Adam Cook
2018-Nov-06 21:28 UTC
[Samba] Fwd: Login shell always /bin/false or whatever template is set in smb.conf
Hi all,

I have just set up a Samba AD DC, my first time. Ubuntu Server 16.04.5 LTS running Samba 4.3.11-Ubuntu.

If I add the below to */etc/samba/smb.conf* then the /bin/bash shell is applied to all users:

template shell = /bin/bash

With *samba-tool user add* I am able to specify the --login-shell parameter, however whatever value I pass here does not seem to apply correctly, as confirmed by looking at the result of *getent passwd <user>*.

For example, I remove the template shell option from smb.conf, restart samba-ad-dc.service and run the below command:

samba-tool user add adam --given-name=Adam --surname=Cook
> --login-shell=/bin/bash

Then observe the below:

root at DC:~# getent passwd adam
> LAB\adam:*:3000048:100:Adam Cook:/home/LAB/adam:/bin/false

Am I missing something? I'm conscious of giving all domain users by default a shell. I know I can limit SSH access by AD group but my train of thought is that if the --login-shell parameter exists in samba-tool then it could work somehow.

Best,
Adam
Rowland Penny
2018-Nov-06 21:48 UTC
[Samba] Fwd: Login shell always /bin/false or whatever template is set in smb.conf
On Tue, 6 Nov 2018 21:28:59 +0000
Adam Cook via samba <samba at lists.samba.org> wrote:

> Hi all,
>
> I have just set up a Samba AD DC, my first time. Ubuntu Server
> 16.04.5 LTS running Samba 4.3.11-Ubuntu.
>
> If I add the below to */etc/samba/smb.conf* then the /bin/bash shell
> is applied to all users:
>
> template shell = /bin/bash
>
> With *samba-tool user add* I am able to specify --login-shell
> parameter however whatever value I pass here does not seem to apply
> correctly, as confirmed by looking at result of *getent passwd
> <user>*.
>
> For example, I remove the template shell option from smb.conf, restart
> samba-ad-dc.service and run the below command:
>
> samba-tool user add adam --given-name=Adam --surname=Cook
> > --login-shell=/bin/bash
>
> Then observe the below:
>
> root at DC:~# getent passwd adam
> > LAB\adam:*:3000048:100:Adam Cook:/home/LAB/adam:/bin/false
>
> Am I missing something? I'm conscious of giving all domain users by
> default a shell. I know I can limit SSH access by AD group but my
> train of thought is that if the --login-shell parameter exists in
> samba-tool then it could work somehow.

Yes, you are totally missing the fact that winbind on a DC doesn't use login shell from AD.

However, winbind on a Unix domain member does use the login shell, as long as you use the 'ad' backend.

Rowland
Rowland Penny
2018-Nov-07 11:14 UTC
[Samba] Fwd: Login shell always /bin/false or whatever template is set in smb.conf
On Wed, 7 Nov 2018 11:00:07 +0000
Adam Cook <adam at cookuop.co.uk> wrote:

> Thanks for taking the time to reply.
>
> If I'm reading correctly, you're suggesting I should look in to
> configuring winbind on a Unix domain member to use AD as the
> 'backend'. Perhaps you could set me off in the right direction with a
> link?

It is the 'ad' backend and yes I can provide a link (two actually):

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://wiki.samba.org/index.php/Idmap_config_ad

Rowland
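As an added example (not part of this thread, and not taken from the Samba wiki pages linked above), here is the shape of the smb.conf a Unix domain member needs so that winbind reads loginShell and unixHomeDirectory from AD via the 'ad' backend, which is the setup Rowland describes. The workgroup, realm and ID range are assumed placeholders; replace them with your own. Note the template shell is deliberately left at /bin/false here, so only users who have been given a loginShell in AD get a login shell, which addresses the concern in the first post about handing every domain user a shell by default.

```ini
; /etc/samba/smb.conf on a Unix DOMAIN MEMBER (not on the DC itself)
; Added example; LAB / LAB.EXAMPLE and the ranges are placeholders.
[global]
    workgroup = LAB
    realm = LAB.EXAMPLE
    security = ADS

    ; Catch-all idmap for BUILTIN and any other domain.
    ; Its range must not overlap the range used for the AD domain.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    ; 'ad' backend: uidNumber/gidNumber are read from the RFC2307
    ; attributes stored in AD, so IDs are the same on every member.
    idmap config LAB : backend = ad
    idmap config LAB : schema_mode = rfc2307
    idmap config LAB : range = 10000-999999

    ; Take loginShell and unixHomeDirectory from AD instead of the
    ; template values (Samba 4.6 and later; older members use the
    ; global option 'winbind nss info = rfc2307' instead).
    idmap config LAB : unix_nss_info = yes

    ; Fallbacks for users who have no loginShell/unixHomeDirectory set:
    ; keep the shell disabled so a shell is opt-in per user.
    template shell = /bin/false
    template homedir = /home/%D/%U

    winbind use default domain = no
    winbind refresh tickets = yes
```

Two points worth checking after applying a configuration like this: the 'ad' backend only resolves users that actually have a uidNumber, and whose primary group has a gidNumber, so a user created with --login-shell alone will still not appear in getent passwd on the member until those attributes are set as well; and, as Rowland says, none of this changes what getent shows on the DC, where winbind keeps using the template values.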