With the switch to using winbindd on Domain Controllers in 4.2, should a getent passwd now be showing the home directory and shell that is in the RFC2307 attributes in the directory like a member server does?

I always thought that this was a difference between the internal winbind and the external winbindd, but my 4.2 DC looks like it is still using the templates rather than looking the values up in the directory.

Centos 7.1/Samba 4.2.2 DC configuration

/etc/samba/smb.conf
[global]
workgroup = SAMBA
realm = samba.xxxxxxx.xx.xx
netbios name = DC03
server role = active directory domain controller

# Using bind_dlz
server services = -dns

idmap config SAMBA:backend = ad
idmap config SAMBA:schema_mode = rfc2307
idmap config SAMBA:range = 1000000-5000000

idmap config *:backend = tdb
idmap config *:range = 70001-80000
winbind nss info = rfc2307

idmap_ldb:use rfc2307 = yes

winbind trusted domains only = no
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes

[netlogon]
path = /var/lib/samba/sysvol/samba.xxxxxxx.xx.xx/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

nsswitch.conf has
passwd: files winbind
group: files winbind

Thanks

Mike

On 16/06/15 05:03, Brady, Mike wrote:
> With the switch to using winbindd on Domain Controllers in 4.2, should
> a getent passwd now be showing the home directory and shell that is in
> the RFC2307 attributes in the directory like a member server does?

No. winbindd works the same as winbind.

On 16/06/15 04:03, Brady, Mike wrote:
> With the switch to using winbindd on Domain Controllers in 4.2, should
> a getent passwd now be showing the home directory and shell that is in
> the RFC2307 attributes in the directory like a member server does?

No, the 'winbindd' change hasn't altered anything here.

>
> I always thought that this was a difference between the internal
> winbind and the external winbindd, but my 4.2 DC looks like it is
> still using the templates rather than looking the values up in the
> directory.
>
> Centos 7.1/Samba 4.2.2 DC configuration
>
> /etc/samba/smb.conf
> [global]
> workgroup = SAMBA
> realm = samba.xxxxxxx.xx.xx
> netbios name = DC03
> server role = active directory domain controller
>
> # Using bind_dlz
> server services = -dns
>
> idmap config SAMBA:backend = ad
> idmap config SAMBA:schema_mode = rfc2307
> idmap config SAMBA:range = 1000000-5000000
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> winbind nss info = rfc2307

You might as well remove the above lines, they are not doing anything.

>
> idmap_ldb:use rfc2307 = yes
>
> winbind trusted domains only = no
> winbind use default domain = no
> winbind enum users = yes
> winbind enum groups = yes

and the above 4 lines

>
> [netlogon]
> path = /var/lib/samba/sysvol/samba.xxxxxxx.xx.xx/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> nsswitch.conf has
> passwd: files winbind
> group: files winbind
>
> Thanks
>
> Mike

Rowland

On 2015-06-16 19:39, Rowland Penny wrote:
> On 16/06/15 04:03, Brady, Mike wrote:
>> With the switch to using winbindd on Domain Controllers in 4.2, should
>> a getent passwd now be showing the home directory and shell that is in
>> the RFC2307 attributes in the directory like a member server does?
>
> No, the 'winbindd' change hasn't altered anything here.
>
>>
>> I always thought that this was a difference between the internal
>> winbind and the external winbindd, but my 4.2 DC looks like it is
>> still using the templates rather than looking the values up in the
>> directory.
>>
>> Centos 7.1/Samba 4.2.2 DC configuration
>>
>> /etc/samba/smb.conf
>> [global]
>> workgroup = SAMBA
>> realm = samba.xxxxxxx.xx.xx
>> netbios name = DC03
>> server role = active directory domain controller
>>
>> # Using bind_dlz
>> server services = -dns
>
>>
>> idmap config SAMBA:backend = ad
>> idmap config SAMBA:schema_mode = rfc2307
>> idmap config SAMBA:range = 1000000-5000000
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 70001-80000
>> winbind nss info = rfc2307
>
> You might as well remove the above lines, they are not doing anything.
>

I added these because the wiki page https://wiki.samba.org/index.php/RFC2307_backend#Using_Winbindd_on_a_Samba_DC specifically states that these settings are needed. What range is used for uids for

>>
>> idmap_ldb:use rfc2307 = yes
>>
>> winbind trusted domains only = no
>> winbind use default domain = no
>> winbind enum users = yes
>> winbind enum groups = yes
>
> and the above 4 lines
>
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/samba.xxxxxxx.xx.xx/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> nsswitch.conf has
>> passwd: files winbind
>> group: files winbind
>>
>> Thanks
>>
>> Mike
>
> Rowland