Hello List,
for anyone interested, I just solved it. My smb.conf of the
terminalserver was missing a crucial line:
template shell = /bin/sh
Once again, reading the manual saved the day.
- Arne
On 1/14/21 1:19 PM, Arne Zachlod via samba wrote:
> Hello List,
>
> I'm trying to connect a Linux based Terminal server to my Samba AD DC.
> The Domain was provisioned with samba 4.3 with the --use-rfc2307 command
> line attribute.
>
> In Windows, I configured a login shell for my users, but when doing
> "getent passwd DOMAIN\\arne", I get /bin/false as a login shell:
> arne:*:10001:10000:Arne Zachlod:/home/DOMAIN/arne:/bin/false
>
> I double checked everything from the wiki, but maybe I missed something?
> Is this even how it's supposed to work?
>
> I also attached my smb.conf of my DC, as you will probably ask for it
> anyway, as well as the smb.conf from the terminalserver (samba domain
> member).
>
> Thanks
> Arne
>
> smb.conf DC:
> =======================
> # Global parameters
> [global]
>     workgroup = DOMAIN
>     realm = int.domain.de
>     netbios name = ADDC01
>     server role = active directory domain controller
>     dns forwarder = 10.1.1.1
>     idmap_ldb:use rfc2307 = yes
>     server signing = Auto
>
> [netlogon]
>     path = /var/lib/samba/sysvol/int.domain.de/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
>
> smb.conf terminalserver:
> =======================
> [global]
>     netbios name = TS01
>     security = ADS
>     workgroup = DOMAIN
>     realm = INT.DOMAIN.DE
>
>     logfile = /var/log/samba/%m.log
>     log level = 1
>
>     # Default idmap config used for BUILTIN and local windows accounts/groups
>     idmap config *:backend = tdb
>     idmap config *:range = 2000-9999
>
>     # idmap config for domain DOMAIN
>     idmap config DOMAIN:backend = ad
>     idmap config DOMAIN:schema_mode = rfc2307
>     idmap config DOMAIN:range = 10000-99999
>
>     # Use settings from AD for login shell and home directory
>     winbind nss info = rfc2307
>
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind use default domain = yes
>     winbind refresh tickets = yes
>
>     # disable printing
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
>