Thank you Felix.

On 02/07/15 16:18, Felix Matouschek wrote:
> Hi David,
>
> I experienced this issue as well, it's currently a limitation of Samba 4.2.2.
> Samba 4.2.2 DCs do not support pulling home directories and login shells from AD via rfc2307.
>
> I solved this issue with the "template homedir" and "template shell" directives.
> You lose some flexibility but at least it works.

Lack of flexibility is my main problem. Unfortunately without restructuring how our home directories are set up, I need the flexibility. I need HomeDirectories etc to be pulled from the AD if I'm to retire our current LDAP servers and use Samba4 as a replacement.

>
> Excerpt from my DC smb.conf:
>
> winbind nss info = rfc2307:MYDOMAIN, template
> template shell = /bin/bash
> template homedir = /home/users/%U
>
> Greetings,
> Felix

Just to clarify, is it only the DC that doesn't return desired values of HomeDirectory and Shell?

I ask because my member server is returning the desired values, but I get the impression that it should not be from comments on the list. Rowland was helping me with winbindd over the last few weeks and I got the impression that my Member Server should not be returning correct HomeDirectory and Shell - but it is - that is why I mentioned that I don't have SSSD installed - nor any other nsswitch back to our current LDAP. I need to know if what I am seeing is a freak of computing, or expected behaviour.

> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of David Minard
> Sent: Thursday, 2 July 2015 06:18
> To: samba at lists.samba.org
> Subject: [Samba] Getent Differences on a DC and a Member Server
>
> G'day All,
>
> I'm running Centos 7, Samba4.2.2. (SSSD is NOT running (not even installed on the Member Server))
>
> /etc/nsswitch on both:
>
> passwd: files winbind
> group: files winbind
>
> the winbind libs have been sym-linked as described in the tiki. All seems to be working well on both the DC and Member Server.
>
> Both smb.confs have:
>
> idmap config *:backend = tdb
> idmap config *:range = 3000000-4000000
> idmap config AD:backend = ad
> idmap config AD:schema_mode = rfc2307
> idmap config AD:range = 600-2999999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
>
>
> On the DC I've changed winbind to winbindd in the "server services"
> line, and winbindd starts up as expected.
>
> Can anyone tell me why I get slightly different answers from 'getent passwd [username]' from a DC and a Member Server.
>
> eg: getent passwd fred
>
> DC:
>
> fred:*:4999:1001:Fred Nerks:/home/AD/fred:/bin/false
>
> On a Member Server:
>
> fred:*:4999:1001:Fred Nerks:/home/fred:/bin/tcsh
>
>
> On the DC the HomeDirectory and Shell Fields are not what I defined for user Fred.
>
> On the Member Server, Homedirectory and Shell are what I defined for user Fred.
>
> Why is there a difference?
>
> --
> This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
Cheers,
David Minard.
Ph: 0247 360 155
Fax: 0247 360 770

School of Computing, Engineering, and Mathematics
Building Y - Penrith Campus (Kingswood)
Locked bag 1797
Penrith South DC NSW 1797

[Sometimes waking up just isn't worth the insult of the day to come.]

Rowland Penny
2015-Jul-03 08:25 UTC
[Samba] Getent Differences on a DC and a Member Server
On 03/07/15 02:28, David Minard wrote:
> Thank you Felix.
> On 02/07/15 16:18, Felix Matouschek wrote:
>> Hi David,
>>
>> I experienced this issue as well, it's currently a limitation of
>> Samba 4.2.2.
>> Samba 4.2.2 DCs do not support pulling home directories and login
>> shells from AD via rfc2307.
>>
>> I solved this issue with the "template homedir" and "template shell"
>> directives.
>> You lose some flexibility but at least it works.
>
> Lack of flexibility is my main problem. Unfortunately without
> restructuring how our home directories are set up, I need the
> flexibility. I need HomeDirectories etc to be pulled from the AD if
> I'm to retire our current LDAP servers and use Samba4 as a replacement.
>>
>> Excerpt from my DC smb.conf:
>>
>> winbind nss info = rfc2307:MYDOMAIN, template
>> template shell = /bin/bash
>> template homedir = /home/users/%U
>>
>> Greetings,
>> Felix
>
> Just to clarify, is it only the DC that doesn't return desired
> values of HomeDirectory and Shell?

Yes, unfortunately the DC does not return anything for HomeDirectory or loginShell, this is still true even if you use a version from 4.2.0 which uses 'winbindd' instead of 'winbind'. The only way to use all the RFC2307 attributes is to use member servers & Unix clients, they do not suffer from this problem.

Rowland

>
> I ask because my member server is returning the desired values,
> but I get the impression that it should not be from comments on the
> list. Rowland was helping me with winbindd over the last few weeks
> and I got the impression that my Member Server should not be returning
> correct HomeDirectory and Shell - but it is - that is why I mentioned
> that I don't have SSSD installed - nor any other nsswitch back to our
> current LDAP. I need to know if what I am seeing is a freak of
> computing, or expected behaviour.
>

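Added example (not part of the original thread and not Samba code): a shell check that compares `getent passwd` captures taken on the DC and on a member server and reports, per user, which fields differ, which is the discrepancy confirmed above. The names `passwd_drift` and `demo`, the capture files and the `alice` entry are constructed for illustration; the `fred` lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: compare `getent passwd` captures from two hosts, field by field.
# passwd(5) layout: name:passwd:uid:gid:gecos:home:shell

passwd_drift() {   # $1 = capture from the DC, $2 = capture from the member server
    awk -F: '
        FILENAME == ARGV[1] { dc[$1] = $0; next }      # remember the DC view
        { seen[$1] = 1 }
        !($1 in dc) { printf "%s: missing on DC\n", $1; next }
        {
            split(dc[$1], d, ":")
            # uid/gid drift changes file ownership between hosts
            if (d[3] != $3) printf "%s: uid DC=%s member=%s\n", $1, d[3], $3
            if (d[4] != $4) printf "%s: gid DC=%s member=%s\n", $1, d[4], $4
            # home/shell drift is the symptom reported in this thread
            if (d[6] != $6) printf "%s: home DC=%s member=%s\n", $1, d[6], $6
            if (d[7] != $7) printf "%s: shell DC=%s member=%s\n", $1, d[7], $7
        }
        END { for (u in dc) if (!(u in seen)) printf "%s: missing on member\n", u }
    ' "$1" "$2"
}

demo() {
    tmp=$(mktemp -d) || return 1
    # fred: the two lines quoted in the thread; alice: constructed, same on both hosts
    printf '%s\n' 'fred:*:4999:1001:Fred Nerks:/home/AD/fred:/bin/false' \
                  'alice:*:5000:1001:Alice Example:/home/alice:/bin/bash' > "$tmp/dc"
    printf '%s\n' 'fred:*:4999:1001:Fred Nerks:/home/fred:/bin/tcsh' \
                  'alice:*:5000:1001:Alice Example:/home/alice:/bin/bash' > "$tmp/member"
    passwd_drift "$tmp/dc" "$tmp/member"
    rm -rf "$tmp"
}

demo
```

On real hosts the two input files would come from running `getent passwd` on each machine and copying the output to one place. A report that lists only home and shell lines, with uid and gid matching, is consistent with the DC behaviour described in this thread.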
Felix Matouschek
2015-Jul-03 08:30 UTC
[Samba] Getent Differences on a DC and a Member Server
Hi David,

> Just to clarify, is it only the DC that doesn't return desired values of HomeDirectory and Shell?

Yes, it is only the DC that doesn't pull HomeDirectory and Shell via rfc2307. (when using winbindd)
Member servers with winbindd do pull the desired values without problems, I have it setup like this and it works without problems.

I have only two ideas to solve your problem: either you don't allow logins from users on the DC or you switch over to sssd on the DC. I suppose sssd should be suitable to achieve your desired results on the DC.

> that is why I mentioned that I don't have SSSD installed - nor any
> other nsswitch back to our current LDAP

But you do have winbind in your nsswitch?

Greetings,
Felix

On 03/07/15 03:28, David Minard wrote:
>
> Just to clarify, is it only the DC that doesn't return desired
> values of HomeDirectory and Shell?

Unless you are going to change your whole data structure for user home folders, then forget winbind. SSSD works perfectly and retrieves the whole set of attributes as specified in rfc2307. The configuration is very simple:
http://linuxcostablanca.blogspot.com.es/2014/04/sssd-ad-backend-with-samba4.html

Needless to say, SSSD works flawlessly with file servers and Linux clients too. Same configuration, same attribute set.

HTH
B

Ritter, Marcel (RRZE)
2015-Jul-10 07:05 UTC
[Samba] Getent Differences on a DC and a Member Server
Hi,

I know there've been some workarounds on this topic, however I'm missing the reason for winbind to behave differently on a DC and on a member server (I also had to work around that problem and I'd really like it fixed).

If there's a technical reason for it, it'd be nice to know about it. If there isn't, then it's just a bug that should be fixed.

Could someone of the development team please comment on this?

Bye,
Marcel