My smb.conf file now looks like so
[global]
#--authconfig--start-line--

# Generated by authconfig on 2017/10/30 10:47:34
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

workgroup = MIND
password server = MIND.UNM.EDU
realm = MIND.UNM.EDU
security = ads
idmap config * : range = 2000-7999
template homedir = /na/homes/%U
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = false

#--authconfig--end-line--
; security = ads
; realm = MIND.UNM.EDU
; workgroup = MIND
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config MIND:backend = ad
idmap config MIND:schema_mode = rfc2307
idmap config MIND:range = 8000-9999999
winbind nss info = rfc2307
; winbind use default domain = yes
# so that the users show up in getent
winbind enum users = yes
# so that the groups show up in getent
winbind enum groups = yes
restrict anonymous = 2
#added the following 2 for the Badlock updates that change the defaults
#to no longer work with my domain controllers
ldap server require strong auth = no
client ldap sasl wrapping = plain
; template homedir=/na/homes/%U
; template shell=/bin/bash

On Mon, Oct 30, 2017 at 10:53 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> fedora's authconfig must edit a bunch of files
>
> On Mon, Oct 30, 2017 at 10:53 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>> I found what I needed to do
>> DOMAIN=MIND.UNM.EDU
>> SHORT=MIND
>> authconfig --enablekrb5 --krb5kdc=${DOMAIN}
>> --krb5adminserver=${DOMAIN} --krb5realm=${DOMAIN} --enablewinbind
>> --enablewinbindauth --smbsecurity=ads --smbrealm=${DOMAIN}
>> --smbservers=${DOMAIN} --smbworkgroup=${SHORT}
>> --winbindtemplatehomedir=/na/homes/%U --winbindtemplateshell=/bin/bash
>> --enablemkhomedir --enablewinbindusedefaultdomain --update
>>
>> this worked
>>
>> On Mon, Oct 30, 2017 at 10:11 AM, Rowland Penny via samba
>> <samba at lists.samba.org> wrote:
>>> On Mon, 30 Oct 2017 09:49:24 -0600
>>> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>>>
>>>> OS:fedora-26
>>>> SAMBA:4.6.8
>>>> [root at squints ~]# cat /etc/samba/smb.conf
>>>> [global]
>>>> security = ads
>>>> realm = MIND.UNM.EDU
>>>> workgroup = MIND
>>>> idmap config * : backend = tdb
>>>> idmap config * : range = 2000-7999
>>>> idmap config MIND:backend = ad
>>>> idmap config MIND:schema_mode = rfc2307
>>>> idmap config MIND:range = 8000-9999999
>>>> winbind nss info = rfc2307
>>>> winbind use default domain = yes
>>>> # so that the users show up in getent
>>>> winbind enum users = yes
>>>> # so that the groups show up in getent
>>>> winbind enum groups = yes
>>>> restrict anonymous = 2
>>>> #added the following 2 for the Badlock updates that change the
>>>> defaults #to no longer work with my domain controllers
>>>> ldap server require strong auth = no
>>>> client ldap sasl wrapping = plain
>>>>
>>>> [root at squints ~]# getent passwd jsadowski
>>>> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
>>>>
>>>> however from an ubuntu machine with the same smb.conf it looks like so
>>>> OS:ubuntu-16.04
>>>> SAMBA:4.3.11
>>>> root at daddles:~# getent passwd jsadowski
>>>> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
>>>>
>>>> which is how AD shows it as well.
>>>>
>>>> Did something change in newer versions of samba that I need to add
>>>> more config options?
>>>>
>>>
>>> Yes, there have been changes and no, you don't have to use them and
>>> they wouldn't cause your problem.
>>>
>>> Your smb.conf shows you are using the 'ad' backend and you say you are
>>> using the same smb.conf on both machines.
>>>
>>> So, why are there these different:
>>>
>>> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
>>> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
>>>
>>> Which RFC2307 attributes have you added to AD ?
>>> The above user seems to have the same uidNumber, but Domain Users
>>> seems to have two different gidNumbers (8513 and 8000), the
>>> unixHomeDirectory also has two identities, as does loginShell
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
nope that just brute forced homedir and shell. It'll work for what I
want this machine for but I'd like to get the homedir and shell from AD

On Mon, Oct 30, 2017 at 10:54 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> My smb.conf file now looks like so
> [global]
> #--authconfig--start-line--
>
> # Generated by authconfig on 2017/10/30 10:47:34
> # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
> # Any modification may be deleted or altered by authconfig in future
>
> workgroup = MIND
> password server = MIND.UNM.EDU
> realm = MIND.UNM.EDU
> security = ads
> idmap config * : range = 2000-7999
> template homedir = /na/homes/%U
> template shell = /bin/bash
> kerberos method = secrets only
> winbind use default domain = true
> winbind offline logon = false
>
> #--authconfig--end-line--
> ; security = ads
> ; realm = MIND.UNM.EDU
> ; workgroup = MIND
> idmap config * : backend = tdb
> idmap config * : range = 2000-7999
> idmap config MIND:backend = ad
> idmap config MIND:schema_mode = rfc2307
> idmap config MIND:range = 8000-9999999
> winbind nss info = rfc2307
> ; winbind use default domain = yes
> # so that the users show up in getent
> winbind enum users = yes
> # so that the groups show up in getent
> winbind enum groups = yes
> restrict anonymous = 2
> #added the following 2 for the Badlock updates that change the defaults
> #to no longer work with my domain controllers
> ldap server require strong auth = no
> client ldap sasl wrapping = plain
> ; template homedir=/na/homes/%U
> ; template shell=/bin/bash
>
> On Mon, Oct 30, 2017 at 10:53 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>> fedora's authconfig must edit a bunch of files
>>
>> On Mon, Oct 30, 2017 at 10:53 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>>> I found what I needed to do
>>> DOMAIN=MIND.UNM.EDU
>>> SHORT=MIND
>>> authconfig --enablekrb5 --krb5kdc=${DOMAIN}
>>> --krb5adminserver=${DOMAIN} --krb5realm=${DOMAIN} --enablewinbind
>>> --enablewinbindauth --smbsecurity=ads --smbrealm=${DOMAIN}
>>> --smbservers=${DOMAIN} --smbworkgroup=${SHORT}
>>> --winbindtemplatehomedir=/na/homes/%U --winbindtemplateshell=/bin/bash
>>> --enablemkhomedir --enablewinbindusedefaultdomain --update
>>>
>>> this worked
>>>
>>> On Mon, Oct 30, 2017 at 10:11 AM, Rowland Penny via samba
>>> <samba at lists.samba.org> wrote:
>>>> On Mon, 30 Oct 2017 09:49:24 -0600
>>>> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> OS:fedora-26
>>>>> SAMBA:4.6.8
>>>>> [root at squints ~]# cat /etc/samba/smb.conf
>>>>> [global]
>>>>> security = ads
>>>>> realm = MIND.UNM.EDU
>>>>> workgroup = MIND
>>>>> idmap config * : backend = tdb
>>>>> idmap config * : range = 2000-7999
>>>>> idmap config MIND:backend = ad
>>>>> idmap config MIND:schema_mode = rfc2307
>>>>> idmap config MIND:range = 8000-9999999
>>>>> winbind nss info = rfc2307
>>>>> winbind use default domain = yes
>>>>> # so that the users show up in getent
>>>>> winbind enum users = yes
>>>>> # so that the groups show up in getent
>>>>> winbind enum groups = yes
>>>>> restrict anonymous = 2
>>>>> #added the following 2 for the Badlock updates that change the
>>>>> defaults #to no longer work with my domain controllers
>>>>> ldap server require strong auth = no
>>>>> client ldap sasl wrapping = plain
>>>>>
>>>>> [root at squints ~]# getent passwd jsadowski
>>>>> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
>>>>>
>>>>> however from an ubuntu machine with the same smb.conf it looks like so
>>>>> OS:ubuntu-16.04
>>>>> SAMBA:4.3.11
>>>>> root at daddles:~# getent passwd jsadowski
>>>>> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
>>>>>
>>>>> which is how AD shows it as well.
>>>>>
>>>>> Did something change in newer versions of samba that I need to add
>>>>> more config options?
>>>>>
>>>>
>>>> Yes, there have been changes and no, you don't have to use them and
>>>> they wouldn't cause your problem.
>>>>
>>>> Your smb.conf shows you are using the 'ad' backend and you say you are
>>>> using the same smb.conf on both machines.
>>>>
>>>> So, why are there these different:
>>>>
>>>> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
>>>> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
>>>>
>>>> Which RFC2307 attributes have you added to AD ?
>>>> The above user seems to have the same uidNumber, but Domain Users
>>>> seems to have two different gidNumbers (8513 and 8000), the
>>>> unixHomeDirectory also has two identities, as does loginShell
>>>>
>>>> Rowland
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
On Mon, 30 Oct 2017 10:58:01 -0600
Jeff Sadowski <jeff.sadowski at gmail.com> wrote:

> nope that just brute forced homedir and shell. It'll work for what I
> want this machine for but I'd like to get the homedir and shell from
> AD
>

The only real thing running authconfig did to the smb.conf was to add:

password server = MIND.UNM.EDU

You shouldn't need this, so I think your dns is up the spout ;-)

If you have populated the user's uidNumber, loginShell and
unixHomeDirectory attributes the winbind 'ad' backend should use them,
provided that Domain Users has a gidNumber attribute and all numbers
used are inside the DOMAIN range set in smb.conf.

Can you post your /etc/hosts, /etc/resolv.conf and /etc/krb5.conf files

Rowland
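As an added example (not code from the thread or from Samba), a small Python check of the conditions Rowland lists: it reads the idmap ranges from the posted smb.conf, takes AD attribute values constructed from the Ubuntu getent line (which Jeff says matches AD), and reports which fields of the Fedora host's getent output depart from what winbind should have built from those attributes.

```python
import re

# Constructed sample: the idmap lines from the smb.conf posted in the thread.
SMB_CONF = """\
[global]
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config MIND:backend = ad
idmap config MIND:schema_mode = rfc2307
idmap config MIND:range = 8000-9999999
"""

# Constructed AD attributes, taken from the getent line the thread says matches AD.
USER = {"uidNumber": 11490, "unixHomeDirectory": "/na/homes/jsadowski",
        "loginShell": "/bin/bash"}
DOMAIN_USERS = {"gidNumber": 8000}
FEDORA_LINE = "jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false"  # as posted

RANGE_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def parse_ranges(conf):
    """Map each idmap domain ('*', 'MIND', ...) to its (lo, hi) range."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in map(RANGE_RE.match, conf.splitlines()) if m}

def check_rfc2307(ranges, domain, user, domain_users):
    """Rowland's conditions: required attributes present, numbers inside the DOMAIN range."""
    problems = []
    lo, hi = ranges[domain]
    for attr in ("uidNumber", "unixHomeDirectory", "loginShell"):
        if attr not in user:
            problems.append(f"user lacks {attr}")
    if "gidNumber" not in domain_users:
        problems.append("Domain Users lacks gidNumber")
    for label, num in (("uidNumber", user.get("uidNumber")),
                       ("gidNumber", domain_users.get("gidNumber"))):
        if num is not None and not lo <= num <= hi:
            problems.append(f"{label} {num} outside {domain} range {lo}-{hi}")
    return problems

def expected_passwd(name, user, domain_users):
    """The getent passwd line winbind should build from those AD attributes."""
    return (f"{name}:*:{user['uidNumber']}:{domain_users['gidNumber']}::"
            f"{user['unixHomeDirectory']}:{user['loginShell']}")

def passwd_diff(observed, expected):
    """Names of passwd fields where a host's getent output departs from AD."""
    fields = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
    return [f for f, a, b in zip(fields, observed.split(":"), expected.split(":")) if a != b]
```

A non-empty list from check_rfc2307 names what still has to be fixed in AD or smb.conf; a non-empty passwd_diff with an empty problem list points at the host (for example DNS or the Kerberos setup Rowland asks about) rather than at the directory data.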