Something strange here. User created using:
root@dc1:~# samba-tool user add user7 Abcd1234 --uid-number=1007
--home-directory=/home/user7 --login-shell=/bin/bash
User 'user7' created successfully
I can see the homeDirectory attribute in the entry. But the home
directory that winbind returns is just the template one:
root@adclient:~# getent passwd user7
user7:*:1007:70001:user7:/home/ADTEST/user7:/bin/bash
Here is /etc/samba/smb.conf on the adclient machine:
--- 8< ---
[global]
#netbios name = adclient
workgroup = ADTEST
security = ADS
realm = ADTEST.INT.EXAMPLE.NET
encrypt passwords = yes
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config ADTEST:backend = ad
idmap config ADTEST:schema_mode = rfc2307
idmap config ADTEST:range = 500-40000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
--- 8< ---
This is based on
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Set_up_a_basic_smb.conf
(and notice that it includes "winbind nss info = rfc2307")
The full LDAP record is below. Both machines are ubuntu 14.04, Samba 4.1.6.
Any ideas what I'm doing wrong?
Thanks,
Brian.
------------
root@dc1:~# ldapsearch -b
CN=user7,CN=users,DC=adtest,DC=int,DC=example,DC=net
SASL/GSSAPI authentication started
SASL username: user@ADTEST.INT.EXAMPLE.NET
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <CN=user7,CN=users,DC=adtest,DC=int,DC=example,DC=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# user7, Users, adtest.int.example.net
dn: CN=user7,CN=Users,DC=adtest,DC=int,DC=example,DC=net
cn: user7
instanceType: 4
whenCreated: 20140624123352.0Z
whenChanged: 20140624123352.0Z
uSNCreated: 4281
name: user7
objectGUID:: XX+EJB9AHk+JuLSU5PkJDA==
badPwdCount: 0
codePage: 0
countryCode: 0
homeDirectory: /home/user7
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAZ5nUF79P8gY2aC90ZAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: user7
sAMAccountType: 805306368
userPrincipalName: user7@adtest.int.example.net
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=adtest,DC=int,DC=example,DC=net
uidNumber: 1007
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
pwdLastSet: 130480868320000000
userAccountControl: 512
uSNChanged: 4285
distinguishedName: CN=user7,CN=Users,DC=adtest,DC=int,DC=example,DC=net
# search result
search: 5
result: 0 Success
# numResponses: 2
# numEntries: 1
On 24/06/14 13:41, Brian Candler wrote:> Something strange here. User created using: > > root at dc1:~# samba-tool user add user7 Abcd1234 --uid-number=1007 > --home-directory=/home/user7 --login-shell=/bin/bash > User 'user7' created successfully > > I can see the homeDirectory attribute in the entry. But the home > directory that winbind returns is just the template one: > > root at adclient:~# getent passwd user7 > user7:*:1007:70001:user7:/home/ADTEST/user7:/bin/bash > > Here is /etc/samba/smb.conf on the adclient machine: > > --- 8< --- > [global] > > #netbios name = adclient > workgroup = ADTEST > security = ADS > realm = ADTEST.INT.EXAMPLE.NET > encrypt passwords = yes > kerberos method = secrets and keytab > > idmap config *:backend = tdb > idmap config *:range = 70001-80000 > idmap config ADTEST:backend = ad > idmap config ADTEST:schema_mode = rfc2307 > idmap config ADTEST:range = 500-40000 > > winbind nss info = rfc2307 > winbind trusted domains only = no > winbind use default domain = yes > winbind enum users = yes > winbind enum groups = yes > --- 8< --- > > This is based on > https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Set_up_a_basic_smb.conf > (and notice that it includes "winbind nss info = rfc2307") > > The full LDAP record is below. Both machines are ubuntu 14.04, Samba > 4.1.6. > > Any ideas what I'm doing wrong? > > Thanks, > > Brian. > > ------------ > root at dc1:~# ldapsearch -b > CN=user7,CN=users,DC=adtest,DC=int,DC=example,DC=net > SASL/GSSAPI authentication started > SASL username: user at ADTEST.INT.EXAMPLE.NET > SASL SSF: 56 > SASL data security layer installed. 
> # extended LDIF > # > # LDAPv3 > # base <CN=user7,CN=users,DC=adtest,DC=int,DC=example,DC=net> with > scope subtree > # filter: (objectclass=*) > # requesting: ALL > # > > # user7, Users, adtest.int.example.net > dn: CN=user7,CN=Users,DC=adtest,DC=int,DC=example,DC=net > cn: user7 > instanceType: 4 > whenCreated: 20140624123352.0Z > whenChanged: 20140624123352.0Z > uSNCreated: 4281 > name: user7 > objectGUID:: XX+EJB9AHk+JuLSU5PkJDA=> badPwdCount: 0 > codePage: 0 > countryCode: 0 > homeDirectory: /home/user7 > badPasswordTime: 0 > lastLogoff: 0 > lastLogon: 0 > primaryGroupID: 513 > objectSid:: AQUAAAAAAAUVAAAAZ5nUF79P8gY2aC90ZAQAAA=> accountExpires: 9223372036854775807 > logonCount: 0 > sAMAccountName: user7 > sAMAccountType: 805306368 > userPrincipalName: user7 at adtest.int.example.net > objectCategory: > CN=Person,CN=Schema,CN=Configuration,DC=adtest,DC=int,DC=examp > le,DC=net > uidNumber: 1007 > loginShell: /bin/bash > objectClass: top > objectClass: posixAccount > objectClass: person > objectClass: organizationalPerson > objectClass: user > pwdLastSet: 130480868320000000 > userAccountControl: 512 > uSNChanged: 4285 > distinguishedName: CN=user7,CN=Users,DC=adtest,DC=int,DC=example,DC=net > > # search result > search: 5 > result: 0 Success > > # numResponses: 2 > # numEntries: 1 >

Your user doesn't have a 'gidNumber'; winbind seems to need the 'gidNumber' attribute before it extracts all the user's info from AD.

Rowland
> Your user doesn't have a 'gidNumber' winbind seems to need the
> 'gidNumber' attribute before it extracts all the users info from AD.

gidNumber seems to be ignored:

root@dc1:~# samba-tool user add user8 Abcd1234 --uid-number=1008 --home-directory=/home/user8 --login-shell=/bin/bash --gid-number=1008
root@adclient:~# getent passwd user8
user8:*:1008:70001:user8:/home/ADTEST/user8:/bin/bash

ldapsearch shows:

...
uidNumber: 1008
gidNumber: 1008
loginShell: /bin/bash
...

Maybe gidNumber has to correspond to a real group object? The "domain users" group is this object:

# Domain Users, Users, adtest.int.example.net
dn: CN=Domain Users,CN=Users,DC=adtest,DC=int,DC=example,DC=net
objectClass: top
objectClass: group
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20140618075445.0Z
whenChanged: 20140618075445.0Z
uSNCreated: 3541
uSNChanged: 3541
name: Domain Users
objectGUID:: tY04KF2fXEyFT/9qBdevHw==
objectSid:: AQUAAAAAAAUVAAAAZ5nUF79P8gY2aC90AQIAAA==
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=adtest,DC=int,DC=example,DC=net
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=adtest,DC=int,DC=example,DC=net
distinguishedName: CN=Domain Users,CN=Users,DC=adtest,DC=int,DC=example,DC=net

So do I need to add a gidNumber attribute to this entry? Or create a new group? Unfortunately I'm doing this without any Windows tools, and "samba-tool group add" doesn't have a --gid-number flag.

So I tried adding gidNumber to the group:

root@dc1:~# cat mod.ldif
dn: CN=Domain Users,CN=Users,DC=adtest,DC=int,DC=example,DC=net
changetype: modify
add: gidNumber
gidNumber: 1008
-
root@dc1:~# ldapmodify -f mod.ldif

ldapsearch confirms it's there, but no difference to the result. I also tried adding objectClass: posixGroup to this, still no effect.

Any more suggestions?

Regards,

Brian.
I can't find the source and solution on the Samba wiki page, but I know that there is a trick to home directory management with winbind.

Maybe check "template homedir (G)" in smb.conf.

-----------------------------------
Stéphane PURNELLE Admin. Systèmes et Réseaux
Service Informatique Corman S.A. Tel : 00 32 (0)87/342467

samba-bounces at lists.samba.org wrote on 24/06/2014 14:41:35:

> De : Brian Candler <b.candler at pobox.com> > A : samba at lists.samba.org, > Date : 24/06/2014 14:42 > Objet : [Samba] winbind: homeDirectory being ignored > Envoyé par : samba-bounces at lists.samba.org > > Something strange here. User created using: > > root at dc1:~# samba-tool user add user7 Abcd1234 --uid-number=1007 > --home-directory=/home/user7 --login-shell=/bin/bash > User 'user7' created successfully > > I can see the homeDirectory attribute in the entry. But the home > directory that winbind returns is just the template one: > > root at adclient:~# getent passwd user7 > user7:*:1007:70001:user7:/home/ADTEST/user7:/bin/bash > > Here is /etc/samba/smb.conf on the adclient machine: > > --- 8< --- > [global] > > #netbios name = adclient > workgroup = ADTEST > security = ADS > realm = ADTEST.INT.EXAMPLE.NET > encrypt passwords = yes > kerberos method = secrets and keytab > > idmap config *:backend = tdb > idmap config *:range = 70001-80000 > idmap config ADTEST:backend = ad > idmap config ADTEST:schema_mode = rfc2307 > idmap config ADTEST:range = 500-40000 > > winbind nss info = rfc2307 > winbind trusted domains only = no > winbind use default domain = yes > winbind enum users = yes > winbind enum groups = yes > --- 8< --- > > This is based on > https://wiki.samba.org/index.php/ > Setup_a_Samba_AD_Member_Server#Set_up_a_basic_smb.conf > (and notice that it includes "winbind nss info = rfc2307") > > The full LDAP record is below. Both machines are ubuntu 14.04, Samba4.1.6.> > Any ideas what I'm doing wrong? > > Thanks, > > Brian. 
> > ------------ > root at dc1:~# ldapsearch -b > CN=user7,CN=users,DC=adtest,DC=int,DC=example,DC=net > SASL/GSSAPI authentication started > SASL username: user at ADTEST.INT.EXAMPLE.NET > SASL SSF: 56 > SASL data security layer installed. > # extended LDIF > # > # LDAPv3 > # base <CN=user7,CN=users,DC=adtest,DC=int,DC=example,DC=net> with scope> subtree > # filter: (objectclass=*) > # requesting: ALL > # > > # user7, Users, adtest.int.example.net > dn: CN=user7,CN=Users,DC=adtest,DC=int,DC=example,DC=net > cn: user7 > instanceType: 4 > whenCreated: 20140624123352.0Z > whenChanged: 20140624123352.0Z > uSNCreated: 4281 > name: user7 > objectGUID:: XX+EJB9AHk+JuLSU5PkJDA=> badPwdCount: 0 > codePage: 0 > countryCode: 0 > homeDirectory: /home/user7 > badPasswordTime: 0 > lastLogoff: 0 > lastLogon: 0 > primaryGroupID: 513 > objectSid:: AQUAAAAAAAUVAAAAZ5nUF79P8gY2aC90ZAQAAA=> accountExpires: 9223372036854775807 > logonCount: 0 > sAMAccountName: user7 > sAMAccountType: 805306368 > userPrincipalName: user7 at adtest.int.example.net > objectCategory: > CN=Person,CN=Schema,CN=Configuration,DC=adtest,DC=int,DC=examp > le,DC=net > uidNumber: 1007 > loginShell: /bin/bash > objectClass: top > objectClass: posixAccount > objectClass: person > objectClass: organizationalPerson > objectClass: user > pwdLastSet: 130480868320000000 > userAccountControl: 512 > uSNChanged: 4285 > distinguishedName: CN=user7,CN=Users,DC=adtest,DC=int,DC=example,DC=net > > # search result > search: 5 > result: 0 Success > > # numResponses: 2 > # numEntries: 1 > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba