Chris Hastie
2016-Feb-16 09:21 UTC
[Samba] Password changes and syncing passwords with Linux accounts
On 16/02/16 08:38, Rowland penny wrote:
> You are not going to like this, but I am going to say it anyway:
>
> *Remove* any users that are in AD from /etc/passwd (the same goes for
> groups)
>
> All your users & groups should now only exist in AD, you do not need
> or can have, users & groups in AD *and* /etc/passwd & /etc/group.
>
> Your users will only have one password and this will be stored in AD
> in a hidden attribute.

You're right. I don't like it. I don't like it because it leaves things even more broken than before. Specifically, I can no longer log into the Linux box at all. And some, but not all, Samba-based functionality is lost, though I didn't leave it like that long enough to work out exactly what. wbinfo -a someuser%somepassword succeeded, I could browse from a Linux machine with cifs, but some ownCloud external storage using smb failed.

Presumably if I remove users from /etc/passwd then there is something else I need to do to get Linux logins to work again?

Cheers

Chris
Rowland penny
2016-Feb-16 09:32 UTC
[Samba] Password changes and syncing passwords with Linux accounts
On 16/02/16 09:21, Chris Hastie wrote:
> On 16/02/16 08:38, Rowland penny wrote:
>> You are not going to like this, but I am going to say it anyway:
>>
>> *Remove* any users that are in AD from /etc/passwd (the same goes for
>> groups)
>>
>> All your users & groups should now only exist in AD, you do not need
>> or can have, users & groups in AD *and* /etc/passwd & /etc/group.
>>
>> Your users will only have one password and this will be stored in AD
>> in a hidden attribute.
>
> You're right. I don't like it. I don't like it because it leaves
> things even more broken than before. Specifically, I can no longer log
> into the Linux box at all. And some, but not all, Samba-based functionality
> is lost, though I didn't leave it like that long enough to work out
> exactly what. wbinfo -a someuser%somepassword succeeded, I could
> browse from a Linux machine with cifs, but some ownCloud external
> storage using smb failed.
>
> Presumably if I remove users from /etc/passwd then there is something
> else I need to do to get Linux logins to work again?
>
> Cheers
>
> Chris
>

Hi, if you run Samba as an AD DC, this is where your users will exist. For instance, this is my Linux laptop that is joined to an AD domain:

rowland at debnet:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

As you can see, I am known to Linux, *but*

rowland at debnet:~$ cat /etc/passwd | grep rowland
rowland at debnet:~$

returns nothing: I do not exist in /etc/passwd.

I would suggest that you start here:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Some of the info is also applicable if you use a DC as a fileserver, and you will have to click on links to get the full info.

Any further questions, please feel free to ask.

Rowland
Chris Hastie
2016-Feb-16 12:38 UTC
[Samba] Password changes and syncing passwords with Linux accounts
On 16/02/16 09:32, Rowland penny wrote:
> I would suggest that you start here:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> Some of the info is also applicable if you use a DC as a fileserver
> and you will have to click on links to get the full info.

OK. I've done my best to try and understand this. I presume that as the machine is the AD DC it's already a member of the AD. A key point seemed to be nsswitch.conf, which I have changed. Now getent passwd does return all the domain accounts, but all the login shells are returned as /bin/false and home directories as /home/MYDOMAIN/someuser

This is despite the fact that looking directly at the LDAP records my own account says loginShell /bin/bash and unixHomeDirectory /home/chris.

An attempt to login fails because "Could not chdir to home directory /home/MYDOMAIN/chris: No such file or directory" (I'm actually surprised it wasn't the /bin/false that was the deciding factor)

Using

template homedir = /home/%U
template shell = /bin/bash

gets the shell to /bin/bash, but for everyone. But the home directory for all users becomes /home/%U, i.e. no substitution of %U is done. How can I get the shells and home directories to be returned as desired?

Also, the username is always preceded by MYDOMAIN\. Oddly as well, wbinfo -u includes both a 'chris' and a 'MYDOMAIN\chris', and getent passwd returns two separate MYDOMAIN\chris lines. Whether this is a problem I don't know, but there doesn't seem much point in going further until I can at least see sensible shells and home directories.

cheers

Chris
L.P.H. van Belle
2016-Feb-16 12:53 UTC
[Samba] Password changes and syncing passwords with Linux accounts
What you have done is correct. If the server you're talking about is the AD DC, then what you did with the templates is the correct solution. Only the member servers use the AD/LDAP to get the shell and homedir.

So if you have split up your homedir folder into multiple folders, well, merge it into one, or keep only the users which are allowed to login with ssh in /home/username. For this reason I use the following layout:

/home/users/MyUsers for all AD users
/home/Myusers for normal Linux users.

'chris' and a 'MYDOMAIN\chris'

I'm guessing you added a user "chris" in /etc/passwd and 'MYDOMAIN\chris' is the user in the AD. Remove the chris from /etc/passwd, and create, for example, admchris as a backup account for logins.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Chris Hastie
> Sent: Tuesday 16 February 2016 13:38
> To: samba at lists.samba.org
> Subject: Re: [Samba] Password changes and syncing passwords with Linux
> accounts
>
> On 16/02/16 09:32, Rowland penny wrote:
> > I would suggest that you start here:
> >
> > https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> >
> > Some of the info is also applicable if you use a DC as a fileserver
> > and you will have to click on links to get the full info.
>
> OK. I've done my best to try and understand this. I presume that as the
> machine is the AD DC it's already a member of the AD. A key point seemed
> to be nsswitch.conf, which I have changed. Now getent passwd does return
> all the domain accounts, but all the login shells are returned as
> /bin/false and home directories as /home/MYDOMAIN/someuser
>
> This is despite the fact that looking directly at the LDAP records my
> own account says loginShell /bin/bash and unixHomeDirectory /home/chris.
> An attempt to login fails because "Could not chdir to home directory
> /home/MYDOMAIN/chris: No such file or directory" (I'm actually surprised
> it wasn't the /bin/false that was the deciding factor)
>
> Using
> template homedir = /home/%U
> template shell = /bin/bash
>
> gets the shell to /bin/bash, but for everyone. But the home directory
> for all users becomes /home/%U, i.e. no substitution of %U is done. How
> can I get the shells and home directories to be returned as desired?
>
> Also, the username is always preceded by MYDOMAIN\. Oddly as well,
> wbinfo -u includes both a 'chris' and a 'MYDOMAIN\chris', and getent
> passwd returns two separate MYDOMAIN\chris lines. Whether this is a
> problem I don't know, but there doesn't seem much point in going further
> until I can at least see sensible shells and home directories.
>
> cheers
>
> Chris
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
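A small diagnostic for the split-account state Rowland and Louis warn about, added here as an example and not taken from the thread or from Samba: it reads a copy of /etc/passwd and the saved output of getent passwd, lists accounts that exist both locally and in AD, and flags entries whose shell or home directory came from the template settings rather than from the AD attributes. The sample files are constructed to mirror the symptoms Chris describes.

```shell
# Added example, not from the thread: diagnose the split-account state
# discussed above. Both functions take files in passwd(5) format, i.e. a
# copy of /etc/passwd and the saved output of `getent passwd`.

# Local accounts that also come back from NSS as a *different* entry
# (a DOMAIN\ prefix or another uid): the user exists in both /etc/passwd
# and AD. The local entry echoed back by getent itself is ignored.
overlap_users() {
  awk -F: '
    NR == FNR { loc[$1] = $3; next }             # first file: uid by name
    {
      name = $1
      i = index(name, "\\"); if (i) name = substr(name, i + 1)
      if (!(name in loc) || (name in seen)) next
      if ($1 != name || $3 != loc[name]) { seen[name] = 1; print name }
    }' "$1" "$2"
}

# NSS entries whose shell or home cannot have come from the AD attributes
# loginShell/unixHomeDirectory: a /bin/false shell, a literal %U left
# unexpanded in the home path, or the same name returned twice.
suspect_entries() {
  awk -F: '
    { count[$1]++ }
    $7 == "/bin/false"  { print $1 ": shell is /bin/false (template shell?)" }
    index($6, "%U") > 0 { print $1 ": home has unexpanded %U: " $6 }
    count[$1] == 2      { print $1 ": returned more than once by getent" }
  ' "$1"
}

# Constructed sample data mirroring the symptoms in the thread; on a real
# host use /etc/passwd and `getent passwd > nss.txt` instead.
LOCAL_PASSWD=$(mktemp) ; NSS_PASSWD=$(mktemp)
trap 'rm -f "$LOCAL_PASSWD" "$NSS_PASSWD"' EXIT
cat > "$LOCAL_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
chris:x:1000:1000:Chris:/home/chris:/bin/bash
EOF
cat > "$NSS_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
chris:x:1000:1000:Chris:/home/chris:/bin/bash
MYDOMAIN\chris:*:10001:10001:Chris:/home/%U:/bin/bash
MYDOMAIN\chris:*:10001:10001:Chris:/home/%U:/bin/bash
MYDOMAIN\alice:*:10002:10001:Alice:/home/MYDOMAIN/alice:/bin/false
EOF
echo "Accounts in both local passwd and AD (should be empty):"
overlap_users "$LOCAL_PASSWD" "$NSS_PASSWD"
echo "Entries that look wrong:"
suspect_entries "$NSS_PASSWD"
```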