Rowland Penny
2023-Apr-27 09:28 UTC
[Samba] Unix Attributes not working as expected in a member server
On 27/04/2023 10:15, Luis Peromarta via samba wrote:
> Hi there,
>
> I have a working SAMBA environment mainly for Windows Users. 3xDCs, 1 file server, 1 print server as member servers. File sharing / printing works perfectly. AD backend with RFC2307.
>
> I am trying to get AD users to work in the file server (login to the server).
>
> I have populated in ADUC
>
> LoginShell /bin/bash
>
> and
>
> unixHomeDirectory /data/users/otros/luis
>
> However when I try
>
> # getent passwd luis
> luis:*:10005:10000:Luis Peromarta:/home/MAD/luis:/bin/false
>
> None of the parameters are read correctly from AD - maybe they are not read at all?
>
> Relevant portion of the server's smb.conf:
>
> [global]
> security = ADS
> workgroup = MAD
> realm = MAD.MATER.INT
> netbios name = SERVER
> server role = member server
> log file = /var/log/samba/%m.log
> # interfaces = lo enp1s0
> # bind interfaces only = yes
>
> # To enable Group Policy application in winbind,
> apply group policies = yes
>
> # Default ID mapping configuration for local BUILTIN accounts
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> # idmap config for the MAD domain
>
> idmap config MAD:backend = ad
> idmap config MAD:schema_mode = rfc2307
> idmap config MAD:range = 10000-999999
>
> # winbind config:
>
> winbind nss info = rfc2307
>
> What am I doing wrong?

Probably not reading 'man idmap_ad', where you will find:

unix_nss_info = yes/no
    If set to yes winbind will retrieve the login shell and home directory from the LDAP attributes. If set to no or the AD LDAP entry lacks the SFU attributes the options template shell and template homedir are used.

    Default: no

Which means, replace 'winbind nss info = rfc2307' with 'idmap config MAD : unix_nss_info = yes'

Rowland
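An added example, not part of the original thread and not Samba's own code: a small Python check that reads the [global] section of an smb.conf and reports, for each domain using the ad idmap backend, whether login shell and home directory are requested from the LDAP attributes or fall back to template shell / template homedir, following the idmap_ad text quoted above. The two sample configurations are constructed from the settings posted in the thread; the function names and the key normalisation are assumptions of this example.

```python
import re

# Constructed samples based on the settings posted in the thread.
BEFORE = """
[global]
    security = ADS
    # winbind enum users = yes
    idmap config * : backend = tdb
    idmap config MAD:backend = ad
    idmap config MAD:schema_mode = rfc2307
    winbind nss info = rfc2307
"""
AFTER = BEFORE.replace("winbind nss info = rfc2307",
                       "idmap config MAD : unix_nss_info = yes")

def parse_global(text):
    """Return {normalised key: value} for the [global] section of smb.conf text."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Assumption: 'MAD:backend' and 'MAD : backend' name the same option.
            key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
            params[key] = value.strip()
    return params

def nss_info_source(params):
    """Map each idmap_ad domain to 'ldap' or 'template' for shell and homedir.

    'ldap' still falls back to the templates when the AD entry lacks the attributes.
    """
    result = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (.+):backend", key)
        if m and value.lower() == "ad":
            dom = m.group(1)
            flag = params.get(f"idmap config {dom}:unix_nss_info", "no").lower()
            result[dom.upper()] = "ldap" if flag in ("yes", "true", "1") else "template"
    return result

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, nss_info_source(parse_global(conf)))
```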
Luis Peromarta
2023-Apr-27 09:56 UTC
[Samba] Unix Attributes not working as expected in a member server
Thanks Rowland, replaced as per the indication:

# Default ID mapping configuration for local BUILTIN accounts
idmap config * : backend = tdb
idmap config * : range = 3000-7999

# idmap config for the MAD domain
idmap config MAD : backend = ad
idmap config MAD : schema_mode = rfc2307
idmap config MAD : range = 10000-999999

# winbind config:
idmap config MAD : unix_nss_info = yes
# winbind nss info = rfc2307
winbind use default domain = yes
# winbind enum users = yes
# winbind enum groups = yes

But still no luck.

getent passwd luis
luis:*:10005:10000:Luis Peromarta:/home/MAD/luis:/bin/false

Anything else I can try?

Thanks,

> On 27 Apr 2023, at 11:28, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> Which means, replace 'winbind nss info = rfc2307' with 'idmap config MAD : unix_nss_info = yes'