On Wed, August 10, 2016 03:59, Rowland Penny wrote:
> On Tue, 9 Aug 2016 22:22:55 -0400
> "James B. Byrne via samba" <samba at lists.samba.org> wrote:
>>
>> I have zero experience with this so my question may appear fairly
>> naive. What about user home directories and shells on *NIX hosts
>> other than the AD-DC? I read somewhere that user UNIX Attributes
>> other than UID and GID are not implemented in Samba.
>>
>> My use-case would be sshd session authentication on a remote host
>> using an AD-DC PAM module.
>>
>
> I think you have misunderstood this, if you use a Samba AD DC as a
> fileserver, then winbindd only uses the uidNumber & gidNumber
> attributes. On a Unix domain member, winbindd will use all available
> RFC2307 attributes, including loginShell & unixHomeDirectory.
>

You are correct. I did not know this. So that I can get this clear in
my own head let me restate this case by case:

1. Logon to AD from a Windows OS domain member. User obtains UID and GID
from LDAP but ignores the shell (there is no alternative to MS-Windows on
the client) and the home directory (which is the user's home drive share
or local drive in any case).

2. Logon to AD from a *NIX OS domain member. User obtains UID, GID,
shell, and home directory path from AD.

Is this correct?

Is there a reference as to how UNIX hosts are added to the Domain
(SSSD?) or is that unnecessary? I ask because one of my goals is to
implement a single sign-on for our Unix host users via the Samba AD.
These machines come and go but not with any great frequency. Many are
themselves virtualised. Most are accessed via ssh or using OPENVPN
(which will be certificate based anyway).

I am hoping that adding the PAM AD authentication will alleviate some
of the tediousness of setting up temporary hosts for an unknown number
of users. Respecting which, are there references to any scripts that
can be run to automatically set up a user's home directory upon first
login to an AD authenticated *NIX host?

Sincerely,

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
On Wed, 10 Aug 2016 11:16:36 -0400
"James B. Byrne via samba" <samba at lists.samba.org> wrote:

> You are correct. I did not know this. So that I can get this clear in
> my own head let me restate this case by case:
>
> 1. Logon to AD from a Windows OS domain member. User obtains UID,
> GID from LDAP but ignores shell (there is no alternative to MS-Windows
> on the client) and the home directory (which is the USERS home drive
> share or local drive in any case).

No, it is only if you log into the DC that you only get the IDs;
anywhere else you can use the RFC2307 attributes if they are set.

> 2. Logon to AD from a *NIX OS domain member. User obtains UID, GID,
> shell, and home directory path from AD.

Sort of, it all depends on how smb.conf on the domain member is set up.
If you want to obtain the info from AD, it must be in AD and Samba must
be set up to get it. Try reading this wiki page:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

> Is there a reference as to how UNIX hosts are added to the Domain

That is on the wiki page, but it is fairly simple: set up the host
correctly, including smb.conf, and then run:

net ads join -U Administrator

> (SSSD?) or is that unnecessary?

The only place where you may need sssd is on a DC, and then only if you
want to use it as a fileserver along with using the RFC2307 attributes
stored in AD.

> I ask because one of my goals is to
> implement a single sign-on for our Unix host users via the Samba AD.

If you mean storing your Unix users in AD and then allowing them to
login to Unix machines that are joined to the domain, then this is very
possible. The users' home directories don't have to exist, you can set
PAM to create these at login.

> These machines come and go but not with any great frequency. Many are
> themselves virtualised. Most are accessed via ssh or using OPENVPN
> (which will be certificate based anyway).
>
> I am hoping that adding the PAM AD authentication will alleviate some
> of the tediousness of setting up temporary hosts for an unknown number
> of users. Respecting which, are there references to any scripts that
> can be run to automatically set-up a user's home directory upon first
> login to an AD authenticated *NIX host?

You do this by adding this line to /etc/pam.d/common-account:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

Rowland
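The domain-member setup Rowland sketches (smb.conf pointing winbind at the RFC2307 attributes, `net ads join`, and pam_mkhomedir for first-login home directories) as one worked script. This is an added example and not code from the thread or from the Samba project; the workgroup SAMDOM, the realm SAMDOM.EXAMPLE.COM, the idmap ranges and the function names are placeholders chosen here. The smb.conf parameters themselves are real Samba options; `winbind nss info = rfc2307` is the spelling current in 2016, and Samba 4.6 and later use `idmap config DOMAIN : unix_nss_info = yes` instead.

```shell
#!/bin/sh
# Added example, not from the thread: make a Linux host a Samba AD domain
# member whose winbind reads uidNumber, gidNumber, loginShell and
# unixHomeDirectory from AD, and create home directories at first login.
# Workgroup SAMDOM and realm SAMDOM.EXAMPLE.COM are placeholders.

# Render a domain-member smb.conf.  $1 = NetBIOS domain, $2 = Kerberos realm.
render_smb_conf() {
    wg=$1
    realm=$2
    cat <<EOF
[global]
   workgroup = $wg
   realm = $realm
   security = ADS
   log file = /var/log/samba/%m.log
   log level = 1

   # Fallback backend for BUILTIN and for domains without their own block.
   # Its range must not overlap the AD range below.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # Take uidNumber/gidNumber from AD.  A user or group without these
   # attributes gets no ID at all on this host (no silent local allocation).
   idmap config $wg : backend = ad
   idmap config $wg : schema_mode = rfc2307
   idmap config $wg : range = 10000-999999

   # Also take loginShell and unixHomeDirectory from AD; the template
   # values apply only when the attribute is absent.  (Samba 4.6 and later
   # spell this "idmap config $wg : unix_nss_info = yes".)
   winbind nss info = rfc2307
   template shell = /bin/bash
   template homedir = /home/%U

   winbind use default domain = yes
   winbind refresh tickets = yes
EOF
}

# Check that a rendered config contains every setting the RFC2307 lookup
# needs.  Without the domain-specific block winbind would map the domain
# through the "*" tdb backend and hand out different UIDs on every host.
check_smb_conf() {
    conf=$1
    wg=$2
    for key in "security = ADS" \
               "idmap config $wg : backend = ad" \
               "idmap config $wg : schema_mode = rfc2307" \
               "winbind nss info = rfc2307"; do
        if ! printf '%s\n' "$conf" | grep -Fq "$key"; then
            echo "smb.conf is missing: $key" >&2
            return 1
        fi
    done
    return 0
}

# Name service must consult winbind, and a PAM session module creates the
# home directory (the line Rowland gives; umask=0077 keeps homes private).
NSSWITCH_LINES='passwd: files winbind
group:  files winbind'
PAM_MKHOMEDIR_LINE='session required pam_mkhomedir.so skel=/etc/skel/ umask=0022'

# Steps to run as root on the host.  Not executed here: they need a
# reachable DC, working DNS/Kerberos and the winbind packages installed.
join_and_verify() {
    wg=$1
    realm=$2
    user=$3
    render_smb_conf "$wg" "$realm" > /etc/samba/smb.conf
    testparm -s > /dev/null || return 1       # reject a broken config first
    net ads join -U Administrator || return 1
    systemctl restart winbind
    wbinfo -t || return 1                     # machine account trust works
    getent passwd "$user"                     # UID, shell and home from AD
    id "$user"
}
```

After the join, `getent passwd someuser` is the check that matters: if it returns the AD uidNumber, loginShell and unixHomeDirectory, ssh logins will get the same identity on every member host; if it returns nothing, the account lacks the RFC2307 attributes in AD and the `ad` backend refuses to map it, which is the intended failure mode rather than a locally invented UID.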