Something strange here. User created using:

root@dc1:~# samba-tool user add user7 Abcd1234 --uid-number=1007 --home-directory=/home/user7 --login-shell=/bin/bash
User 'user7' created successfully

I can see the homeDirectory attribute in the entry. But the home directory that winbind returns is just the template one:

root@adclient:~# getent passwd user7
user7:*:1007:70001:user7:/home/ADTEST/user7:/bin/bash

Here is /etc/samba/smb.conf on the adclient machine:

--- 8< ---
[global]

#netbios name = adclient
workgroup = ADTEST
security = ADS
realm = ADTEST.INT.EXAMPLE.NET
encrypt passwords = yes
kerberos method = secrets and keytab

idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config ADTEST:backend = ad
idmap config ADTEST:schema_mode = rfc2307
idmap config ADTEST:range = 500-40000

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
--- 8< ---

This is based on
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Set_up_a_basic_smb.conf
(and notice that it includes "winbind nss info = rfc2307")

The full LDAP record is below. Both machines are ubuntu 14.04, Samba 4.1.6.

Any ideas what I'm doing wrong?

Thanks,

Brian.

------------
root@dc1:~# ldapsearch -b CN=user7,CN=users,DC=adtest,DC=int,DC=example,DC=net
SASL/GSSAPI authentication started
SASL username: user@ADTEST.INT.EXAMPLE.NET
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <CN=user7,CN=users,DC=adtest,DC=int,DC=example,DC=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# user7, Users, adtest.int.example.net
dn: CN=user7,CN=Users,DC=adtest,DC=int,DC=example,DC=net
cn: user7
instanceType: 4
whenCreated: 20140624123352.0Z
whenChanged: 20140624123352.0Z
uSNCreated: 4281
name: user7
objectGUID:: XX+EJB9AHk+JuLSU5PkJDA==
badPwdCount: 0
codePage: 0
countryCode: 0
homeDirectory: /home/user7
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAZ5nUF79P8gY2aC90ZAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: user7
sAMAccountType: 805306368
userPrincipalName: user7@adtest.int.example.net
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=adtest,DC=int,DC=examp
 le,DC=net
uidNumber: 1007
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
pwdLastSet: 130480868320000000
userAccountControl: 512
uSNChanged: 4285
distinguishedName: CN=user7,CN=Users,DC=adtest,DC=int,DC=example,DC=net

# search result
search: 5
result: 0 Success

# numResponses: 2
# numEntries: 1

On 24/06/14 13:41, Brian Candler wrote:
> Something strange here. User created using:
>
> root@dc1:~# samba-tool user add user7 Abcd1234 --uid-number=1007
> --home-directory=/home/user7 --login-shell=/bin/bash
> User 'user7' created successfully
>
> I can see the homeDirectory attribute in the entry. But the home
> directory that winbind returns is just the template one:
>
> root@adclient:~# getent passwd user7
> user7:*:1007:70001:user7:/home/ADTEST/user7:/bin/bash
>
> Here is /etc/samba/smb.conf on the adclient machine:
>
> --- 8< ---
> [global]
>
> #netbios name = adclient
> workgroup = ADTEST
> security = ADS
> realm = ADTEST.INT.EXAMPLE.NET
> encrypt passwords = yes
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config ADTEST:backend = ad
> idmap config ADTEST:schema_mode = rfc2307
> idmap config ADTEST:range = 500-40000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> --- 8< ---
>
> This is based on
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Set_up_a_basic_smb.conf
> (and notice that it includes "winbind nss info = rfc2307")
>
> The full LDAP record is below. Both machines are ubuntu 14.04, Samba
> 4.1.6.
>
> Any ideas what I'm doing wrong?
>
> Thanks,
>
> Brian.
>
> ------------
> root@dc1:~# ldapsearch -b
> CN=user7,CN=users,DC=adtest,DC=int,DC=example,DC=net
> SASL/GSSAPI authentication started
> SASL username: user@ADTEST.INT.EXAMPLE.NET
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <CN=user7,CN=users,DC=adtest,DC=int,DC=example,DC=net> with
> scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # user7, Users, adtest.int.example.net
> dn: CN=user7,CN=Users,DC=adtest,DC=int,DC=example,DC=net
> cn: user7
> instanceType: 4
> whenCreated: 20140624123352.0Z
> whenChanged: 20140624123352.0Z
> uSNCreated: 4281
> name: user7
> objectGUID:: XX+EJB9AHk+JuLSU5PkJDA==
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> homeDirectory: /home/user7
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAAZ5nUF79P8gY2aC90ZAQAAA==
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: user7
> sAMAccountType: 805306368
> userPrincipalName: user7@adtest.int.example.net
> objectCategory:
> CN=Person,CN=Schema,CN=Configuration,DC=adtest,DC=int,DC=examp
> le,DC=net
> uidNumber: 1007
> loginShell: /bin/bash
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> pwdLastSet: 130480868320000000
> userAccountControl: 512
> uSNChanged: 4285
> distinguishedName: CN=user7,CN=Users,DC=adtest,DC=int,DC=example,DC=net
>
> # search result
> search: 5
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>

Your user doesn't have a 'gidNumber', winbind seems to need the 'gidNumber' attribute before it extracts all the user's info from AD.

Rowland

> Your user doesn't have a 'gidNumber', winbind seems to need the
> 'gidNumber' attribute before it extracts all the user's info from AD.

gidNumber seems to be ignored:

root@dc1:~# samba-tool user add user8 Abcd1234 --uid-number=1008 --home-directory=/home/user8 --login-shell=/bin/bash --gid-number=1008

root@adclient:~# getent passwd user8
user8:*:1008:70001:user8:/home/ADTEST/user8:/bin/bash

ldapsearch shows:

...
uidNumber: 1008
gidNumber: 1008
loginShell: /bin/bash
...

Maybe gidNumber has to correspond to a real group object? The "domain users" group is this object:

# Domain Users, Users, adtest.int.example.net
dn: CN=Domain Users,CN=Users,DC=adtest,DC=int,DC=example,DC=net
objectClass: top
objectClass: group
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20140618075445.0Z
whenChanged: 20140618075445.0Z
uSNCreated: 3541
uSNChanged: 3541
name: Domain Users
objectGUID:: tY04KF2fXEyFT/9qBdevHw==
objectSid:: AQUAAAAAAAUVAAAAZ5nUF79P8gY2aC90AQIAAA==
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=adtest,DC=int,DC=exampl
 e,DC=net
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=adtest,DC=int,DC=example,DC=net
distinguishedName: CN=Domain Users,CN=Users,DC=adtest,DC=int,DC=example,DC=net

So do I need to add a gidNumber attribute to this entry? Or create a new group?

Unfortunately I'm doing this without any Windows tools, and "samba-tool group add" doesn't have a --gid-number flag. So I tried adding gidNumber to the group:

root@dc1:~# cat mod.ldif
dn: CN=Domain Users,CN=Users,DC=adtest,DC=int,DC=example,DC=net
changetype: modify
add: gidNumber
gidNumber: 1008
-

root@dc1:~# ldapmodify -f mod.ldif

ldapsearch confirms it's there, but no difference to the result. I also tried adding objectClass: posixGroup to this, still no effect.

Any more suggestions?

Regards,

Brian.

I don't retrieve the source and solution on the Samba wiki page, but I know that there is a trick about home directory management and winbind.

Maybe check template homedir (G) in smb.conf

-----------------------------------
Stéphane PURNELLE
Systems and Network Admin.
IT Department
Corman S.A.
Tel : 00 32 (0)87/342467

samba-bounces at lists.samba.org wrote on 24/06/2014 14:41:35:

> From: Brian Candler <b.candler at pobox.com>
> To: samba at lists.samba.org,
> Date: 24/06/2014 14:42
> Subject: [Samba] winbind: homeDirectory being ignored
> Sent by: samba-bounces at lists.samba.org
>
> Something strange here. User created using:
>
> root@dc1:~# samba-tool user add user7 Abcd1234 --uid-number=1007
> --home-directory=/home/user7 --login-shell=/bin/bash
> User 'user7' created successfully
>
> I can see the homeDirectory attribute in the entry. But the home
> directory that winbind returns is just the template one:
>
> root@adclient:~# getent passwd user7
> user7:*:1007:70001:user7:/home/ADTEST/user7:/bin/bash
>
> Here is /etc/samba/smb.conf on the adclient machine:
>
> --- 8< ---
> [global]
>
> #netbios name = adclient
> workgroup = ADTEST
> security = ADS
> realm = ADTEST.INT.EXAMPLE.NET
> encrypt passwords = yes
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config ADTEST:backend = ad
> idmap config ADTEST:schema_mode = rfc2307
> idmap config ADTEST:range = 500-40000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> --- 8< ---
>
> This is based on
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Set_up_a_basic_smb.conf
> (and notice that it includes "winbind nss info = rfc2307")
>
> The full LDAP record is below. Both machines are ubuntu 14.04, Samba 4.1.6.
>
> Any ideas what I'm doing wrong?
>
> Thanks,
>
> Brian.
>
> ------------
> root@dc1:~# ldapsearch -b
> CN=user7,CN=users,DC=adtest,DC=int,DC=example,DC=net
> SASL/GSSAPI authentication started
> SASL username: user@ADTEST.INT.EXAMPLE.NET
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <CN=user7,CN=users,DC=adtest,DC=int,DC=example,DC=net> with scope
> subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # user7, Users, adtest.int.example.net
> dn: CN=user7,CN=Users,DC=adtest,DC=int,DC=example,DC=net
> cn: user7
> instanceType: 4
> whenCreated: 20140624123352.0Z
> whenChanged: 20140624123352.0Z
> uSNCreated: 4281
> name: user7
> objectGUID:: XX+EJB9AHk+JuLSU5PkJDA==
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> homeDirectory: /home/user7
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAAZ5nUF79P8gY2aC90ZAQAAA==
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: user7
> sAMAccountType: 805306368
> userPrincipalName: user7@adtest.int.example.net
> objectCategory:
> CN=Person,CN=Schema,CN=Configuration,DC=adtest,DC=int,DC=examp
> le,DC=net
> uidNumber: 1007
> loginShell: /bin/bash
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> pwdLastSet: 130480868320000000
> userAccountControl: 512
> uSNChanged: 4285
> distinguishedName: CN=user7,CN=Users,DC=adtest,DC=int,DC=example,DC=net
>
> # search result
> search: 5
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
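
Added example (not code from the thread or from the Samba project): a check that takes the member's idmap ranges and a getent passwd line from the messages above and reports which idmap range each numeric ID falls in, and whether the home directory is the template path rather than the LDAP homeDirectory. The function names are hypothetical, and it assumes `template homedir` is left at Samba's default `/home/%D/%U`, since the posted smb.conf does not set it.

```python
import re

# Constructed inputs: idmap backend/range lines and getent output copied from the thread.
SMB_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config ADTEST:backend = ad
idmap config ADTEST:range = 500-40000
"""
GETENT_LINE = "user7:*:1007:70001:user7:/home/ADTEST/user7:/bin/bash"
LDAP_HOME = "/home/user7"  # homeDirectory value shown by ldapsearch

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def idmap_domains(conf):
    """Parse 'idmap config DOM:key = value' lines into {DOM: {key: value}}."""
    domains = {}
    # Lines that do not match (comments, other parameters) are skipped.
    for m in filter(None, map(IDMAP_RE.match, conf.splitlines())):
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        if key == "range":
            val = tuple(int(x) for x in val.split("-"))
        domains.setdefault(dom, {})[key] = val
    return domains


def owner_of(xid, domains):
    """Return (domain, backend) whose configured range contains xid, else None."""
    for dom, cfg in domains.items():
        low, high = cfg.get("range", (1, 0))
        if low <= xid <= high:
            return dom, cfg.get("backend")
    return None


def diagnose(getent_line, conf, ldap_home, domain="ADTEST"):
    """Say which idmap range supplied uid/gid and whether home is the template."""
    name, _pw, uid, gid, _gecos, home, _shell = getent_line.split(":")
    domains = idmap_domains(conf)
    return {
        "uid_from": owner_of(int(uid), domains),
        "gid_from": owner_of(int(gid), domains),
        # Assumption: template homedir is unset, so the default /home/%D/%U applies.
        "home_is_template": home == f"/home/{domain}/{name}",
        "home_matches_ldap": home == ldap_home,
    }


print(diagnose(GETENT_LINE, SMB_CONF, LDAP_HOME))
```

For user7 it reports the uid inside the ADTEST (ad) range, the gid inside the `*` (tdb) range, and a home directory equal to the template path instead of the LDAP value.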