Rowland Penny
2022-May-24 19:28 UTC
[Samba] Controlling [homes] path to obey /etc/passwd while using winbind
On Tue, 2022-05-24 at 15:12 -0300, frank picabia via samba wrote:
> Using winbind, security of ADS, I'm finding my path in [homes]
> wants to be /home/MYDOMAIN/username
> according to what is logged.
>
> When I run 'getent passwd | grep username'
> it returns the proper local passwd entry with the local home
> directory.

That is your problem there, you do not have the same username in /etc/passwd and AD, you just have them in AD. If 'fred' is in /etc/passwd and there is a user called 'fred' in AD, they are NOT the same user and the user in /etc/passwd will be used before the user in AD.

The default for the user home path in smb.conf is /home/%D/%U, where '%D' is the DOMAIN and '%U' is the username.

> In older samba, %H was working for me, but in Debian Bullseye
> I'm having difficulty. Omitting path from homes isn't a solution
> either.

If you are using '[homes]' then you must not set the path parameter.

> I really need the home directory from local Linux passwd file
> because my home directories are not as simple as /home/%U

No, you don't, you need to delete all your users from /etc/passwd and ensure they are created in AD.

> Any ideas?

Please post the output of 'testparm -s'

Rowland
frank picabia
2022-May-24 19:58 UTC
[Samba] Controlling [homes] path to obey /etc/passwd while using winbind
On Tue, May 24, 2022 at 4:29 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 2022-05-24 at 15:12 -0300, frank picabia via samba wrote:
> > Using winbind, security of ADS, I'm finding my path in [homes]
> > wants to be /home/MYDOMAIN/username
> > according to what is logged.
> >
> > When I run 'getent passwd | grep username'
> > it returns the proper local passwd entry with the local home
> > directory.
>
> That is your problem there, you do not have the same username in
> /etc/passwd and AD, you just have them in AD.
> if 'fred' is in /etc/passwd and there is a user called 'fred' in AD,
> they are NOT the same user and the user in /etc/passwd will be use
> before the user in AD.
>
> The default for the user home path in smb.conf is /home/%D/%U, where
> '%D' is the DOMAIN and '%U' is the username
>
> > In older samba, %H was working for me, but in Debian Bullseye
> > I'm having difficulty. Omitting path from homes isn't a solution
> > either.
>
> If you are using '[homes]' then you must not set the path parameter.
>
> > I really need the home directory from local Linux passwd file
> > because my home directories are not as simple as /home/%U
>
> No, you don't, you need to delete all your users from /etc/passwd and
> ensure they are created in AD.
>

This makes no sense in our environment. We have over 20,000 users in AD. Only a handful of them use our Linux servers, but it's always changing since it's an academic setting. We also have different Linux servers that do completely different things, like running a CMS vs providing a home dir to Comp Sci students. Setting their home directory, shell, and so on should happen on the local level, not in AD. This has worked before using the local path information in /etc/passwd. Samba in this new environment is 4.13.13.

All we really want to do with AD is authenticate. That's how this configuration has worked for decades. We have to tweak once in a while as new versions require, but eventually we get it running with our homedir being left defined on each server.

> > Any ideas?
>
> Please post the output of 'testparm -s'
>

Sure, it's fairly basic. Someone here, perhaps you, had helped get a config running for another Debian system a few weeks back.

Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
        bind interfaces only = Yes
        disable spoolss = Yes
        dns proxy = No
        interfaces = eno1
        load printers = No
        log file = /var/log/samba/%m.log
        logging = file
        max log size = 100
        panic action = /usr/share/samba/panic-action %d
        printcap name = /dev/null
        realm = AD.MYDOMAIN.CA
        security = ADS
        server string = %h server
        template shell = /bin/bash
        winbind expand groups = 2
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        workgroup = MYDOMAIN
        idmap config mydomain : range = 70000-9999999999
        idmap config mydomain : backend = rid
        idmap config * : range = 69998-69999
        idmap config * : backend = tdb
        hosts allow = 111.222.
        printing = bsd

[homes]
        comment = Home Directories
        create mask = 0700
        directory mask = 0700
        read only = No
        valid users = %U
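The collision Rowland describes, and the /home/%D/%U path frank sees in his logs, both come down to two mechanisms neither message spells out: glibc NSS tries the sources on the 'passwd:' line of /etc/nsswitch.conf in order and stops at the first hit (so with 'files' ahead of 'winbind', a local 'fred' shadows an AD 'fred'), and for AD users that winbind does answer, the home directory is whatever 'template homedir' expands to, which defaults to /home/%D/%U and is not overridden in the smb.conf frank posted. Because his config also has 'winbind use default domain = Yes', AD names come back without a MYDOMAIN\ prefix, which is exactly what makes the two 'fred's collide. The script below is an added example, not code from the thread or from the Samba project: it simulates that lookup order over constructed nsswitch.conf, /etc/passwd and AD data so the shadowing is visible. It does not try to explain why smbd logged the winbind path while getent returned the local entry; the rid-to-uid arithmetic is simplified and the user names and RIDs are invented.

```python
"""Added example (not from the thread or Samba): simulate NSS 'passwd' source
order and winbind's template homedir to show a local user shadowing an AD user."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed nsswitch.conf excerpt: 'files' is consulted before 'winbind'.
NSSWITCH = """\
passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
"""

# Constructed /etc/passwd excerpt: a locally defined 'fred' with a non-default home.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
fred:x:1001:1001:Fred Local:/srv/cs/home/fred:/bin/bash
"""

# Constructed stand-in for AD: name -> RID. With 'idmap config ... backend = rid'
# the uid is derived from the RID; simplified here to range_low + RID.
AD_USERS = {"fred": 1105, "alice": 1106}
IDMAP_RANGE_LOW = 70000

# From the posted smb.conf, plus the documented default for 'template homedir'
# (not set in that config, so the default applies).
WORKGROUP = "MYDOMAIN"
TEMPLATE_HOMEDIR = "/home/%D/%U"
TEMPLATE_SHELL = "/bin/bash"


@dataclass
class PwEntry:
    name: str
    uid: int
    home: str
    shell: str


def expand(template: str, domain: str, user: str) -> str:
    """Expand the two smb.conf substitutions that matter here: %D and %U."""
    return template.replace("%D", domain).replace("%U", user)


def nss_passwd_order(nsswitch_text: str) -> list:
    """Return the source names on the 'passwd:' line, in configured order."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("passwd:"):
            return line.split(":", 1)[1].split()
    return ["files"]  # glibc falls back to 'files' when the line is absent


def lookup_files(name: str, passwd_text: str) -> Optional[PwEntry]:
    """Emulate the 'files' source: first matching line in passwd(5) format."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == name:
            return PwEntry(name, int(fields[2]), fields[5], fields[6])
    return None


def lookup_winbind(name: str) -> Optional[PwEntry]:
    """Emulate the 'winbind' source on a member server with
    'winbind use default domain = Yes', so AD names carry no DOMAIN\\ prefix."""
    rid = AD_USERS.get(name)
    if rid is None:
        return None
    home = expand(TEMPLATE_HOMEDIR, WORKGROUP, name)
    return PwEntry(name, IDMAP_RANGE_LOW + rid, home, TEMPLATE_SHELL)


def resolve(name: str) -> Optional[Tuple[str, PwEntry]]:
    """Walk the NSS sources in order; return (source, entry) for the first hit."""
    for source in nss_passwd_order(NSSWITCH):
        if source == "files":
            hit = lookup_files(name, LOCAL_PASSWD)
        elif source == "winbind":
            hit = lookup_winbind(name)
        else:
            hit = None  # e.g. 'systemd' only answers for its own dynamic users
        if hit is not None:
            return source, hit
    return None


def report(name: str) -> str:
    """One line: which source won, and whether a same-named AD user is hidden."""
    found = resolve(name)
    if found is None:
        return f"{name}: not found in any NSS source"
    source, entry = found
    shadowed = source == "files" and name in AD_USERS
    note = " (a same-named AD user exists and is shadowed)" if shadowed else ""
    return f"{name}: {source} -> uid={entry.uid} home={entry.home}{note}"


if __name__ == "__main__":
    for user in ("fred", "alice", "nobody_here"):
        print(report(user))
```

On a real member server the equivalent check is to compare 'getent passwd fred' with 'wbinfo -i fred' and look at the 'passwd:' line in /etc/nsswitch.conf: if the two commands disagree on uid or home directory, the local account is shadowing the AD one, and permissions on the home directory will follow whichever uid the service actually used.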