I have CentOS 7 servers with samba-winbind talking to an AD. We use rfc2307 to override the default shell for certain (power) users. One such server is still running an older version of samba-winbind, v.4.4.4-14.el7_3; this works as expected.
From smb.conf there:
#--authconfig--start-line--
# Generated by authconfig on 2016/09/06 08:59:23
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
security = ads
idmap config * : range = 16777216-33554431
template homedir = /home/%U
template shell = /sbin/nologin
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = false
#--authconfig--end-line--
idmap_ldb:use rfc2307 = yes
winbind nss info = rfc2307
From this server, I can query a non-power user:
$ wbinfo -i Scott
scott:*:16777255:16777217:Scott - My Company:/home/scott:/sbin/nologin
And I can also query a power user:
$ wbinfo -i tgirsch
tgirsch:*:16777216:16777217::/home/tgirsch:/bin/ksh
The power user has had the shell overridden.
But on most servers, we've updated, and samba-winbind is either at 4.6 or 4.7; on these servers, the "power" user isn't picking up the override shell:
$ wbinfo -i tgirsch
tgirsch:*:16777218:16777219:Tom Girsch - My Company:/home/tgirsch:/sbin/nologin
Some initial searching suggested that the smb.conf file needed to be updated, to replace some deprecated parameters with some new ones. I've done that, but I'm still seeing exactly the same behavior. Here's what the relevant smb.conf section looks like on a machine with samba-winbind 4.7.1-9.el7_5:
#--authconfig--start-line--
# Generated by authconfig on 2019/03/14 16:23:41
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
security = ads
idmap config * : range = 16777216-33554431
template homedir = /home/%U
template shell = /sbin/nologin
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = false
#--authconfig--end-line--
idmap_ldb:rfc2307
idmap config * : backend = tdb
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schmea_mode = rfc2307
idmap config MYDOMAIN:unix_nss_info = yes
I've tried commenting out the idmap_ldb line and rebooting; no difference there.
Note that both the "Scott" user (non-power/default shell) and the "tgirsch" user (power-user/overridden shell) are AD-only.
I'm stumped. Any help would be greatly appreciated.
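As an added example (not part of the question above, and not Samba's own code), here is a small Python checker that parses the `idmap config DOMAIN : key = value` lines of an smb.conf-style text and reports the things a practitioner looks at first when an `ad` backend is not delivering rfc2307 attributes: a domain with no `range`, a parameter name that idmap_ad(8) does not document, and an `idmap`-prefixed line that is not in the expected form. The list of documented `ad` backend parameters and the `schema_mode` values are taken from the idmap_ad(8) man page as I know it (an assumption to check against the version installed); the sample configuration is constructed, modelled on the 4.7 block in the question.

```python
"""Lint winbind idmap settings in smb.conf-style text (added example, not Samba code)."""
import re

# Parameters idmap_ad(8) documents for "backend = ad" (assumption: current Samba 4.x man page).
AD_BACKEND_KEYS = {"backend", "range", "schema_mode", "unix_nss_info", "unix_primary_group"}
SCHEMA_MODES = {"rfc2307", "sfu", "sfu20"}

IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.*?)$",
    re.IGNORECASE,
)

# Constructed sample, modelled on the 4.7 configuration in the question.
SAMPLE_SMB_CONF = """\
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
security = ads
idmap config * : range = 16777216-33554431
template shell = /sbin/nologin
winbind use default domain = true
idmap_ldb:rfc2307
idmap config * : backend = tdb
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schmea_mode = rfc2307
idmap config MYDOMAIN:unix_nss_info = yes
"""


def parse_idmap(text):
    """Return ({domain: {key: value}}, [(lineno, text)]) where the second list
    holds idmap-prefixed lines that are not 'idmap config DOMAIN : key = value'."""
    cfg, odd = {}, []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue
        m = IDMAP_RE.match(stripped)
        if m:
            cfg.setdefault(m["dom"].strip(), {})[m["key"].lower()] = m["val"].strip()
        elif stripped.lower().startswith("idmap"):
            odd.append((lineno, stripped))
    return cfg, odd


def lint_idmap(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    cfg, odd = parse_idmap(text)
    for lineno, line in odd:
        findings.append(f"line {lineno}: '{line}' is not of the form "
                        "'idmap config DOMAIN : key = value'")
    for dom, params in cfg.items():
        if "range" not in params:
            findings.append(f"{dom}: 'range' is not set")
        if params.get("backend", "").lower() != "ad":
            continue  # the remaining checks only apply to the ad backend
        for key in params:
            if key not in AD_BACKEND_KEYS:
                findings.append(f"{dom}: '{key}' is not a documented idmap_ad parameter")
        mode = params.get("schema_mode")
        if mode is None:
            findings.append(f"{dom}: 'schema_mode' is not set (idmap_ad defaults to rfc2307)")
        elif mode.lower() not in SCHEMA_MODES:
            findings.append(f"{dom}: schema_mode '{mode}' is not one of {sorted(SCHEMA_MODES)}")
    return findings


if __name__ == "__main__":
    for finding in lint_idmap(SAMPLE_SMB_CONF):
        print(finding)
```

Run against a real file with `lint_idmap(open("/etc/samba/smb.conf").read())`; after each change, `testparm -s` remains the authoritative check, since it reports what the running Samba version actually accepts.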