G'day All,

I'm running Centos 7, Samba4.2.2. (SSSD is NOT running (not even installed on the Member Server))

/etc/nsswitch on both:

    passwd: files winbind
    group: files winbind

the winbind libs have been sym-linked as described in the tiki. All seems to be working well on both the DC and Member Server.

Both smb.confs have:

    idmap config *:backend = tdb
    idmap config *:range = 3000000-4000000
    idmap config AD:backend = ad
    idmap config AD:schema_mode = rfc2307
    idmap config AD:range = 600-2999999

    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = Yes

On the DC I've changed winbind to winbindd in the "server services" line, and winbindd starts up as expected.

Can anyone tell me why I get slightly different answers from 'getent passwd [username]' from a DC and a Member Server.

eg: getent passwd fred

DC:

    fred:*:4999:1001:Fred Nerks:/home/AD/fred:/bin/false

On a Member Server:

    fred:*:4999:1001:Fred Nerks:/home/fred:/bin/tcsh

On the DC the HomeDirectory and Shell Fields are not what I defined for user Fred.

On the Member Server, Homedirectory and Shell are what I defined for user Fred.

Why is there a difference?
Felix Matouschek
2015-Jul-02 06:18 UTC
[Samba] Getent Differences on a DC and a Member Server
Hi David,

I experienced this issue as well, it's currently a limitation of Samba 4.2.2.
Samba 4.2.2 DCs do not support pulling home directories and login shells from AD via rfc2307.

I solved this issue with the "template homedir" and "template shell" directives.
You lose some flexibility but at least it works.

Excerpt from my DC smb.conf:

    winbind nss info = rfc2307:MYDOMAIN, template
    template shell = /bin/bash
    template homedir = /home/users/%U

Greetings,
Felix

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of David Minard
Sent: Thursday, 2 July 2015 06:18
To: samba at lists.samba.org
Subject: [Samba] Getent Differences on a DC and a Member Server
Thank you Felix.

On 02/07/15 16:18, Felix Matouschek wrote:
> Hi David,
>
> I experienced this issue as well, it's currently a limitation of Samba 4.2.2.
> Samba 4.2.2 DCs do not support pulling home directories and login shells from AD via rfc2307.
>
> I solved this issue with the "template homedir" and "template shell" directives.
> You lose some flexibility but at least it works.

Lack of flexibility is my main problem. Unfortunately without restructuring how our home directories are set up, I need the flexibility. I need HomeDirectories etc to be pulled from the AD if I'm to retire our current LDAP servers and use Samba4 as a replacement.

> Excerpt from my DC smb.conf:
>
> winbind nss info = rfc2307:MYDOMAIN, template
> template shell = /bin/bash
> template homedir = /home/users/%U
>
> Greetings,
> Felix

Just to clarify, is it only the DC that doesn't return desired values of HomeDirectory and Shell? I ask because my member server is returning the desired values, but I get the impression that it should not be from comments on the list.

Rowland was helping me with winbindd over the last few weeks and I got the impression that my Member Server should not be returning correct HomeDirectory and Shell - but it is - that is why I mentioned that I don't have SSSD installed - nor any other nsswitch back to our current LDAP.

I need to know if what I am seeing is a freak of computing, or expected behaviour.

--
Cheers,
David Minard.
Ph: 0247 360 155
Fax: 0247 360 770

School of Computing, Engineering, and Mathematics
Building Y - Penrith Campus (Kingswood)
Locked bag 1797
Penrith South DC
NSW 1797

[Sometimes waking up just isn't worth the insult of the day to come.]
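
The comparison discussed in this thread can be scripted. This is an added example, not part of any poster's message: it takes the `getent passwd` line for one account from two hosts and names the passwd(5) fields that differ. The function name `passwd_diff` is hypothetical; the two sample lines are the DC and member server output quoted in the thread.

```shell
#!/bin/sh
# Compare two passwd(5)-format lines for the same account, as returned by
# `getent passwd <user>` on two hosts, and report which fields differ.
# Field order per passwd(5): name:passwd:uid:gid:gecos:home:shell

passwd_diff() {
    # $1 = line from host A, $2 = line from host B
    printf '%s\n%s\n' "$1" "$2" | awk -F: '
        BEGIN { split("name passwd uid gid gecos home shell", n, " ") }
        NR == 1 { nf = NF; for (i = 1; i <= 7; i++) a[i] = $i }
        NR == 2 {
            # Both lines must have exactly seven colon-separated fields.
            if (nf != 7 || NF != 7) { print "malformed"; exit }
            out = ""
            for (i = 1; i <= 7; i++)
                if (a[i] != $i) out = out (out == "" ? "" : ",") n[i]
            print (out == "" ? "identical" : out)
        }'
}

# Sample lines taken from the thread (output for user "fred").
DC_LINE='fred:*:4999:1001:Fred Nerks:/home/AD/fred:/bin/false'
MEMBER_LINE='fred:*:4999:1001:Fred Nerks:/home/fred:/bin/tcsh'

result=$(passwd_diff "$DC_LINE" "$MEMBER_LINE")
echo "differing fields: $result"

# uid/gid drift changes file ownership across hosts; home/shell drift
# changes where, and whether, the account gets an interactive login.
case ",$result," in
    *,uid,*|*,gid,*) echo "WARNING: uid/gid mismatch between hosts" ;;
esac
```

In practice the two arguments would be the output of `getent passwd fred` collected on each host.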