frank picabia
2022-May-24 19:58 UTC
[Samba] Controlling [homes] path to obey /etc/passwd while using winbind
On Tue, May 24, 2022 at 4:29 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 2022-05-24 at 15:12 -0300, frank picabia via samba wrote:
> > Using winbind, security of ADS, I'm finding my path in [homes]
> > wants to be /home/MYDOMAIN/username
> > according to what is logged.
> >
> > When I run 'getent passwd | grep username'
> > it returns the proper local passwd entry with the local home
> > directory.
>
> That is your problem there, you do not have the same username in
> /etc/passwd and AD, you just have them in AD.
> if 'fred' is in /etc/passwd and there is a user called 'fred' in AD,
> they are NOT the same user and the user in /etc/passwd will be used
> before the user in AD.
>
> The default for the user home path in smb.conf is /home/%D/%U, where
> '%D' is the DOMAIN and '%U' is the username
>
> > In older samba, %H was working for me, but in Debian Bullseye
> > I'm having difficulty. Omitting path from homes isn't a solution
> > either.
>
> If you are using '[homes]' then you must not set the path parameter.
>
> > I really need the home directory from local Linux passwd file
> > because my home directories are not as simple as /home/%U
>
> No, you don't, you need to delete all your users from /etc/passwd and
> ensure they are created in AD.
>

This makes no sense in our environment. We have over 20,000 users in AD.
Only a handful of them use our Linux servers, but it's always changing
since it's an academic setting. We also have different Linux servers
that do completely different things, like running a CMS vs
providing a home dir to Comp Sci students. Setting their home directory,
shell, and so on should happen on the local level, not in AD.

This has worked before using the local path information in /etc/passwd.
Samba in this new environment is 4.13.13

All we really want to do with AD is authenticate. That's how this
configuration has worked for decades.
We have to tweak once in a while as new versions require, but eventually we
get it running with our homedir being left defined on each server.

> > Any ideas?
>
> Please post the output of 'testparm -s'
>

Sure, it's fairly basic. Someone here, perhaps you, had
helped get a config running for another Debian system
a few weeks back.

Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
	bind interfaces only = Yes
	disable spoolss = Yes
	dns proxy = No
	interfaces = eno1
	load printers = No
	log file = /var/log/samba/%m.log
	logging = file
	max log size = 100
	panic action = /usr/share/samba/panic-action %d
	printcap name = /dev/null
	realm = AD.MYDOMAIN.CA
	security = ADS
	server string = %h server
	template shell = /bin/bash
	winbind expand groups = 2
	winbind refresh tickets = Yes
	winbind use default domain = Yes
	workgroup = MYDOMAIN
	idmap config mydomain : range = 70000-9999999999
	idmap config mydomain : backend = rid
	idmap config * : range = 69998-69999
	idmap config * : backend = tdb
	hosts allow = 111.222.
	printing = bsd

[homes]
	comment = Home Directories
	create mask = 0700
	directory mask = 0700
	read only = No
	valid users = %U
Rowland Penny
2022-May-24 20:22 UTC
[Samba] Controlling [homes] path to obey /etc/passwd while using winbind
On Tue, 2022-05-24 at 16:58 -0300, frank picabia via samba wrote:
> On Tue, May 24, 2022 at 4:29 PM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
> > On Tue, 2022-05-24 at 15:12 -0300, frank picabia via samba wrote:
> > > Using winbind, security of ADS, I'm finding my path in [homes]
> > > wants to be /home/MYDOMAIN/username
> > > according to what is logged.
> > >
> > > When I run 'getent passwd | grep username'
> > > it returns the proper local passwd entry with the local home
> > > directory.
> >
> > That is your problem there, you do not have the same username in
> > /etc/passwd and AD, you just have them in AD.
> > if 'fred' is in /etc/passwd and there is a user called 'fred' in AD,
> > they are NOT the same user and the user in /etc/passwd will be used
> > before the user in AD.
> >
> > The default for the user home path in smb.conf is /home/%D/%U, where
> > '%D' is the DOMAIN and '%U' is the username
> >
> > > In older samba, %H was working for me, but in Debian Bullseye
> > > I'm having difficulty. Omitting path from homes isn't a solution
> > > either.
> >
> > If you are using '[homes]' then you must not set the path parameter.
> >
> > > I really need the home directory from local Linux passwd file
> > > because my home directories are not as simple as /home/%U
> >
> > No, you don't, you need to delete all your users from /etc/passwd and
> > ensure they are created in AD.
> >
>
> This makes no sense in our environment. We have over 20,000 users in AD.
> Only a handful of them use our Linux servers, but it's always changing
> since it's an academic setting. We also have different Linux servers
> that do completely different things, like running a CMS vs
> providing a home dir to Comp Sci students. Setting their home directory,
> shell, and so on should happen on the local level, not in AD.

I am not saying that it cannot happen at local level, just that you
cannot have users in /etc/passwd and AD if you are using 'security ADS'.

> This has worked before using the local path information in /etc/passwd.
> Samba in this new environment is 4.13.13
>
> All we really want to do with AD is authenticate.

If you just require authentication, then use sssd, but if you require
any shares (which includes home directories), then you need Samba with
winbind and all that entails, among which is that you do not have users
in /etc/passwd and AD.

> That's how this configuration has worked for decades.
> We have to tweak once in a while as new versions require, but
> eventually we get it running with our homedir being left defined on
> each server.
>
> > > Any ideas?
> >
> > Please post the output of 'testparm -s'
> >
>
> Sure, it's fairly basic. Someone here, perhaps you, had
> helped get a config running for another Debian system
> a few weeks back.
>
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed
> Server role: ROLE_DOMAIN_MEMBER
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
> 	bind interfaces only = Yes
> 	disable spoolss = Yes
> 	dns proxy = No
> 	interfaces = eno1
> 	load printers = No
> 	log file = /var/log/samba/%m.log
> 	logging = file
> 	max log size = 100
> 	panic action = /usr/share/samba/panic-action %d
> 	printcap name = /dev/null
> 	realm = AD.MYDOMAIN.CA
> 	security = ADS
> 	server string = %h server
> 	template shell = /bin/bash
> 	winbind expand groups = 2
> 	winbind refresh tickets = Yes
> 	winbind use default domain = Yes
> 	workgroup = MYDOMAIN
> 	idmap config mydomain : range = 70000-9999999999
> 	idmap config mydomain : backend = rid
> 	idmap config * : range = 69998-69999
> 	idmap config * : backend = tdb
> 	hosts allow = 111.222.
> 	printing = bsd
>
> [homes]
> 	comment = Home Directories
> 	create mask = 0700
> 	directory mask = 0700
> 	read only = No
> 	valid users = %U

If all your users that log into this Samba server use the same homedir
path, then add 'template homedir = /path/to/users_dir/%U' and change
'valid users = %U' in '[homes]' to 'valid users = %S', this will ensure
that only the user will be able to get into their own homedir.

Rowland
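The precedence Rowland describes, modelled as an added check that is not part of the thread: a name present in both /etc/passwd and AD is two distinct accounts, the local entry is consulted first, and only AD-only users get winbind's 'template homedir' (default /home/%D/%U). The passwd lines, the AD user list (the shape 'wbinfo -u' gives with 'winbind use default domain = Yes') and the smb.conf values are constructed sample data.

```python
"""Spot local/AD username collisions on a Samba 'security = ADS' member.

Constructed sample data, not from the thread: a few /etc/passwd lines and
the usernames an AD-joined host would list with 'winbind use default domain'.
"""

PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "fred:x:1001:1001:Fred:/srv/cs/home/fred:/bin/bash",   # also exists in AD
    "alice:x:1002:1002:Alice:/srv/cms/alice:/bin/bash",    # local only
]
DOMAIN_USERS = ["fred", "bob", "carol"]                    # constructed AD list

# Relevant smb.conf values; 'template homedir' defaults to /home/%D/%U.
SMB_CONF = {"workgroup": "MYDOMAIN", "template homedir": "/home/%D/%U"}


def local_homes(passwd_lines):
    """Map username -> home directory from /etc/passwd style lines."""
    homes = {}
    for line in passwd_lines:
        fields = line.split(":")
        if len(fields) >= 7:
            homes[fields[0]] = fields[5]
    return homes


def expand_template(template, user, domain):
    """Substitute the %D and %U macros used by 'template homedir'."""
    return template.replace("%D", domain).replace("%U", user)


def collisions(passwd_lines, domain_users):
    """Names present in both /etc/passwd and AD: two distinct accounts,
    and the local one is used before the AD one."""
    return sorted(set(local_homes(passwd_lines)) & set(domain_users))


def resolved_home(user, passwd_lines, domain_users, conf):
    """Home directory that lookup yields: local passwd entry first, then
    winbind's template for AD-only users, else nothing."""
    local = local_homes(passwd_lines)
    if user in local:
        return local[user], "local"
    if user in domain_users:
        return expand_template(conf["template homedir"], user, conf["workgroup"]), "winbind"
    return None, "unknown"
```

Running collisions() over a real host's /etc/passwd and 'wbinfo -u' output lists exactly the names that will silently resolve to the local account rather than the AD one.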