2016-06-13 18:27 GMT+02:00 Rowland penny <rpenny at samba.org>:

> On 13/06/16 13:13, mathias dufresne wrote:
>
>> I loved to find out how to achieve that.
>>
>> I did look for information, all I found was that:
>>
>> https://social.technet.microsoft.com/Forums/en-US/3e184d10-09e3-4eab-9131-6694b86879f8/modify-default-value-of-loginshell-attribute?forum=winserverDS
>>
>> Unfortunately it seems to list all users (I don't know these MS commands
>> but "Get-AdUser -Filter"...) then sending that list to something to modify
>> received users list ("Set-AdObject -Replace
>> @{unixhomedirectory='/bin/sh','bin/bash'}" and
>> https://technet.microsoft.com/en-us/library/ee617215.aspx).
>>
>
> You could always use ldbmodify on the Samba4 DC and the attribute you need
> to change for the users login shell is 'loginShell' :-)
>

Yep, MS doc, the dude who wrote that made a mistake, he tried to help at least.

>
>> I would have looked into AD schema and configuration DIT (or naming
>> context?) but first I did a grep on Samba's source tree looking for
>> "/bin/sh" string but that string seems to be used for running commands and
>> shebangs only, I could easily have missed something anyway.
>>
>
> Try reading
> /usr/local/samba/share/setup/ad-schema/MS-AD_Schema_2K8_R2_Attributes.txt
> Note: the path to your copy may vary.
>

I thought schemas were descriptions of attributes and classes, not places to set values. As I could be wrong, I used grep to read that file:
cat `locate MS-AD_Schema_2K8_R2_Attributes.txt` | grep sh -w -> no answer, "sh" (as word) is not present in that file.
There is still a chance it is written in configuration DIT but as the same grep was done during the week-end on the whole Samba 4.4.4 source tree without finding more relevant traces of "sh" word, I'm now suspecting the client is the one managing that.
If I find time I'll have a look into that DIT...

>
> Rowland
>
>
>> A cheating method is to give that task (user creation) to another team or
>> to use LDIF to create user, but you already thought about these options I
>> expect : )
>>
>> Cheers,
>>
>> mathias
>>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 14/06/16 09:50, mathias dufresne wrote:

> 2016-06-13 18:27 GMT+02:00 Rowland penny <rpenny at samba.org>:
>
>     On 13/06/16 13:13, mathias dufresne wrote:
>
>         I loved to find out how to achieve that.
>
>         I did look for information, all I found was that:
>         https://social.technet.microsoft.com/Forums/en-US/3e184d10-09e3-4eab-9131-6694b86879f8/modify-default-value-of-loginshell-attribute?forum=winserverDS
>
>         Unfortunately it seems to list all users (I don't know these
>         MS commands but "Get-AdUser -Filter"...) then sending that list to
>         something to modify received users list ("Set-AdObject -Replace
>         @{unixhomedirectory='/bin/sh','bin/bash'}" and
>         https://technet.microsoft.com/en-us/library/ee617215.aspx).
>
>     You could always use ldbmodify on the Samba4 DC and the attribute
>     you need to change for the users login shell is 'loginShell' :-)
>
> Yep, MS doc, the dude who wrote that made a mistake, he tried to help
> at least.

And you passed the mistake on Mathias! I was trying to help by pointing this out and giving a known working way of changing the contents of the 'loginShell' attribute.

>         I would have looked into AD schema and configuration DIT (or
>         naming context?) but first I did a grep on Samba's source tree
>         looking for "/bin/sh" string but that string seems to be used for
>         running commands and shebangs only, I could easily have missed
>         something anyway.
>
>     Try reading
>     /usr/local/samba/share/setup/ad-schema/MS-AD_Schema_2K8_R2_Attributes.txt
>     Note: the path to your copy may vary.
>
> I thought schemas were descriptions of attributes and classes, not
> places to set values. As I could be wrong, I used grep to read that file:
> cat `locate MS-AD_Schema_2K8_R2_Attributes.txt` | grep sh -w -> no
> answer, "sh" (as word) is not present in that file.
> There is still a chance it is written in configuration DIT but as the
> same grep was done during the week-end on the whole Samba 4.4.4 source
> tree without finding more relevant traces of "sh" word, I'm now
> suspecting the client is the one managing that.

So you think you will find the content of something that is set on windows in the Samba source code?

Windows ADUC default content for the 'loginShell' attribute is '/bin/sh'.

The Samba default content for the 'loginShell' attribute is ' ' , yes that's right, there isn't one!

You are also correct, 'sh' isn't in the list of Attributes, because it is the content of an attribute, not an attribute.

The file I pointed you to, is a list of all the attributes you can use on a Samba 4 AD DC, there is a similar file that contains all the objectclasses.

Rowland
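The ldbmodify route suggested in this thread, as an added example that is not part of the original messages: a shell function that builds the LDIF to set `loginShell` (not `unixHomeDirectory`) for a list of user DNs. The function names, the sample DNs and the sam.ldb path are assumptions.

```shell
#!/bin/sh
# Added example: generate LDIF modify records that set loginShell.
# Assumes plain ASCII DNs (others would need base64 "dn::" encoding).

make_loginshell_ldif() {
    login_shell=$1
    # Accept only an absolute path, so a typo such as 'bin/bash'
    # never ends up stored in the directory.
    case $login_shell in
        /*) ;;
        *) echo "login shell must be an absolute path: $login_shell" >&2
           return 1 ;;
    esac
    # Reject spaces, newlines and anything else that could break the LDIF.
    case $login_shell in
        *[!A-Za-z0-9/._-]*)
           echo "unexpected character in: $login_shell" >&2
           return 1 ;;
    esac
    # One modify record per DN read from stdin.
    while IFS= read -r dn; do
        [ -n "$dn" ] || continue          # skip blank lines
        printf 'dn: %s\n' "$dn"
        printf 'changetype: modify\n'
        printf 'replace: loginShell\n'
        printf 'loginShell: %s\n' "$login_shell"
        printf '%s\n\n' '-'
    done
}

# Constructed sample DNs for a hypothetical samdom.example.com domain.
sample_dns() {
    printf '%s\n' \
        'CN=alice,CN=Users,DC=samdom,DC=example,DC=com' \
        'CN=bob,CN=Users,DC=samdom,DC=example,DC=com'
}

# Typical use on the DC (the sam.ldb path varies per install):
#   sample_dns | make_loginshell_ldif /bin/bash > shells.ldif
#   ldbmodify -H /usr/local/samba/private/sam.ldb shells.ldif
```

Review the generated file before applying it; `replace:` overwrites any existing `loginShell` value on each listed account.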
2016-06-14 11:18 GMT+02:00 Rowland penny <rpenny at samba.org>:

> On 14/06/16 09:50, mathias dufresne wrote:
>
>> 2016-06-13 18:27 GMT+02:00 Rowland penny <rpenny at samba.org>:
>>
>>     On 13/06/16 13:13, mathias dufresne wrote:
>>
>>         I loved to find out how to achieve that.
>>
>>         I did look for information, all I found was that:
>>
>>         https://social.technet.microsoft.com/Forums/en-US/3e184d10-09e3-4eab-9131-6694b86879f8/modify-default-value-of-loginshell-attribute?forum=winserverDS
>>
>>         Unfortunately it seems to list all users (I don't know these
>>         MS commands but "Get-AdUser -Filter"...) then sending that list to
>>         something to modify received users list ("Set-AdObject -Replace
>>         @{unixhomedirectory='/bin/sh','bin/bash'}" and
>>         https://technet.microsoft.com/en-us/library/ee617215.aspx).
>>
>>     You could always use ldbmodify on the Samba4 DC and the attribute
>>     you need to change for the users login shell is 'loginShell' :-)
>>
>> Yep, MS doc, the dude who wrote that made a mistake, he tried to help at
>> least.
>>
>
> And you passed the mistake on Mathias ! I was trying to help by pointing
> this out and giving a known working way of changing the contents of the
> 'loginShell' attribute.
>

And I knew what I was doing. If strings some reader is not able to notice that "unixhomedirectory" is more certainly related to UNIX Home Directory than to login shell, I can't do anything for him.

>>         I would have looked into AD schema and configuration DIT (or
>>         naming context?) but first I did a grep on Samba's source tree
>>         looking for "/bin/sh" string but that string seems to be used for
>>         running commands and shebangs only, I could easily have missed
>>         something anyway.
>>
>>     Try reading
>>     /usr/local/samba/share/setup/ad-schema/MS-AD_Schema_2K8_R2_Attributes.txt
>>     Note: the path to your copy may vary.
>>
>> I thought schemas were descriptions of attributes and classes, not places
>> to set values. As I could be wrong, I used grep to read that file:
>> cat `locate MS-AD_Schema_2K8_R2_Attributes.txt` | grep sh -w -> no
>> answer, "sh" (as word) is not present in that file.
>> There is still a chance it is written in configuration DIT but as the
>> same grep was done during the week-end on the whole Samba 4.4.4 source tree
>> without finding more relevant traces of "sh" word, I'm now suspecting the
>> client is the one managing that.
>>
>
> So you think you will find the content of something that is set on windows
> in the Samba source code ?

No. I tried to find out if it was set from client side or from server side.

> Windows ADUC default content for the 'loginShell' attribute is '/bin/sh'.

How do you know that for sure? Have you a link to pass to us? Anything to share your knowledge?

> The Samba default content for the 'loginShell' attribute is ' ' ,

Reading that I would understand there is some code to have some default.

> yes that's right, there isn't one!
>

And that the default value is an empty string. Did you really mean that? In any case, what makes you affirm that? Again, some link to help us? To share your knowledge with us?

> You are also correct, 'sh' isn't in the list of Attributes, because it
> is the content of an attribute, not an attribute.

Useless and obvious, as usual.

> The file I pointed you to, is a list of all the attributes you can use on
> a Samba 4 AD DC, there is a similar file that contains all the
> objectclasses.
>

Useless and obvious, as usual.

>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Mgr. Peter Tuharsky
2016-Jun-14 10:07 UTC
[Samba] Samba 4.2.10 FS not operational with Samba 4.2.10 DC
Hi,

I'm still trying to overcome the April security patches. I have set up testing environment with everything Samba 4.2.10:
-client
-fileserver
-NT4-style DC with OpenLDAP backend.

I must make this work in order to figure out the upgrade path to Samba AD.

However, connecting from client to the FS fails because FS is unable to perform user password check. I even try to rejoin the FS to domain to no avail - I get weird NT_STATUS_NO_USER_SESSION_KEY error.

Strangely enough, connecting client directly to DC's NETLOGON folder works fine, that means, that username/password is being resolved well between Samba DC and OpenLDAP. It seems that the whole problem is between FS and DC.

Please, is there anybody who has NT4-style Samba 4 DC running and not ruined with April security patches? What I must do in order to make it work?

Peter