Alex Wakizashi
2013-Oct-28 11:54 UTC
[Samba] How winbindd is working on DC/member? It ignores rfc2307 on DC, and not showing all users on member server... Where is an error?
Hi all,

Still looking for the best way to achieve consistent GID/UID mapping on Linux servers/clients, in a heterogeneous environment (Linux, Windows, CIFS, NFS).
Current problems with UID/GID resolution prevent using Samba4 in an environment with backups (where data may be restored on another server) and mixed Linux/Windows workstations.

Just recently installed fresh Samba 4.1.0 on the server as DC, and completely confused by how winbind is working.

DC provisioned as:

samba-tool domain provision --use-rfc2307 --domain=SAMBA --realm=samba.local.net --adminpass='<Password>' --dns-backend=BIND9_DLZ --server-role=dc

DNS is configured, kerberos too, kinit/klist working fine.

Samba and NSS configuration:

--- smb.conf ---
# Global parameters
[global]
        workgroup = SAMBA
        realm = samba.local.net
        netbios name = NAS
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/samba.local.net/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
--- smb.conf ---

--- nsswitch.conf ---
passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
--- nsswitch.conf ---

Have created new user:

samba-tool user add Wakizashi --use-username-as-cn --given-name=Alex --surname=Wakizashi --uid-number=1001

And modified RFC attributes, result:

root@nas:~# ldbsearch -k yes -H ldap://nas "(sAMAccountName=wakizashi)" sAMAccountName uid loginShell unixHomeDirectory
# record 1
dn: CN=Wakizashi,CN=Users,DC=samba,DC=local,DC=net
sAMAccountName: Wakizashi
unixHomeDirectory: /home/wakizashi
uid: wakizashi
loginShell: /bin/bash

Problems:

1. Just after Samba install "id" reports no user "wakizashi", after reboot it started to resolve both "Wakizashi" and "wakizashi", as well as "Administrator", etc.

2. I can see users in the domain, but it seems like winbindd ignores the rfc2307 attributes:
- cut -
root@nas:~# getent passwd
root:x:0:0:root:/root:/bin/bash
....
ntp:x:107:112::/home/ntp:/bin/false
nslcd:x:108:113:nslcd name service LDAP connection daemon,,,:/var/run/nslcd/:/bin/false
SAMBA\Administrator:*:0:100::/home/SAMBA/Administrator:/bin/false
SAMBA\Guest:*:3000011:3000012::/home/SAMBA/Guest:/bin/false
SAMBA\krbtgt:*:3000017:100::/home/SAMBA/krbtgt:/bin/false
SAMBA\dns-nas:*:3000018:100::/home/SAMBA/dns-nas:/bin/false
SAMBA\Wakizashi:*:1001:100:Alex Wakizashi:/home/SAMBA/Wakizashi:/bin/false
- cut -

So, as you can see, there are rfc2307 attributes: uid, shell and home directory, but winbindd just ignores these, and uses crazy "SAMBA\wakizashi" username, wrong home directory, wrong shell.

3. Still some group IDs are not resolvable:
root@nas:~# ls -la /var/lib/samba/sysvol/
total 20
drwxrwx---+  3 SAMBA\Administrator 3000000 4096 Oct 28 03:09 .
drwxr-xr-x  10 SAMBA\Administrator root    4096 Oct 28 03:09 ..
drwxrwx---+  4 SAMBA\Administrator 3000000 4096 Oct 28 03:09 samba.local.net

As I can see, there is GID 3000000. What is it?

root@nas:~# wbinfo -s `wbinfo -G 3000000 `
BUILTIN\Administrators 4

So, why is this not resolved by winbindd?

Same with ACL:

root@nas:~# getfacl /var/lib/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

Why are there unresolved GIDs?

root@nas:~# wbinfo -s `wbinfo -G 3000001 `
BUILTIN\Server Operators 4
root@nas:~# wbinfo -s `wbinfo -G 3000002 `
NT AUTHORITY\SYSTEM 5
root@nas:~# wbinfo -s `wbinfo -G 3000003 `
NT AUTHORITY\Authenticated Users 5

3. Ok, let's try winbind on member server.

Have installed CHEETAH with following config (Just from Wiki):

--- smb.conf AD member ---
[global]

        workgroup = SAMBA
        security = ADS
        realm = SAMBA.LOCAL.NET
        encrypt passwords = yes

        idmap config *:backend = tdb
        idmap config *:range = 70001-80000
        idmap config SAMBA:backend = ad
        idmap config SAMBA:schema_mode = rfc2307
        idmap config SAMBA:range = 3000000-4000000

        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes

[test]
        path = /home/test
        read only = no

--- smb.conf AD member ---

Services have been forcibly restarted - to make sure that everything has been reloaded.

root@cheetah:~# getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
...
wakizashi:x:1001:100::/home/wakizashi:/bin/bash
gdm:x:110:115:Gnome Display Manager:/var/lib/gdm:/bin/false
avahi:x:111:118:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
ntp:x:112:120::/home/ntp:/bin/false
libvirt-qemu:x:113:121:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
vde2-net:x:114:124::/var/run/vde2:/bin/false
nslcd:x:115:125:nslcd name service LDAP connection daemon,,,:/var/run/nslcd/:/bin/false
guest:*:3000011:3000012:Guest:/home/guest:/bin/false

Hmmm... Where is "Administrator"? Where is a "krb-tgt"?

BTW - Guest has all needed rfc2307 attributes, as well as other users, so it is supposed to get shell and homedir correctly... But even in this case it's not resolvable by the system:

root@cheetah:~# id guest
id: guest: No such user
root@cheetah:~# id administrator
id: administrator: No such user
root@cheetah:~# id SAMBA\\Guest
id: SAMBA\Guest: No such user
root@cheetah:~# id SAMBA\\guest
id: SAMBA\guest: No such user

Even worse - no user is visible, even the "Guest", which is in "getent passwd"

And of course, here is the issue with denying access to Administrator (and other users too, except "wakizashi," which is available locally from /etc/passwd):

[2013/10/28 15:32:44.525754, 3] ../source3/smbd/sesssetup.c:138(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2013/10/28 15:32:44.525773, 3] ../source3/smbd/sesssetup.c:179(reply_sesssetup_and_X_spnego)
  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2013/10/28 15:32:44.538199, 3] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
  Found account name from PAC: Wakizashi [Alex Wakizashi]
[2013/10/28 15:32:44.538250, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [wakizashi@SAMBA.LOCAL.NET]
[2013/10/28 15:32:44.538419, 3] ../source3/param/loadparm.c:4838(lp_load_ex)
  lp_load_ex: refreshing parameters
[2013/10/28 15:32:44.538489, 3] ../source3/param/loadparm.c:750(init_globals)
  Initialising global parameters
[2013/10/28 15:32:44.538546, 3] ../lib/util/params.c:550(pm_process)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2013/10/28 15:32:44.538563, 3] ../source3/param/loadparm.c:3564(do_section)
  Processing section "[global]"
[2013/10/28 15:32:44.538719, 2] ../source3/param/loadparm.c:3581(do_section)
  Processing section "[test]"
[2013/10/28 15:32:44.538761, 3] ../source3/param/loadparm.c:1773(lp_add_ipc)
  adding IPC service
[2013/10/28 15:32:44.539384, 3] ../source3/smbd/password.c:144(register_homes_share)
  Adding homes service for user 'wakizashi' using home directory: '/home/wakizashi'
[2013/10/28 15:32:44.539627, 3] ../source3/smbd/process.c:1795(process_smb)
  Transaction 2 of length 84 (0 toread)
[2013/10/28 15:32:44.539667, 3] ../source3/smbd/process.c:1398(switch_message)
  switch message SMBtconX (pid 15953) conn 0x0
[2013/10/28 15:32:44.539796, 3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from cheetah (127.0.0.1)
[2013/10/28 15:32:44.539879, 3] ../source3/smbd/service.c:612(make_connection_snum)
  Connect path is '/tmp' for service [IPC$]
[2013/10/28 15:32:44.539944, 3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2013/10/28 15:32:44.539987, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2013/10/28 15:32:44.540102, 3] ../source3/smbd/service.c:848(make_connection_snum)
  cheetah (ipv4:127.0.0.1:38217) connect to service IPC$ initially as user wakizashi (uid=1001, gid=100) (pid 15953)
...
[2013/10/28 15:35:11.002140, 3] ../source3/smbd/sesssetup.c:138(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2013/10/28 15:35:11.002169, 3] ../source3/smbd/sesssetup.c:179(reply_sesssetup_and_X_spnego)
  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2013/10/28 15:35:11.014682, 3] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
  Found account name from PAC: Administrator []
[2013/10/28 15:35:11.014726, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [administrator@SAMBA.LOCAL.NET]
[2013/10/28 15:35:11.032130, 1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username SAMBA\administrator is invalid on this system
[2013/10/28 15:35:11.032176, 1] ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2013/10/28 15:35:11.032209, 1] ../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED
[2013/10/28 15:35:11.032288, 3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/sesssetup.c(279) cmd=115 (SMBsesssetupX) NT_STATUS_ACCESS_DENIED
[2013/10/28 15:35:11.032927, 3] ../source3/smbd/server_exit.c:212(exit_server_common)
  Server exit (failed to receive smb request)

Could someone, please, explain - how to set up Samba correctly, at least to provide users/groups on the DC and member servers?

So far, default installation and documentation do not provide a reasonable way to get a working environment...

I'm completely lost with it. Sometimes it is working, sometimes - not.

Yes, there is a way with nslcd, but it's just a workaround, requiring additional scripts... But how to make SAMBA work just with its standard services, like winbindd?

And of course - if there is anything I can do for the Samba team - will be glad to help. Hope to see SAMBA replacing Windows Server and AD completely :)
Issues mentioned above are reproducible on my virtual machines (Debian Wheezy), may provide access to these, if needed.

Regards,
Alex
Rowland Penny
2013-Oct-28 12:27 UTC
[Samba] How winbindd is working on DC/member? It ignores rfc2307 on DC, and not showing all users on member server... Where is an error?
On 28/10/13 11:54, Alex Wakizashi wrote:
> And of course - if there is anything I can do for the Samba team -
> will be glad to help. Hope to see SAMBA replacing Windows Server and
> AD completely :)
> Issues, mentioned above, are reproducible on my virtual machines
> (Debian Wheezy), may provide access to these, if needed.
>
> Regards,
> Alex

Hi, the problem is that winbind on the S4 server only knows about the uidNumber & gidNumber. You can change the shell by putting 'template shell = /bin/bash' into smb.conf, but you are stuck with /home/DOMAIN/USER as it is hard coded into winbind. The devs say that they will replace S4 winbind with the winbind from S3, which is a much different beast, but I do not know when this will happen.

If you want your Linux users to log into the S4 server, then my advice is to take a look at sssd; you will then get consistent UID/GIDs.

Rowland
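A way to check the UID/GID consistency this thread is about, as an added example (not part of either post and not Samba code): it compares the `getent passwd` views of the DC and the member server and separates differences that change file ownership (uid, gid) from the rest. The function names are illustrative, and the sample text is the thread's own output trimmed to the relevant entries.

```python
# Added example: compare the `getent passwd` views of two hosts.
FIELDS = ("uid", "gid", "home", "shell")

# Entries copied from the `getent passwd` output quoted in the thread (trimmed).
DC_PASSWD = r"""
root:x:0:0:root:/root:/bin/bash
SAMBA\Administrator:*:0:100::/home/SAMBA/Administrator:/bin/false
SAMBA\Guest:*:3000011:3000012::/home/SAMBA/Guest:/bin/false
SAMBA\krbtgt:*:3000017:100::/home/SAMBA/krbtgt:/bin/false
SAMBA\dns-nas:*:3000018:100::/home/SAMBA/dns-nas:/bin/false
SAMBA\Wakizashi:*:1001:100:Alex Wakizashi:/home/SAMBA/Wakizashi:/bin/false
"""

MEMBER_PASSWD = r"""
root:x:0:0:root:/root:/bin/bash
wakizashi:x:1001:100::/home/wakizashi:/bin/bash
guest:*:3000011:3000012:Guest:/home/guest:/bin/false
"""


def parse_passwd(text, domain=None):
    """Return {lowercased name: (uid, gid, home, shell)}.

    With `domain` set, keep only 'DOMAIN\\name' entries and strip the prefix
    (the DC view); otherwise keep every entry (a member that runs with
    'winbind use default domain = yes' shows no prefix).
    """
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # blank, truncated or malformed line
        name = fields[0]
        if domain is not None:
            prefix, sep, short = name.partition("\\")
            if not sep or prefix.upper() != domain.upper():
                continue  # local account, not a domain entry
            name = short
        entries[name.lower()] = (int(fields[2]), int(fields[3]), fields[5], fields[6])
    return entries


def compare_views(reference, other):
    """List (name, field, reference_value, other_value) for every difference.

    An account absent from `other` is reported once with field 'missing'.
    """
    findings = []
    for name in sorted(reference):
        if name not in other:
            findings.append((name, "missing", reference[name][0], None))
            continue
        for label, ref_val, other_val in zip(FIELDS, reference[name], other[name]):
            if ref_val != other_val:
                findings.append((name, label, ref_val, other_val))
    return findings


def ownership_drift(findings):
    """Differences that make the same file belong to different principals."""
    return [f for f in findings if f[1] in ("uid", "gid")]


if __name__ == "__main__":
    dc = parse_passwd(DC_PASSWD, domain="SAMBA")
    member = parse_passwd(MEMBER_PASSWD)
    for name, field, ref_val, other_val in compare_views(dc, member):
        print(f"{name}: {field}: DC={ref_val!r} member={other_val!r}")
```

On the thread's data this reports administrator, dns-nas and krbtgt as missing on the member, home and shell differences for the accounts that do resolve, and no uid or gid drift.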