Chris Hastie
2016-Feb-16 12:38 UTC
[Samba] Password changes and syncing passwords with Linux accounts
On 16/02/16 09:32, Rowland penny wrote:
> I would suggest that you start here:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> Some of the info is also applicable if you use a DC as a fileserver
> and you will have to click on links to get the full info.

OK. I've done my best to try and understand this. I presume that as the machine is the AD-DC it's already a member of the AD. A key point seemed to be nsswitch.conf, which I have changed. Now getent passwd does return all the domain accounts, but all the login shells are returned as /bin/false and home directories as /home/MYDOMAIN/someuser.

This is despite the fact that looking directly at the LDAP records my own account says loginShell /bin/bash and unixHomeDirectory /home/chris. An attempt to login fails because "Could not chdir to home directory /home/MYDOMAIN/chris: No such file or directory" (I'm actually surprised it wasn't the /bin/false that was the deciding factor).

Using

template homedir = /home/%U
template shell = /bin/bash

gets the shell to /bin/bash, but for everyone. But the home directory for all users becomes /home/%U, i.e. no substitution of %U is done. How can I get the shells and home directories to be returned as desired?

Also, the username is always preceded by MYDOMAIN\. Oddly as well, wbinfo -u includes both a 'chris' and a 'MYDOMAIN\chris', and getent passwd returns two separate MYDOMAIN\chris lines. Whether this is a problem I don't know, but there doesn't seem much point in going further until I can at least see sensible shells and home directories.

cheers

Chris
Rowland penny
2016-Feb-16 13:06 UTC
[Samba] Password changes and syncing passwords with Linux accounts
On 16/02/16 12:38, Chris Hastie wrote:
> On 16/02/16 09:32, Rowland penny wrote:
>> I would suggest that you start here:
>>
>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>
>> Some of the info is also applicable if you use a DC as a fileserver
>> and you will have to click on links to get the full info.
>
> OK. I've done my best to try and understand this. I presume that as
> the machine is the AD-DC it's already a member of the AD. A key point
> seemed to be nsswitch.conf, which I have changed. Now getent passwd
> does return all the domain accounts, but all the login shells are
> returned as /bin/false and home directories as /home/MYDOMAIN/someuser

This is one of the reasons why it is not recommended to use the DC as a fileserver. On a Unix domain member you can use the unixHomeDirectory and loginShell attributes, but on a DC these are ignored, so you need to set the 'template' lines in smb.conf. The only problem is that you cannot have different settings per user.

> This is despite the fact that looking directly at the LDAP records my
> own account says loginShell /bin/bash and unixHomeDirectory
> /home/chris. An attempt to login fails because "Could not chdir to
> home directory /home/MYDOMAIN/chris: No such file or directory" (I'm
> actually surprised it wasn't the /bin/false that was the deciding factor)
>
> Using
> template homedir = /home/%U
> template shell = /bin/bash
>
> gets the shell to /bin/bash, but for everyone. But the home directory
> for all users becomes /home/%U, ie no substitution of %U is done. How
> can I get the shells and home directories to be returned as desired?

Try:

template homedir = /home/%ACCOUNTNAME%

> Also, the username is always preceded by MYDOMAIN\. Oddly as well,
> wbinfo -u includes both a 'chris' and a 'MYDOMAIN\chris', and getent
> passwd returns two separate MYDOMAIN\chris lines. Whether this is a
> problem I don't know, but there doesn't seem much point in going
> further until I can at least see sensible shells and home directories.

If wbinfo and getent are showing duplicate users (note: 'MYDOMAIN\chris' and 'chris' will be treated as the same user), check if the user exists in /etc/passwd and if it does, remove it from /etc/passwd.

Rowland
Chris Hastie
2016-Feb-16 14:07 UTC
[Samba] Password changes and syncing passwords with Linux accounts
On 16/02/2016 13:06, Rowland penny wrote:
> This is one of the reasons why it is not recommended to use the DC as a
> fileserver. On a Unix domain member you can use the unixHomeDirectory
> and loginShell attributes, but on a DC these are ignored, so you need to
> set the 'template' lines in smb.conf. The only problem is that you
> cannot have different settings per user.

That's a shame. Perhaps I'll get around to migrating the DC elsewhere one day, but for now it's going to have to stay.

> Try:
>
> template homedir = /home/%ACCOUNTNAME%

That's done the trick, thanks.

> If wbinfo and getent are showing duplicate users (note:
> 'MYDOMAIN\chris' and 'chris' will be treated as the same user), check if
> the user exists in /etc/passwd and if it does, remove it from /etc/passwd.

Even after removing the users from /etc/passwd I still see two MYDOMAIN\chris entries. What's more, there is an LDAP entry with CN=chris and another with CN=MYDOMAINchris. If I delete the latter, getent returns only one user, MYDOMAIN\chris. But as soon as I log in again on a terminal the duplicate user reappears, as does the cn=MYDOMAINchris in LDAP.

Another issue is that having now successfully logged in using the credentials for chris, I seem to be viewed as being MYDOMAIN\chris. This is a problem at the very least because MYDOMAIN\chris is not in all the groups that chris is. As he is not in admin, I can't sudo.

Cheers

Chris
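The thread above turns on three symptoms visible in `getent passwd` output: a template home directory whose `%U` token was never substituted, accounts coming back with a non-login shell, and the same account listed twice (including a local `chris` in /etc/passwd colliding with the domain's `MYDOMAIN\chris`, which winbind treats as one user). The script below is an added example, not code from the thread or from the Samba project: it parses passwd-format lines and flags each of those conditions so an admin can check the NSS view before trying to log in. The `getent` output it runs on is constructed for illustration, and the function names (`parse_passwd`, `find_issues`) are this example's own.

```python
import re
import sys
from collections import Counter

# Constructed sample of `getent passwd` output on an AD DC with a template
# homedir of /home/%U and a leftover local account. Not real output.
SAMPLE_GETENT = """\
MYDOMAIN\\chris:*:10001:10000:Chris Hastie:/home/%U:/bin/bash
MYDOMAIN\\chris:*:10001:10000:Chris Hastie:/home/%U:/bin/bash
MYDOMAIN\\alice:*:10002:10000:Alice Example:/home/MYDOMAIN/alice:/bin/false
chris:x:1000:1000:Chris Hastie:/home/chris:/bin/bash
"""

# smb.conf template tokens that should never survive into a resolved home
# directory: %U, %D, %ACCOUNTNAME%, and similar.
TEMPLATE_TOKEN = re.compile(r"%[A-Z]+%?")

# Shells that make an interactive login fail.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}


def parse_passwd(text):
    """Parse passwd(5)-format lines into dicts; reject malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def short_name(name):
    """Strip a DOMAIN\\ prefix so MYDOMAIN\\chris and chris compare equal."""
    return name.rsplit("\\", 1)[-1].lower()


def find_issues(entries):
    """Return the account names affected by each of the thread's symptoms."""
    issues = {"unsubstituted_home": [], "nologin_shell": [],
              "exact_duplicates": [], "local_collisions": []}
    for e in entries:
        if TEMPLATE_TOKEN.search(e["home"]):
            issues["unsubstituted_home"].append(e["name"])
        if e["shell"] in NOLOGIN_SHELLS:
            issues["nologin_shell"].append(e["name"])
    # Same name returned more than once (the two MYDOMAIN\chris lines).
    counts = Counter(e["name"] for e in entries)
    issues["exact_duplicates"] = sorted(n for n, c in counts.items() if c > 1)
    # Different spellings that winbind treats as the same user
    # (local 'chris' alongside domain 'MYDOMAIN\chris').
    by_short = {}
    for e in entries:
        by_short.setdefault(short_name(e["name"]), set()).add(e["name"])
    issues["local_collisions"] = sorted(s for s, names in by_short.items()
                                        if len(names) > 1)
    return issues


def report(text):
    """Print one line per finding; returns the issues dict for reuse."""
    issues = find_issues(parse_passwd(text))
    for kind, names in issues.items():
        for n in names:
            print(f"{kind}: {n}")
    return issues


if __name__ == "__main__":
    # Pipe real output in with `getent passwd | python3 this_script.py`;
    # with no piped input the constructed sample is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETENT
    report(data)
```

Once `template homedir = /home/%ACCOUNTNAME%` and `template shell = /bin/bash` are in place and any stray local copies are gone from /etc/passwd, the report should be empty for the domain accounts; any remaining `local_collisions` finding points at exactly the overlap Rowland describes.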