We use PowerBroker here at work and were wondering why we need it.

I was able to set up a new Linux server using Samba and am able to log in with my Active Directory accounts, but I couldn't figure out how to set the login shells. I have a workaround but would like feedback. In my /etc/samba/smb.conf I have the following:

security = ads
realm = DOMAIN.LONG
workgroup = DOMAIN
idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 1000-999999999
#should not get here
idmap config * : range = 999999998-999999999
idmap config * :backend =rid
template homedir = /nfs/homes/%U
template shell = /nfs/homes/%U/.default_shell
winbind use default domain = yes
restrict anonymous = 2

allowing users to pick their shell using

ln -s /bin/bash ~/.default_shell

or

ln -s /bin/tcsh ~/.default_shell

...

It will be easy to create the .default_shell for each user using a simple script I can run on a machine that has PowerBroker, but I am wondering what others have done to allow users to pick their shell using Samba to authenticate? What are the downsides of doing it the way I did it?

Is there a way to use the loginShell provided by RFC 2307 that I haven't found documented in Samba?

I'm using Samba version 4.1.6 if that makes a difference. I could probably find a way to upgrade if there is support in newer versions.
On 04/12/15 22:43, Jeff Sadowski wrote:
> We use PowerBroker here at work and were wondering why we need it.
>
> I was able to set up a new Linux server using Samba and am able to log in
> with my Active Directory accounts, but I couldn't figure out how to set the
> login shells.
> I have a workaround but would like feedback.
> In my /etc/samba/smb.conf I have the following:
>
> security = ads
> realm = DOMAIN.LONG
> workgroup = DOMAIN
> idmap config DOMAIN : backend = ad
> idmap config DOMAIN : range = 1000-999999999
> #should not get here
> idmap config * : range = 999999998-999999999
> idmap config * :backend =rid
> template homedir = /nfs/homes/%U
> template shell = /nfs/homes/%U/.default_shell
> winbind use default domain = yes
> restrict anonymous = 2
>

Have you considered reading the Samba wiki?

Your 'idmap config' block should look similar to this:

# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999

# idmap config for domain SAMDOM
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-99999

# Use template settings for login shell and home directory
winbind nss info = template
template shell = /nfs/homes/%U/.default_shell
template homedir = /nfs/homes/%U

Though as you seem to be using uidNumber & gidNumber attributes, you could also store the loginShell and unixHomedir in AD as well.

Rowland

> allowing users to pick their shell using
> ln -s /bin/bash ~/.default_shell
> or
> ln -s /bin/tcsh ~/.default_shell
> ...
>
> It will be easy to create the .default_shell for each user using a simple
> script I can run on a machine that has PowerBroker, but I am wondering what
> others have done to allow users to pick their shell using Samba to
> authenticate?
> What are the downsides of doing it the way I did it?
>
> Is there a way to use the loginShell provided by RFC 2307 that I haven't
> found documented in Samba?
>
> I'm using Samba version 4.1.6 if that makes a difference. I could probably
> find a way to upgrade if there is support in newer versions.
Thank you Rowland for looking at it.

I did read the wiki here https://wiki.samba.org/index.php/Idmap_config_ad; that is how I got as far as I did, that and the idmap_ad man page. I could not find how to use the loginShell. Is there a variable I can use for it in the template, or an option to set to use it? loginShell and unixHomedir are not mentioned on the wiki that I could find. I'm good with the templated homedir but curious how to use the unixHomedir.

It seems that the schema_mode = rfc2307 is the default, as it works fine except for the default shells, which I have the workaround for. I think I will move them out of their home directories and set them elsewhere, where users will need to ask to change the shell.

I purposefully set rid as the default backend if one does not exist explicitly for the domain, as it worked better for me. What I did with the default backend should stop the login if the domain isn't explicitly defined.

On Fri, Dec 4, 2015 at 4:00 PM, Rowland penny <rpenny at samba.org> wrote:
> On 04/12/15 22:43, Jeff Sadowski wrote:
>
>> We use PowerBroker here at work and were wondering why we need it.
>>
>> I was able to set up a new Linux server using Samba and am able to log in
>> with my Active Directory accounts, but I couldn't figure out how to set the
>> login shells.
>> I have a workaround but would like feedback.
>> In my /etc/samba/smb.conf I have the following:
>>
>> security = ads
>> realm = DOMAIN.LONG
>> workgroup = DOMAIN
>> idmap config DOMAIN : backend = ad
>> idmap config DOMAIN : range = 1000-999999999
>> #should not get here
>> idmap config * : range = 999999998-999999999
>> idmap config * :backend =rid
>> template homedir = /nfs/homes/%U
>> template shell = /nfs/homes/%U/.default_shell
>> winbind use default domain = yes
>> restrict anonymous = 2
>>
>>
> Have you considered reading the Samba wiki?
>
> Your 'idmap config' block should look similar to this:
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # idmap config for domain SAMDOM
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 10000-99999
>
> # Use template settings for login shell and home directory
> winbind nss info = template
> template shell = /nfs/homes/%U/.default_shell
> template homedir = /nfs/homes/%U
>
> Though as you seem to be using uidNumber & gidNumber attributes, you could
> also store the loginShell and unixHomedir in AD as well.
>
> Rowland
>
>
> allowing users to pick their shell using
>> ln -s /bin/bash ~/.default_shell
>> or
>> ln -s /bin/tcsh ~/.default_shell
>> ...
>>
>> It will be easy to create the .default_shell for each user using a simple
>> script I can run on a machine that has PowerBroker, but I am wondering
>> what
>> others have done to allow users to pick their shell using Samba to
>> authenticate?
>> What are the downsides of doing it the way I did it?
>>
>> Is there a way to use the loginShell provided by RFC 2307 that I haven't
>> found documented in Samba?
>>
>> I'm using Samba version 4.1.6 if that makes a difference. I could probably
>> find a way to upgrade if there is support in newer versions.
>>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
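The downside of the workaround discussed in this thread is that "template shell = /nfs/homes/%U/.default_shell" makes the login shell a path the user controls: a missing or dangling link locks the user out, and the target is never checked against /etc/shells, which other tools (chsh, some PAM and FTP configurations) rely on. The AD-side alternative Rowland alludes to is the smb.conf parameter "winbind nss info = rfc2307" (documented in smb.conf(5)), which makes winbind take loginShell and unixHomeDirectory from the user's AD object instead of the template values. Where the symlink scheme is kept, the script below is an added example, not code from the thread or from Samba: it only creates a .default_shell link when the target is listed in an /etc/shells-style file and is an executable regular file, and it audits an existing home tree for links that point anywhere else. The home base directory and the allowed-shell file are passed as arguments (the thread uses /nfs/homes and the system's /etc/shells; the sample directory names in the usage comment are made up).

```shell
#!/bin/sh
# Added example for the samba-list thread; not part of Samba or the poster's setup.
# Assumptions: homes live under BASE (e.g. /nfs/homes), and ALLOWED is a file in
# /etc/shells format (one absolute shell path per line).

# set_default_shell HOME SHELL ALLOWED
#   Create or replace HOME/.default_shell -> SHELL, but only if SHELL is an exact
#   line in ALLOWED and is an executable regular file. Returns 1 when rejected.
set_default_shell() {
    home=$1; shell=$2; allowed=$3
    # -x: whole-line match, -F: literal string (no regex surprises from user input)
    if ! grep -qxF -- "$shell" "$allowed"; then
        echo "refused: $shell is not listed in $allowed" >&2
        return 1
    fi
    if [ ! -f "$shell" ] || [ ! -x "$shell" ]; then
        echo "refused: $shell is not an executable regular file" >&2
        return 1
    fi
    # -n so an existing symlink is replaced rather than followed into a directory
    ln -sfn -- "$shell" "$home/.default_shell"
}

# audit_default_shells BASE ALLOWED
#   For every BASE/<user>/.default_shell, print "<user>: <target>" when the link
#   target is not in ALLOWED, or flag entries that are not symlinks at all.
#   Returns 0 when every link is acceptable, 1 otherwise.
audit_default_shells() {
    base=$1; allowed=$2; bad=0
    for link in "$base"/*/.default_shell; do
        # skip the unexpanded glob when no home has a .default_shell yet
        [ -e "$link" ] || [ -L "$link" ] || continue
        user=$(basename "$(dirname "$link")")
        if [ ! -L "$link" ]; then
            echo "$user: .default_shell is not a symlink"
            bad=1
            continue
        fi
        target=$(readlink -- "$link")
        if ! grep -qxF -- "$target" "$allowed"; then
            echo "$user: $target"
            bad=1
        fi
    done
    return $bad
}

# Usage (run as the account that owns the home tree, e.g. from the PowerBroker host):
#   . ./default_shell.sh
#   set_default_shell /nfs/homes/alice /bin/bash /etc/shells
#   audit_default_shells /nfs/homes /etc/shells
```

Running audit_default_shells from cron gives a simple detection for users who bypass set_default_shell and re-point the link by hand; it does not stop them, which is why moving the links out of user-writable space, as decided later in the thread, or storing loginShell in AD is the stronger fix.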