[Samba] Changing default UID/GID beginning for AD
Daniel Thielking
2016-06-10 13:45:09 UTC
Dear Colleagues,

we have a Samba4 DC in our environment. We are storing Unix information
in Samba's AD.
Our problem is:

The default values are not fitting for our environment.
We want to store a different shell, e.g. /bin/tcsh. But the default value
is /bin/sh.

Is it possible to change those default values so that it fits directly at
the creation of a user?

Regards and thanks
Daniel
--
____________________________________________

Fachinformatiker für Systemintegration
RWTH Aachen
Lehrstuhl für Integrierte Analogschaltungen
Raum 238
ICT Cubes
Kopernikusstrasse 16
52074 Aachen

www.ias.rwth-aachen.de

E-mail: ***@ias.rwth-aachen.de
Telefon: 0241-8020647
_____________________________________________
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
mathias dufresne
2016-06-10 14:37:07 UTC
In short, when Samba is joined to AD:
On DC:
winbind[d] is designed to refuse AD users on a DC; to do that, all users from
AD get shell=/bin/false so their connection tries are refused by the DC.

On Members:
You just have to set a shell in the AD LDAP tree using RFC2307 attributes; for
the shell it is "loginShell". Then winbind will give your users the shell you
defined. No shell defined and you fall back on "template shell", which by
default is set to /bin/false.
Post by Daniel Thielking
Dear Colleagues,
we have a Samba4 DC in our environment. We are storing Unix information
in Samba's AD.
The default values are not fitting for our environment.
We want to store a different shell, e.g. /bin/tcsh. But the default value
is /bin/sh.
Is it possible to change those default values so that it fits directly at
the creation of a user?
Regards and thanks
Daniel
Yes, it may be possible to change the shell (and other things), but you
are going to have to give us a bit more info. Do your users log into the DC?
Or are they logging into a domain member? Perhaps you could post
your smb.conf.
Rowland
Daniel Thielking
2016-06-13 06:27:19 UTC
Yes of course. We use a Samba4 AD DC with winbind to get Unix attributes
from the DC to the clients. But every time we create a new member in
the AD we have to change the default shell, which is /bin/sh, to /bin/tcsh.
So we want to change the default value of the field in the AD so that we
don't have to change it every time.

The users log in on a Unix domain member. No login on the DC themselves.

Samba version is 4.4.4, compiled from source, no extra options chosen.


In short, when Samba is joined to AD: On DC: winbind[d] is designed to
refuse AD users on a DC; to do that, all users from AD get shell=/bin/false
so their connection tries are refused by the DC. On Members: You just have
to set a shell in the AD LDAP tree using RFC2307 attributes; for the shell it is
"loginShell". Then winbind will give your users the shell you defined.
No shell defined and you fall back on "template shell", which by default is
set to /bin/false.
Post by Daniel Thielking
Dear Colleagues,
we have a Samba4 DC in our environment. We are storing Unix
information in Samba's AD.
The default values are not fitting for our environment.
We want to store a different shell, e.g. /bin/tcsh. But the default
value is /bin/sh.
Is it possible to change those default values so that it fits directly
at the creation of a user?
Regards and thanks
Daniel
Daniel Thielking
2016-06-13 07:22:09 UTC
That already works and we use RFC2307. We also create user accounts with
ADUC. But every time we create a user with ADUC we have to change the
attribute from /bin/sh to /bin/tcsh, because /bin/sh seems to be the default
value for this attribute. I want to know how to change this default
value to /bin/tcsh so that we don't need to change it every time we
create new users via ADUC.
Post by Daniel Thielking
Yes of course. We use a Samba4 AD DC with winbind to get Unix attributes
from the DC to the clients. But every time we create a new member
in the AD we have to change the default shell, which is /bin/sh, to
/bin/tcsh. So we want to change the default value of the field in the
AD so that we don't have to change it every time.
The users log in on a Unix domain member. No login on the DC themselves.
Samba version is 4.4.4, compiled from source, no extra options chosen.
OK, if you are logging into a domain member, then you need to use
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
I take it you are creating the users with ADUC; if you use samba-tool
on the DC, you can add the required attributes when you create a new
user. Type 'samba-tool user create --help' in a terminal on the DC for
more info.
Rowland
lists
2016-06-13 10:12:18 UTC
Hi Rowland,
Use ADUC and change the shell every time you add Unix attributes to a
user (note: the latest ADUC doesn't have the Unix attributes tabs)
Latest ADUC does not have this? So, are you saying that in the future we
will no longer be able to use ADUC like we currently do?

We'd all have to start using something like
https://www.ldap-account-manager.org/lamcms/ or so..? Or is there some
other option we're perhaps overlooking..?

MJ
Data Control Systems - Mike Elkevizth
2016-06-13 11:48:44 UTC
I'm afraid Rowland is correct. See
https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/
for details of UNIX RFC2307 attributes on Windows Server going forward.

Mike E.
Post by lists
Hi Rowland,
Use ADUC and change the shell every time you add Unix attributes to a
user (note: the latest ADUC doesn't have the Unix attributes tabs)
Latest ADUC does not have this? So, are you saying that in the future
we will no longer be able to use ADUC like we currently do?
From what I have read this is the case; ADUC on Windows 10 doesn't have
the Unix attributes tabs.
Post by lists
We'd all have to start using something like
https://www.ldap-account-manager.org/lamcms/ or so..? Or is there some
other option we're perhaps overlooking..?
MJ
If you cannot or do not want to use the command line, then you will need
to use something like LAM.
Of course, I could be totally wrong and if so, I am sure someone will be
along to point this out.
Rowland
mathias dufresne
2016-06-13 12:13:05 UTC
I'd love to find out how to achieve that.

I did look for information; all I found was this:
https://social.technet.microsoft.com/Forums/en-US/3e184d10-09e3-4eab-9131-6694b86879f8/modify-default-value-of-loginshell-attribute?forum=winserverDS

Unfortunately it seems to list all users (I don't know these MS commands,
but "Get-AdUser -Filter"...) and then send that list to something to modify
the received user list ("Set-AdObject -Replace
@{unixhomedirectory='/bin/sh','bin/bash'}" and
https://technet.microsoft.com/en-us/library/ee617215.aspx).

I would have looked into the AD schema and configuration DIT (or naming
context?), but first I did a grep on Samba's source tree looking for the
"/bin/sh" string; that string seems to be used for running commands and
shebangs only. I could easily have missed something anyway.

A cheating method is to give that task (user creation) to another team or
to use LDIF to create users, but you already thought about these options, I
expect : )

Cheers,

mathias

2016-06-13 9:22 GMT+02:00 Daniel Thielking <
Post by Daniel Thielking
That already works and we use RFC2307. We also create user accounts with
ADUC. But every time we create a user with ADUC we have to change the
attribute from /bin/sh to /bin/tcsh, because /bin/sh seems to be the default
value for this attribute. I want to know how to change this default value
to /bin/tcsh so that we don't need to change it every time we create
new users via ADUC.
Post by Daniel Thielking
Yes of course. We use a Samba4 AD DC with winbind to get Unix attributes
from the DC to the clients. But every time we create a new member in the
AD we have to change the default shell, which is /bin/sh, to /bin/tcsh. So we
want to change the default value of the field in the AD so that we don't have
to change it every time.
The users log in on a Unix domain member. No login on the DC themselves.
Samba version is 4.4.4, compiled from source, no extra options chosen.
OK, if you are logging into a domain member, then you need to use RFC2307
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
I take it you are creating the users with ADUC; if you use samba-tool on
the DC, you can add the required attributes when you create a new user.
Type 'samba-tool user create --help' in a terminal on the DC for more info.
Rowland
mathias dufresne
2016-06-14 08:50:14 UTC
Post by mathias dufresne
I'd love to find out how to achieve that.
https://social.technet.microsoft.com/Forums/en-US/3e184d10-09e3-4eab-9131-6694b86879f8/modify-default-value-of-loginshell-attribute?forum=winserverDS
Unfortunately it seems to list all users (I don't know these MS commands,
but "Get-AdUser -Filter"...) and then send that list to something to modify
the received user list ("Set-AdObject -Replace
@{unixhomedirectory='/bin/sh','bin/bash'}" and
https://technet.microsoft.com/en-us/library/ee617215.aspx).
You could always use ldbmodify on the Samba4 DC; the attribute you need
to change for the user's login shell is 'loginShell' :-)
Yep, MS doc, the dude who wrote that made a mistake, he tried to help at
least.
Post by mathias dufresne
I would have looked into the AD schema and configuration DIT (or naming
context?), but first I did a grep on Samba's source tree looking for the
"/bin/sh" string; that string seems to be used for running commands and
shebangs only. I could easily have missed something anyway.
Try reading
/usr/local/samba/share/setup/ad-schema/MS-AD_Schema_2K8_R2_Attributes.txt
Note: the path to your copy may vary.
I thought schemas were descriptions of attributes and classes, not places
to set values. As I could be wrong, I used grep to read that file:
cat `locate MS-AD_Schema_2K8_R2_Attributes.txt` | grep sh -w -> no answer,
"sh" (as a word) is not present in that file.
There is still a chance it is written in the configuration DIT, but as the same
grep was done during the weekend on the whole Samba 4.4.4 source tree
without finding more relevant traces of the "sh" word, I'm now suspecting the
client is the one managing that.

If I find time I'll have a look into that DIT...
Rowland
Post by mathias dufresne
A cheating method is to give that task (user creation) to another team or
to use LDIF to create users, but you already thought about these options, I
expect : )
Cheers,
mathias
mathias dufresne
2016-06-14 09:38:40 UTC
Post by mathias dufresne
I'd love to find out how to achieve that.
https://social.technet.microsoft.com/Forums/en-US/3e184d10-09e3-4eab-9131-6694b86879f8/modify-default-value-of-loginshell-attribute?forum=winserverDS
Unfortunately it seems to list all users (I don't know these MS commands,
but "Get-AdUser -Filter"...) and then send that list to
something to modify
the received user list ("Set-AdObject -Replace
@{unixhomedirectory='/bin/sh','bin/bash'}" and
https://technet.microsoft.com/en-us/library/ee617215.aspx).
You could always use ldbmodify on the Samba4 DC; the attribute
you need to change for the user's login shell is 'loginShell' :-)
Yep, MS doc, the dude who wrote that made a mistake, he tried to help at
least.
And you passed the mistake on, Mathias! I was trying to help by pointing
this out and giving a known working way of changing the contents of the
'loginShell' attribute.
And I knew what I was doing. If some reader is not able to notice
that "unixhomedirectory" is more certainly related to UNIX Home Directory
than to login shell, I can't do anything for him.
Post by mathias dufresne
I would have looked into the AD schema and configuration DIT (or naming
context?), but first I did a grep on Samba's source tree looking for the
"/bin/sh" string; that string seems to be used for running
commands and
shebangs only. I could easily have missed something anyway.
Try reading
/usr/local/samba/share/setup/ad-schema/MS-AD_Schema_2K8_R2_Attributes.txt
Note: the path to your copy may vary.
I thought schemas were descriptions of attributes and classes, not places
cat `locate MS-AD_Schema_2K8_R2_Attributes.txt` | grep sh -w -> no
answer, "sh" (as a word) is not present in that file.
There is still a chance it is written in the configuration DIT, but as the
same grep was done during the weekend on the whole Samba 4.4.4 source tree
without finding more relevant traces of the "sh" word, I'm now suspecting the
client is the one managing that.
So you think you will find the content of something that is set on Windows
in the Samba source code?
No. I tried to find out if it was set from client side or from server side.
Windows ADUC default content for the 'loginShell' attribute is '/bin/sh'.
How do you know that for sure? Have you a link to pass to us? Anything to
share your knowledge?
The Samba default content for the 'loginShell' attribute is ' ' ,
Reading that I would understand there is some code to have some default.
yes that's right, there isn't one!
And that the default value is an empty string.

Did you really mean that? In any case, what makes you affirm that? Again,
some link to help us? To share your knowledge with us?
You are also correct, 'sh' isn't in the list of attributes, because it
is the content of an attribute, not an attribute.
Useless and obvious, as usual.
The file I pointed you to, is a list of all the attributes you can use on
a Samba 4 AD DC, there is a similar file that contains all the
objectclasses.
Useless and obvious, as usual.
Rowland
mathias dufresne
2016-06-15 12:03:06 UTC
Jeremy,

You were right.

Rowland, please accept my apologies.

Cheers,

Mathias
Post by mathias dufresne
Useless and obvious, as usual.
The file I pointed you to, is a list of all the attributes you can use
on a Samba 4 AD DC, there is a similar file that contains all the
objectclasses.
Useless and obvious, as usual.
Mathias,
This kind of comment is inappropriate for a professional
list and in particular samba-technical.
Please don't attack someone who is spending a great deal of
his own free time and energy to try and help others.
Please try and keep your comments professional and directed
only at the problem being discussed. Disagreements are fine,
but please don't make these kind of personal and unpleasant
remarks.
Thanks,
Jeremy.
Mgr. Peter Tuharsky
2016-06-14 10:07:03 UTC
Hi,

I'm still trying to overcome the April security patches.

I have set up testing environment with everything Samba 4.2.10:
-client
-fileserver
-NT4-style DC with OpenLDAP backend.

I must make this work in order to figure out the upgrade path to Samba
AD. However, connecting from client to the FS fails because FS is unable
to perform user password check.
I even tried to rejoin the FS to the domain, to no avail; I get a weird
NT_STATUS_NO_USER_SESSION_KEY error.

Strangely enough, connecting client directly to DC's NETLOGON folder
works fine, that means, that username/password is being resolved well
between Samba DC and OpenLDAP. It seems that the whole problem is
between FS and DC.

Please, is there anybody who has an NT4-style Samba 4 DC running and not
ruined by the April security patches? What must I do in order to make it work?

Peter
Mgr. Peter Tuharsky
2016-07-06 16:51:00 UTC
For the record, the problem was related to incorrectly imported LDAP
database (key domain attributes missing).
Post by Mgr. Peter Tuharsky
Hi,
I'm still trying to overcome the April security patches.
-client
-fileserver
-NT4-style DC with OpenLDAP backend.
I must make this work in order to figure out the upgrade path to Samba
AD. However, connecting from client to the FS fails because FS is unable
to perform user password check.
I even tried to rejoin the FS to the domain, to no avail; I get a weird
NT_STATUS_NO_USER_SESSION_KEY error.
Strangely enough, connecting client directly to DC's NETLOGON folder
works fine, that means, that username/password is being resolved well
between Samba DC and OpenLDAP. It seems that the whole problem is
between FS and DC.
Please, is there anybody who has an NT4-style Samba 4 DC running and not
ruined by the April security patches? What must I do in order to make it work?
Peter