
I have CentOS 7 servers with samba-winbind talking to an AD. We use rfc2307 to override the default shell for certain (power) users. One such server is still running an older version of samba-winbind, v.4.4.4-14.el7_3; this works as expected.

From smb.conf there:

#--authconfig--start-line--

# Generated by authconfig on 2016/09/06 08:59:23
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = MYDOMAIN
   realm = MYDOMAIN.COM
   security = ads
   idmap config * : range = 16777216-33554431
   template homedir = /home/%U
   template shell = /sbin/nologin
   kerberos method = secrets only
   winbind use default domain = true
   winbind offline logon = false

#--authconfig--end-line--
idmap_ldb:use rfc2307 = yes
winbind nss info = rfc2307

From this server, I can query a non-power user:

$ wbinfo -i Scott
scott:*:16777255:16777217:Scott - My Company:/home/scott:/sbin/nologin

And I can also query a power user:

$ wbinfo -i tgirsch
tgirsch:*:16777216:16777217::/home/tgirsch:/bin/ksh

The power user has had the shell overridden.

But on most servers we've updated, samba-winbind is either at 4.6 or 4.7; on these servers, the "power" user isn't picking up the override shell:

$ wbinfo -i tgirsch
tgirsch:*:16777218:16777219:Tom Girsch - My Company:/home/tgirsch:/sbin/nologin

Some initial searching suggested that the smb.conf file needed to be updated, to replace some deprecated parameters with some new ones. I've done that, but I'm still seeing exactly the same behavior. Here's what the relevant smb.conf section looks like on a machine with samba-winbind 4.7.1-9.el7_5:

#--authconfig--start-line--

# Generated by authconfig on 2019/03/14 16:23:41
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = MYDOMAIN
   realm = MYDOMAIN.COM
   security = ads
   idmap config * : range = 16777216-33554431
   template homedir = /home/%U
   template shell = /sbin/nologin
   kerberos method = secrets only
   winbind use default domain = true
   winbind offline logon = false

#--authconfig--end-line--
   idmap_ldb:rfc2307
   idmap config * : backend = tdb
   idmap config MYDOMAIN:backend = ad
   idmap config MYDOMAIN:schema_mode = rfc2307
   idmap config MYDOMAIN:unix_nss_info = yes

I've tried commenting out the idmap_ldb line and rebooting, no difference there.

Note that both the "Scott" user (non-power/default shell) and the "tgirsch" user (power-user/overridden shell) are AD-only.

I'm stumped. Any help would be greatly appreciated.


Answered my own question. Each defined domain requires its own range, which does NOT overlap with the * range. So the following changes cleared things up:

   ; The following line is deprecated, replaced by the schema_mode line below
   ;idmap_ldb:rfc2307
   idmap config * : backend = tdb
   idmap config MYDOMAIN:backend = ad
   idmap config MYDOMAIN:schema_mode = rfc2307
   ; Added the following to define custom non-overlapping range
   idmap config MYDOMAIN:range = 10000-19999
   idmap config MYDOMAIN:unix_primary_group = yes
   idmap config MYDOMAIN:unix_nss_info = yes

The "idmap config MYDOMAIN:range" line fixed it. I also needed to add the "idmap config MYDOMAIN:unix_primary_group = yes" line.

Important note: If you set this up, AD users in MYDOMAIN must have the "Unix Attributes" tab populated in AD, or they'll be rejected.
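A check for the non-overlapping-range requirement described in the answer, added here as an example and not code from the question or answer: it reads the idmap config lines from smb.conf text (the two samples are constructed from the ranges on this page) and reports a domain that declares a backend without a range of its own, plus any two ranges that intersect.

```python
import re

# Constructed sample (not the page's full smb.conf): the * range from the
# page plus the MYDOMAIN range the answer added.
GOOD_CONF = """
   idmap config * : range = 16777216-33554431
   idmap config * : backend = tdb
   idmap config MYDOMAIN:backend = ad
   idmap config MYDOMAIN:schema_mode = rfc2307
   idmap config MYDOMAIN:range = 10000-19999
"""

# Constructed sample of the question's situation: an AD backend for MYDOMAIN
# with no range of its own.
BAD_CONF = """
   idmap config * : range = 16777216-33554431
   idmap config * : backend = tdb
   idmap config MYDOMAIN:backend = ad
"""

RANGE_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$")
BACKEND_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*backend\s*=\s*(\S+)\s*$")

def parse_idmap(conf):
    """Return ({domain: (low, high)}, {domain: backend}) from smb.conf text.
    Lines starting with # or ; are comments in smb.conf and are skipped."""
    ranges, backends = {}, {}
    for line in conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # smb.conf comment line
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).strip()] = (int(m.group(2)), int(m.group(3)))
        m = BACKEND_RE.match(line)
        if m:
            backends[m.group(1).strip()] = m.group(2)
    return ranges, backends

def check_idmap(conf):
    """Report a domain with a backend but no range, and any two ranges that
    overlap (each configured domain needs its own range disjoint from *)."""
    ranges, backends = parse_idmap(conf)
    problems = [f"{d}: backend set but no range" for d in backends if d not in ranges]
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                problems.append(f"{a} and {b}: ranges overlap")
    return problems
```

Run it against the output of `testparm -s` on the affected host; an empty list means every declared domain has a range and none of the ranges collide.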