
Back in the samba-winbind 4.4 days, you could set a default template shell and template directory for AD users, but override these defaults by using rfc2307. This was useful because we could allow ordinary users to access databases with their domain credentials but prevent them from gaining shell access (by setting the template shell to /sbin/nologin) while overriding the template shell with rfc2307 for power users. It was especially useful because I could set the template to /sbin/nologin on production hosts, but set it to /usr/bin/bash on development hosts where it's useful and appropriate for those users (especially developers) to get shell access. A quick summation of how this was accomplished can be found here.

However, under samba-winbind-4.8-3 (and, indeed, anything 4.6 or newer), the smb.conf parameters to support rfc2307 changed significantly (see here), and I'm unable to get the configuration described above to work. It now seems to be all-or-nothing. I can either configure it so that it uses the template for everyone and ignores rfc2307, or so that it uses rfc2307 for anyone in the domain and rejects any users who don't have an rfc2307 profile defined in AD.

Our enterprise is small enough that we could define rfc2307 for everyone, but this prevents us from having users who are allowed to access a shell on some hosts but not others (since the rfc2307 shell applies domain-wide).

Has anyone been able to crack this nut? Is there a way to have my cake and eat it, too? Am I out of overwrought metaphors?
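For reference, the two all-or-nothing modes described in the question look like this in an smb.conf for Samba 4.6 and later. This is an added illustration, not the poster's configuration or Samba project documentation; the domain name EXAMPLE / EXAMPLE.LOCAL and the idmap ranges are placeholder values. It shows the two choices the question describes, not a per-user override.

```ini
# Added illustration, not the poster's configuration.
# EXAMPLE / EXAMPLE.LOCAL and the ranges below are placeholders.
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   security = ads

   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999

   # Mode A (e.g. a production host): unix_nss_info = no (the default) means
   # shell and home directory come from the template lines below for every
   # domain user, so loginShell/unixHomeDirectory in AD are ignored and nobody
   # gets an interactive shell.
   idmap config EXAMPLE : unix_nss_info = no
   template shell = /sbin/nologin
   template homedir = /home/%D/%U

   # Mode B (e.g. a development host): shell and home directory are read from
   # loginShell/unixHomeDirectory in AD for everyone in the domain. This is the
   # 4.6+ replacement for the global 'winbind nss info = rfc2307' setting.
   ;idmap config EXAMPLE : unix_nss_info = yes
```

Switching between the modes is done per host by toggling unix_nss_info; the template lines still have to be present for Mode A to take effect.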
