samba - May 2012 - multi home dir locations

Hi all,

i've got samba 3.6 joined to a ad domain (s4 in this case)
running winbind
all looks ok, but i ran into a problem (for us that is)

i've got 2 groups (students and employes)
who have there home dirs in 2 different places.

/home/students/<user>
/home/employ/<user>

so far so good, but i can't make the [homes] work for both of them (just 
1 group)

in winbind template, i can only use %g, and that gives me an GID of 
domain users (since that's the default with samba 4)
no secondary groups ect.

putting "path = ..." in the [homes] section gives me the same problem.

how can i get the homedir to work, if the location is different per user ??

even a ambiguous attempt with: path = /homes/`id -g %u`/%u
did not work...

cheers, Collen

On 05/23/2012 03:56 PM, Collen wrote:
> Hi all,
>
> i've got samba 3.6 joined to a ad domain (s4 in this case)
> running winbind
> all looks ok, but i ran into a problem (for us that is)
>
> i've got 2 groups (students and employes)
> who have there home dirs in 2 different places.
>
> /home/students/<user>
> /home/employ/<user>
+1
It's not just you:
we have s3 connected to and s4 domain and we want e.g.

/home2/students/year7
/home2/students/year7/year7a/<student>
/home2/students/year7/year7b/<student>
/home2/staff
/home2/staff<teacher>

Under winbind we cannot see how to do it. So we have used the new 
nss-pam-ldapd instead and store the unixHomeDirectory in the directory. 
As it's available in both the 2008 and s4 schema it works quickly and 
efficiently. With the homeDirectory [share] and unixHomeDirectory being 
mapped by ldapd it works fine. Just like under 2008r2. I Really do think 
we should look into this being standard.

Winbind has done a good job since 2000 but unless it can cope with new 
ideas. . . I'm sure it can. It's just not as easy.
Please contact us personally for full details.
Cheers,
Steve.
http://linuxcostablanca.blogspot.com.es/p/s4bind.html

Hmm, i played around with this nss_ldap, also with the rfc2307 from winbind
looks all nice, but samba4 does not have posix scheme loaded
and filled for users by default.

if i make a new user, it will not have the posix attributes.
and the attributes are not auto set (no uid, gid)

so yeh it can go around the problem, but creates a bunch of new ones
to bad we can't do the nss_ldap mapping within winbind.
since it's only the (unix)homedir we're after at.

thx anny way...

Collen

On 24-5-2012 19:11, steve wrote:
> Hi
>
> Making it default is the easy bit. Install nss-pam-ldapd (libnss-ldapd
> and libpam-ldapd under Debian).
>
> Here is our config in /etc/nslcd.conf
>
> uid nslcd
> gid nslcd
> uri ldap://sam4dc.polop.site
> base dc=polop,dc=site
> map passwd uid samAccountName
> map passwd homeDirectory unixHomeDirectory
> #map group uniqueMember member
> sasl_mech GSSAPI
> sasl_realm POLOP.SITE
> krb5_ccname /tmp/nslcd.tkt
>
> Most of this is site dependent but the mappings are all that are
> important. The latest version (0.8.4 up) maps group members too hence
> the commented out line.
>
> We have written scripts to implement this but you can do this from Linux
> using ldbedit to add only the objects and attributes
> you need.
>
> Here is an example of a user called steve2 (samba-tool user add steve2
> or from ADUC in windows) in the directory to which we have added the
> attributes necessary for nss-ldapd mappings:
>
> dn: CN=steve2,CN=Users,DC=polop,DC=site
> cn: steve2
> instanceType: 4
> whenCreated: 20120508141303.0Z
> uSNCreated: 3719
> name: steve2
> objectGUID: 2e73c14e-976e-431e-830e-863494cc4a1c
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> objectSid: S-1-5-21-1196638036-2541980263-511278767-1105
> logonCount: 0
> sAMAccountName: steve2
> sAMAccountType: 805306368
> userPrincipalName: steve2 at polop.site
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=polop,DC=site
> pwdLastSet: 129809599830000000
> uidNumber: 3000008
> unixHomeDirectory: /home2/CACTUS/steve2
> loginShell: /bin/bash
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> profilePath: \\sam4dc\profiles\steve2
> homeDrive: Z:
> homeDirectory: \\sam4dc\home\steve2
> memberOf: CN=staff,CN=Users,DC=polop,DC=site
> primaryGroupID: 513
> gidNumber: 20513
> userAccountControl: 66048
> accountExpires: 0
> whenChanged: 20120518160301.0Z
> uSNChanged: 3944
> distinguishedName: CN=steve2,CN=Users,DC=polop,DC=site
>
> You can either add the objects and attributes to taste using ldbedit or
> write scripts to add
> them for you. We have written a suite of well tested scripts called
> 's4bind' which do all this for you. Remember, if the attributes are
> stored in the directory and mapped by something up to date which
> understands AD, then there can never be any confusion as to uid, gid,
> home directory or whatever. m$ have granted us free access to the posix
> attributes necessary to connect Linux machines to 2008r2 and therefore
> Samba4 AD. Let's use them to our advantage.
>
> http://linuxcostablanca.blogspot.com.es/p/s4bind.html
>
> Cheers,
> Steve
>