
[Samba] Override Linux homedir given by AD


Simon

Oct 30, 2013, 6:27:58 PM


Hi,

I have successfully joined a Debian 7 box to a 2008 R2 Windows Domain
using Samba and Winbind. The Linux uid is pulled from the uidNumber in
Active Directory as is the shell and home dir. PAM is also configured to
create a user's homedir on login.

The trouble is that in AD the homedir is set to '/User' and I don't want
that to be the case on the Debian boxes - I would like to set it as
/home/domain/user.

Can I override the homedir setting on a per-client basis using the
smb.conf?

I have tried using Template homedir = but it doesn't seem to have an
effect.

Thanks
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Trent W. Buck

Oct 30, 2013, 7:39:31 PM
Simon <si...@calmblue.net> writes:

> I have successfully joined a Debian 7 box to a 2008 R2 Windows Domain
> using Samba and Winbind. The Linux uid is pulled from the uidNumber in
> Active Directory as is the shell and home dir. PAM is also configured
> to create a user's homedir on login.
>
> The trouble is that in AD the homedir is set to '/User' and I don't
> want that to be the case on the Debian boxes - I would like to set it
> as /home/domain/user.
>
> Can I override the homedir setting on a per-client basis using the
> smb.conf?

AIUI from other ML correspondents, there are two winbind
implementations -- one for samba3 and one for samba4 -- and the latter
doesn't let you change $HOME at all, as at 4.0.x.

You probably want to look at sssd instead of winbind.

I'm using a samba 4.0.9 AD DC and nss_winbind, and I got
/home/DOMAIN/alice instead of /home/alice, so I just cheated by running
"ln -s . /home/DOMAIN". I don't think that would work for you.

Simon

Oct 31, 2013, 5:40:18 AM


On 2013-10-30 23:39, tren...@gmail.com wrote:

> Simon <si...@calmblue.net> writes:
>
>> I have successfully joined a Debian 7 box to a 2008 R2 Windows Domain
>> using Samba and Winbind. The Linux uid is pulled from the uidNumber in
>> Active Directory as is the shell and home dir. PAM is also configured
>> to create a user's homedir on login.
>>
>> The trouble is that in AD the homedir is set to '/User' and I don't
>> want that to be the case on the Debian boxes - I would like to set it
>> as /home/domain/user.
>>
>> Can I override the homedir setting on a per-client basis using the
>> smb.conf?
>
> AIUI from other ML correspondents, there are two winbinds
> implementations -- one for samba3 and one for samba4 -- and the latter
> doesn't let you change $HOME at all, as at 4.0.x.
>
> You probably want to look at sssd instead of winbind.
>
> I'm using a samba 4.0.9 AD DC and nss_winbind, and I got
> /home/DOMAIN/alice instead of /home/alice, so I just cheated by running
> "ln -s . /home/DOMAIN". I don't think that would work for you.

Thanks, I'm using Samba version 3.6.6,

Leaving sssd aside for a moment (because winbind seems to be working)
are you saying that with 3.6.6 I _should_ be able to override the 'Home
Directory' pulled from the AD?

My current config:

#=== Global Settings ===
[global]

netbios name = "$hostname"
server string = Samba Server %v on (%L)

#=== Logging Options ===

log level = 3
# logs split per machine
log file = /var/log/samba/%m.log
# max 50KB per log file, then rotate
max log size = 50

#=== Domain Members Options ===

security = ads
realm = DOMAIN.EXAMPLE.COM
workgroup = DOMAIN
password server = dc.domain.example.com
client ntlmv2 auth = yes
restrict anonymous = 2

idmap config * : range = 500-999
idmap config "$domainMs" : backend = ad
idmap config "$domainMs" : schema_mode = rfc2307
idmap config "$domainMs" : readonly = yes
idmap config "$domainMs" : range = 1000-4294967295
idmap negative cache time = 20

winbind cache time = 600
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind expand groups = 2
winbind use default domain = yes
winbind offline logon = true

#=== Browser Control Options ===

local master = no
preferred master = no
os level = 0" >> /etc/samba/smb.conf
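
Added example (not part of the thread, and not Samba code): a small Python model of how Samba 3.x winbind chooses between the home directory stored in AD and "template homedir", following the "winbind nss info" description in smb.conf(5). The sample config is constructed from the lines posted above; DOMAIN, the user simon, the AD value /User/simon and the "template homedir" line are assumptions.

```python
import configparser

# Constructed sample: the homedir-relevant lines of the smb.conf posted above,
# with "$domainMs" written out as DOMAIN, plus an assumed "template homedir"
# line standing in for the one the poster says had no effect.
SMB_CONF = """\
[global]
security = ads
workgroup = DOMAIN
idmap config DOMAIN : backend = ad
idmap config DOMAIN : schema_mode = rfc2307
winbind nss info = rfc2307
template homedir = /home/%D/%U
"""


def load_global(text):
    """Parse smb.conf text and return the [global] parameters as a dict."""
    cp = configparser.RawConfigParser(
        delimiters=("=",), comment_prefixes=("#", ";"), strict=False)
    # Samba parameter names are case-insensitive; normalise case and spacing.
    cp.optionxform = lambda key: " ".join(key.lower().split())
    cp.read_string(text)
    return dict(cp["global"])


def homedir_source(params):
    """Say where Samba 3.x winbind takes home directory and shell from."""
    # smb.conf(5): "template" (the default) uses template homedir/shell;
    # rfc2307, sfu and sfu20 read the attributes from the directory instead.
    mode = params.get("winbind nss info", "template").strip().lower()
    return "template" if mode == "template" else "directory"


def effective_homedir(params, user, ad_home):
    """Model the home directory winbind would hand to NSS for `user`."""
    if homedir_source(params) == "directory":
        return ad_home  # template homedir is not consulted in this mode
    template = params.get("template homedir", "/home/%D/%U")
    return template.replace("%D", params.get("workgroup", "")).replace("%U", user)


if __name__ == "__main__":
    posted = load_global(SMB_CONF)
    local = {**posted, "winbind nss info": "template"}
    print("as posted:", effective_homedir(posted, "simon", "/User/simon"))
    print("template: ", effective_homedir(local, "simon", "/User/simon"))
```

With "winbind nss info = template" the login shell also comes from "template shell", whose default is /bin/false, so that has to be set as well. The "idmap config ... backend = ad" lines keep supplying uidNumber in either mode.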

steve

Oct 31, 2013, 5:56:39 AM
Hi
Just a few thoughts.

I'm assuming it's not an option to add the correct unixHomeDirectory
attribute in AD? Too many users perhaps?

Also, not possible to link from what you have set in AD to the real data
using wide links?

In sssd you can set:
ldap_user_home_directory =
and then set the homedir in smb.conf

I don't think you can do that with winbind.
HTH
Steve

Daniel Müller

Oct 31, 2013, 6:02:16 AM
smb.conf:

logon script= %a.bat

where %a is substituted with the client's OS.
Google for "samba %a"

-----------------------------------------------
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mue...@tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------
-----Original Message-----
From: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] On
behalf of Simon
Sent: Thursday, 31 October 2013 10:40
To: sa...@lists.samba.org
Subject: Re: [Samba] Override Linux homedir given by AD

steve

Oct 31, 2013, 6:03:55 AM
On Wed, 2013-10-30 at 22:27 +0000, Simon wrote:
> The Linux uid is pulled from the uidNumber in
> Active Directory

Hi
That's a bad idea and may explain why the homedir is not working. It's
best to leave uidNumber as it is and pull uid as samAccountName.

e.g. you would expect a home directory to be something like:
/home/domain/simon
rather than:
/home/domain/30012673

Cheers,
Steve

Simon

Oct 31, 2013, 6:17:49 AM


On 2013-10-31 09:56, steve wrote:


> Hi
> Just a few thoughts.
>
> I'm assuming it's not an option to add the correct unixHomeDirectory
> attribute in AD? Too many users perhaps?
>
> Also, not possible to link from what you have set in AD to the real data
> using wide links?
>
> In sssd you can set:
> ldap_user_home_directory =
> and then set the homedir in smb.conf
>
> I don't think you can do that with winbind.
> HTH
> Steve

Thanks,

Ideally yes, setting the correct home directory in AD would be my
preference but at the moment I'm unsure as to all the implications of
doing that here.

Creating a local symbolic link from /Users -> /home/DOMAIN/ is actually
quite neat (thanks also Trent) and probably what I'm going to end up
doing for now.

It seems like sssd is the way forward with Linux AD integration but I
haven't had any success yet - on Debian 7, winbind almost works out the
box.

Do you know of any good guides / resources for sssd, perhaps
specifically for Debian?

Simon

Oct 31, 2013, 6:28:17 AM


On 2013-10-31 10:03, steve wrote:

> On Wed, 2013-10-30 at 22:27 +0000, Simon wrote:
>
>> The Linux uid is pulled from the uidNumber in Active Directory
>
> Hi
> That's a bad idea and may explain why the homedir is not working. It's
> best to leave uidNumber as it is and pull uid as samAccountName.
>
> e.g. you would expect a home directory to be something like:
> /home/domain/simon
> rather than:
> /home/domain/30012673
>
> Cheers,
> Steve

Thanks but I'm not sure I follow,

At the moment when I log on with an AD account that has not logged in
before the user's home is created in /User and then if I run the command
'id' the uid matches the attribute called uidNumber in AD.

Is this not good?

steve

Oct 31, 2013, 6:28:33 AM
On Thu, 2013-10-31 at 10:17 +0000, Simon wrote:
> Do you know of any good guides / resources for sssd, perhaps
> specifically for Debain?

https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
and
http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html

Unfortunately, Debian is still in the dark ages with sssd. Although the
old versions work OK, to get the new ad backend, you'll need to build
it. Version 1.11.2 was released today:
https://fedorahosted.org/released/sssd/sssd-1.11.2.tar.gz
HTH
Steve

steve

Oct 31, 2013, 6:43:03 AM
On Thu, 2013-10-31 at 10:28 +0000, Simon wrote:
>
> On 2013-10-31 10:03, steve wrote:
>
> > On Wed, 2013-10-30 at 22:27 +0000, Simon wrote:
> >
> >> The Linux uid is pulled from the uidNumber in Active Directory
> >
> > Hi
> > That's a bad idea and may explain why the homedir is not working. It's
> > best to leave uidNumber as it is and pull uid as samAccountName.
> >
> > e.g. you would expect a home directory to be something like:
> > /home/domain/simon
> > rather than:
> > /home/domain/30012673
> >
> > Cheers,
> > Steve
>
> Thanks but I'm not sure I follow,
>
> At the moment when I log on with an AD account that has not logged in
> before the users home is created in /User and then if I run the command
> 'id' the uid matches the attribute called uidNumber in AD.
>
> Is this not good?

In LDAP and AD, we should be careful with what we map to what. uid is a
name that corresponds to a uidNumber:
Here I am in AD:
id steve2
uid=3000021(steve2) gid=20513(Domain Users) groups=20513(Domain Users)

my uid is pulled from AD by samAccountName (steve2)
my uidNumber is pulled from AD as uidNumber (3000021)

So that users can easily identify themselves as a name rather than a
number we usually map passwd uid to samAccountName and do nothing with
uidNumber.

You are mapping uid to uidNumber, which I don't think is what you want.
Cheers,

Rowland Penny

Oct 31, 2013, 6:45:07 AM
On 31/10/13 10:28, Simon wrote:
>
>
> On 2013-10-31 10:03, steve wrote:
>
>> On Wed, 2013-10-30 at 22:27 +0000, Simon wrote:
>>
>>> The Linux uid is pulled from the uidNumber in Active Directory
>> Hi
>> That's a bad idea and may explain why the homedir is not working. It's
>> best to leave uidNumber as it is and pull uid as samAccountName.
>>
>> e.g. you would expect a home directory to be something like:
>> /home/domain/simon
>> rather than:
>> /home/domain/30012673
>>
>> Cheers,
>> Steve
> Thanks but I'm not sure I follow,
>
> At the moment when I log on with an AD account that has not logged in
> before the users home is created in /User and then if I run the command
> 'id' the uid matches the attribute called uidNumber in AD.
>
> Is this not good?
Hi, I think that there is some confusion here, uid seems to be getting
mistaken for uidNumber. uid is the user's name and uidNumber is the user's
uid number (obviously), if you create a user through ADUC and then add
the UNIX attributes you get both, uid which is the same as the username
or samAccountName and the uidNumber.

Rowland

L.P.H. van Belle

Oct 31, 2013, 6:50:33 AM
Hai,

I've seen sssd 1.11.1 in Ubuntu Saucy.

Can I use that one also, aka has somebody tried that?
If not, I'll go rebuild this for Ubuntu Precise and test it.
Any options/parameters I need for compile? Special options?

Best regards,

Louis



>-----Original message-----
>From: st...@steve-ss.com [mailto:samba-...@lists.samba.org]
>On behalf of steve
>Sent: Thursday 31 October 2013 11:29
>To: sa...@lists.samba.org
>Subject: Re: [Samba] Override Linux homedir given by AD
>
>On Thu, 2013-10-31 at 10:17 +0000, Simon wrote:
>> Do you know of any good guides / resources for sssd, perhaps
>> specifically for Debain?
>
>https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
>and
>http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html
>
>Unfortunately, Debian is still in the dark ages with sssd. Although the
>old versions work OK, to get the new ad backend, you'll need to build
>it. Version 1.11.2 was released today:
>https://fedorahosted.org/released/sssd/sssd-1.11.2.tar.gz
>HTH
>Steve

Simon

Oct 31, 2013, 6:56:24 AM


On 2013-10-31 10:45, Rowland Penny wrote:

> On 31/10/13 10:28, Simon wrote:
>> On 2013-10-31 10:03, steve wrote:
>>> On Wed, 2013-10-30 at 22:27 +0000, Simon wrote:
>>>> The Linux uid is pulled from the uidNumber in Active Directory
>>> Hi
>>> That's a bad idea and may explain why the homedir is not working. It's
>>> best to leave uidNumber as it is and pull uid as samAccountName.
>>>
>>> e.g. you would expect a home directory to be something like:
>>> /home/domain/simon
>>> rather than:
>>> /home/domain/30012673
>>>
>>> Cheers,
>>> Steve
>> Thanks but I'm not sure I follow,
>>
>> At the moment when I log on with an AD account that has not logged in
>> before the users home is created in /User and then if I run the command
>> 'id' the uid matches the attribute called uidNumber in AD.
>>
>> Is this not good?
> Hi, I think that there is some confusion here, uid seems to be getting
> mistaken for uidNumber. uid is the usersname and uidNumber is the users
> uid number (obviously), if you create a user through ADUC and then add
> the UNIX attributes you get both, uid which is the same as the username
> or samAccountName and the uidNumber.
>
> Rowland

Thanks, that makes sense. Although looking through the attributes in
this AD there is no uid. I'm fairly confident that the configuration is
ok as id does return uid=xxx(username). But I might be wrong.

Rowland Penny

Oct 31, 2013, 7:52:18 AM
On 31/10/13 10:50, L.P.H. van Belle wrote:
> Hai,
>
> I've seen sssd 1.11.1 in ubuntu saucy.
>
> Can i use that one also, aka somebody tried that.
> If not, i'll go rebuild this for ubuntu precise and test it.
> any options/parameters i need for compile? special options ?
>
> Best regards,
>
> Louis
>
Hi Louis, don't bother, there is a ppa:

nano /etc/apt/sources.list

Add:

# sssd
deb http://ppa.launchpad.net/sssd/updates/ubuntu precise main
deb-src http://ppa.launchpad.net/sssd/updates/ubuntu precise main

gpg --keyserver subkeys.pgp.net --recv B9BF7660CA45F42B

gpg --export --armor CA45F42B | sudo apt-key add -

apt-get update
apt-get -y install sssd sssd-tools

Rowland

Rowland Penny

Oct 31, 2013, 7:59:15 AM
If you use samba-tool to add a user, you do not get the 'uid' attribute,
but as I said, if you create a user with ADUC on windows and then add
the Unix attributes you do. So if you need the 'uid' attribute, you will
have to add it with an ldif and ldbmodify.

You are still mixing up windows 'uid' and Linux 'uid'. On windows 'uid'
is the username, on Linux it is the user's number.