Active Directory – New Custom Home Directory Path Not Recognized

Tags: active-directory, samba

The goal is to have a custom home directory, as we need to migrate from /home, to a new volume, /people.

I've created a new test user, bilbo, yet the winbind service keeps assuming their home is at /home/bilbo instead of at /people/bilbo.

I am suspecting that Samba is not even reading the user's home directory path from Active Directory, as the results seem to indicate. Is there an smb.conf flag for that?

Steps taken to add new user, with a custom home directory path:

Create new user in AD; under extensions, used a home directory path of "/people/bilbo".

AD screenshot

On the CentOS 7 host, I manually created /people/bilbo and its contents, and tagged all files/directories with the proper permissions.

However, upon initial login, the system created a new "/home/bilbo" instead of using the existing path!

What else I've tried:

- Restarted smb and winbind, and flushed the cache (deleting *.tdb's too) - no good.
- Modified the local smb.conf, removing "template homedir = /home/%U", and restarted smb and winbind - it then created a new one in /home/DEVELOPMENT/bilbo upon login, and did not attempt to look in /people at all.

Contents of smb.conf:

[global]
    security = ADS
    workgroup = DEVELOPMENT
    realm = DEVELOPMENT.mycompany.com
    client use spnego = yes
    server signing = auto
    server string = Samba Client
    winbind nss info = rfc2307
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind separator = +
    winbind refresh tickets = yes
    winbind offline logon = yes
    inherit acls = yes

    idmap config * : backend = tdb
    idmap config * : range = 10000-20000

    template homedir = /home/%U
    force group = dev
    template shell = /bin/bash

Any suggestions, recommendations?

Best Answer

I found the cause:

I was using pre-4.6.0 settings when using a newer version of samba.
I reworked the smb.conf to allow for some local IDs and a larger AD space, as well as correct my RFC2307 data collection from Windows Active Directory.

##### New smb.conf file #####

    password server = windowsADserver.development.mycompany.com
    passdb backend = tdbsam

    # idmap config for local BUILTIN accounts and groups
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # idmap config for the DEVELOPMENT domain
    idmap config DEVELOPMENT:backend = ad           <<---- Need AD backend
    idmap config DEVELOPMENT:schema_mode = rfc2307  <<---- plus this one
    idmap config DEVELOPMENT:unix_nss_info = yes    <<---- and this one
    idmap config DEVELOPMENT:range = 10000-40000
    idmap config DEVELOPMENT:unix_primary_group = yes

    template shell = /bin/bash
    template homedir = /home/%U

    winbind use default domain = true
    winbind offline logon = false
    winbind enum users = yes
    winbind enum groups = yes
    encrypt passwords = yes
    log file = /var/log/samba/log.%m
    max log size = 50
    kerberos method = system keytab
    log level = 10

[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = No
    read only = No
    inherit acls = Yes
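As an added check (example code written for this page, not from the original post or from the Samba project): a small smb.conf linter that applies what the answer found to the [global] section and reports why winbind would fall back to "template homedir" instead of the home directory stored in AD. The two embedded configs are constructed excerpts of the question's and the answer's files; parameter-name normalisation follows smb.conf(5), which ignores case and whitespace in parameter names, and the idmap_ad defaults assumed are schema_mode = rfc2307 and unix_nss_info = no.

```python
# Constructed excerpts modelled on the two smb.conf files on this page (the
# original with no DEVELOPMENT idmap block, and the accepted answer's rework).
BROKEN_CONF = """[global]
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 10000-20000
"""
FIXED_CONF = """[global]
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DEVELOPMENT:backend = ad
idmap config DEVELOPMENT:schema_mode = rfc2307
idmap config DEVELOPMENT:unix_nss_info = yes
idmap config DEVELOPMENT:range = 10000-40000
"""

def parse_global(conf_text):
    """[global] parameters keyed by normalised name: smb.conf ignores case and
    whitespace in names, so 'idmap config * : backend' == 'idmap config *:backend'."""
    params, section = {}, None
    for line in (ln.strip() for ln in conf_text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[] ").lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.split()).lower()] = value.strip()
    return params

def idmap_range(params, domain):
    """(low, high) of 'idmap config DOMAIN : range', or None when unset."""
    value = params.get(f"idmapconfig{domain.lower()}:range")
    return tuple(int(x) for x in value.replace(" ", "").split("-")) if value else None

def check_ad_homedir(conf_text, domain):
    """Reasons winbind would ignore AD's unixHomeDirectory for DOMAIN and use
    'template homedir' instead; an empty list means the domain block is complete."""
    p, d, out = parse_global(conf_text), domain.lower(), []
    backend = p.get(f"idmapconfig{d}:backend", "unset").lower()
    if backend != "ad":
        out.append(f"{domain}: backend is '{backend}', need 'ad' (tdb allocates IDs locally)")
    if p.get(f"idmapconfig{d}:schema_mode", "rfc2307").lower() != "rfc2307":
        out.append(f"{domain}: schema_mode must be rfc2307 for unixHomeDirectory")
    if p.get(f"idmapconfig{d}:unix_nss_info", "no").lower() not in ("yes", "true", "1"):
        out.append(f"{domain}: unix_nss_info = yes is required, else templates are used")
    dom, star = idmap_range(p, domain), idmap_range(p, "*")
    if dom is None:
        out.append(f"{domain}: range is unset; idmap_ad needs an explicit range")
    elif star and dom[0] <= star[1] and star[0] <= dom[1]:
        out.append(f"{domain}: range {dom} overlaps the '*' range {star}")
    return out
```

Run it against a real file with `check_ad_homedir(open("/etc/samba/smb.conf").read(), "DEVELOPMENT")`; the range-overlap check is a generalisation beyond the page, since idmap ranges for `*` and the domain must not intersect.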