc/passwd|wc -l
40
# wbinfo -u|wc -l
798
# cat bad_list.txt |wc -l
32

798+40-32=806

All unseen users have no uids
