Chris Hastie
2016-Feb-16 14:07 UTC
[Samba] Password changes and syncing passwords with Linux accounts
On 16/02/2016 13:06, Rowland penny wrote:
> This is one of the reasons why it is not recommended to use the DC as a
> fileserver. On a Unix domain member you can use the unixHomeDirectory
> and loginShell attributes, but on a DC these are ignored, so you need to
> set the 'template' lines in smb.conf. The only problem is that you
> cannot have different settings per user.

That's a shame. Perhaps I'll get around to migrating the DC elsewhere one day, but for now it's going to have to stay.

> Try: template homedir = /home/%ACCOUNTNAME%

That's done the trick, thanks.

> If wbinfo and getent are showing duplicate users (note:
> 'MYDOMAIN\chris' and 'chris' will be treated as the same user), check if
> the user exists in /etc/passwd and if it does, remove it from /etc/passwd.
>

Even after removing the users from /etc/passwd I still see two MYDOMAIN\chris entries. What's more, there is an LDAP entry with CN=chris and another with CN=MYDOMAINchris. If I delete the latter, getent returns only one user, MYDOMAIN\chris. But as soon as I log in again on a terminal the duplicate user reappears, as does the cn=MYDOMAINchris in LDAP.

Another issue is that, having now successfully logged in using the credentials for chris, I seem to be viewed as being MYDOMAIN\chris. This is a problem at the very least because MYDOMAIN\chris is not in all the groups that chris is. As he is not in admin, I can't sudo.

Cheers

Chris
Rowland penny
2016-Feb-16 14:55 UTC
[Samba] Password changes and syncing passwords with Linux accounts
On 16/02/16 14:07, Chris Hastie wrote:
> On 16/02/2016 13:06, Rowland penny wrote:
>> This is one of the reasons why it is not recommended to use the DC as a
>> fileserver. On a Unix domain member you can use the unixHomeDirectory
>> and loginShell attributes, but on a DC these are ignored, so you need to
>> set the 'template' lines in smb.conf. The only problem is that you
>> cannot have different settings per user.
>
> That's a shame. Perhaps I'll get around to migrating the DC elsewhere
> one day, but for now it's going to have to stay.
>
>> Try: template homedir = /home/%ACCOUNTNAME%
>
> That's done the trick, thanks.
>> If wbinfo and getent are showing duplicate users (note:
>> 'MYDOMAIN\chris' and 'chris' will be treated as the same user), check if
>> the user exists in /etc/passwd and if it does, remove it from
>> /etc/passwd.
>>
> Even after removing the users from /etc/passwd I still see two
> MYDOMAIN\chris entries. What's more there is an LDAP entry with
> CN=chris and another with CN=MYDOMAINchris. If I delete the latter
> getent returns only one user MYDOMAIN\chris. But as soon as I log in
> again on a terminal the duplicate user reappears, as does the
> cn=MYDOMAINchris in LDAP.

This is strange, just logging in shouldn't create a user in AD, and when you see MYDOMAIN\chris this is just winbind, i.e. this is on a DC:

root at dc1:~# getent passwd rowland
SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

and this is on a domain member:

rowland at debnet:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

> Another issue is that having now successfully logged in using the
> credentials for chris I seem to be viewed as being MYDOMAIN\chris.
> This is a problem at the very least because MYDOMAIN\chris is not in
> all the groups that chris is. As he is not in admin, I can't sudo.
>

You need to sort out the user problem before worrying about sudo, but if you are interested, you can store the sudo rules in AD.

How are you logging into the DC that causes the creation of a user in AD?

Rowland
Chris Hastie
2016-Feb-16 15:32 UTC
[Samba] Password changes and syncing passwords with Linux accounts
On 16/02/2016 14:55, Rowland penny wrote:
> This is strange, just logging in shouldn't create a user in AD and when
> you see MYDOMAIN\chris this is just winbind i.e.
>
> How are you logging into the DC that causes the creation of a user in AD ?

From another machine, in an Ubuntu terminal:

ssh chris at dc.domain

No keys, just typing the password when prompted. The only odd thing is that I'm doing it from root, just to avoid ssh using a key if I do it from my own account, since this whole saga started with passwords.