Bug 10394 - winbind seems to ignore template homedir when used with backend = nss
winbind seems to ignore template homedir when used with backend = nss
Status: RESOLVED INVALID
Product: Samba 3.6
Classification: Unclassified
Component: Winbind
3.6.22
All Linux
: P5 normal
: ---
Assigned To: Michael Adam
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-01-22 10:32 UTC by Klaus Braun
Modified: 2014-02-21 21:26 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Klaus Braun 2014-01-22 10:32:58 UTC
Dear Samba Team,

in my configuration of samba I got a result where I need some help
to understand what's going on.

I use samba in an AD environment and the mapping of users and ids
is done via winbind and ldap.

In the config file I use:

idmap config DOMAIN : backend  = nss
idmap config DOMAIN : range = 1000-999999
winbind nss info = template

template shell = /bin/false
template homedir = /home/%U


"getent passwd username" gives me the entries in the ldap 
which are used for the mapping of the id and an info for
the path to the homedir. The result looks like this:

username:x:****:****:username:/vol/home/username:/sbin/nologin


When I use wbinfo I get the expected result according to the
template shell and template homedir entries. In my case
"wbinfo -i DOMAIN\\username" gives 

DOMAIN\username:*:****:***::/home/username:/bin/false


Up to this point all works like expected. But when I try 
to connect to the homedir of the user username, i.e.
\\server\username, samba tells me, that the connect path 
to the homedir is wrong. Obviously the path for this 
connection is derived from the entry in the ldap, and not 
from the template homedir configuration in smb.conf. In 
the log file I see

canonicalize_connect_path failed for service username, path /vol/home/username
[2014/01/21 23:47:44.421876,  0] smbd/service.c:1055(make_connection_snum)

As far as I unserstand the Samba Docs the connection to the
homedir should use the homedir path given in the template and
*not* the one from the ldap. 

So my questions is what I'm doing wrong in this case?

Thanks for your help.
  
Regards,

Klaus
Comment 1 Björn Jacke 2014-01-28 22:33:57 UTC
idmap nss says that that the nsswitch information, that means also the homedir path already is provided by a nss modude different than winbind. template homedir will only make sense if you use nss winbind. idmap nss for winbind only makes clear for winbind which uid ranges it has to use and that it can expect the users to "be there in nss" already.
Comment 2 Klaus Braun 2014-01-29 08:08:03 UTC
(In reply to comment #1)
> idmap nss says that that the nsswitch information, that means also the homedir
> path already is provided by a nss modude different than winbind. template
> homedir will only make sense if you use nss winbind. idmap nss for winbind only
> makes clear for winbind which uid ranges it has to use and that it can expect
> the users to "be there in nss" already.

Thanks for clarifying this questions. In my case where I use a central ldap
for the ID mapping and without the chance to change the homedir information
it would be helpful if idmap nss would accept the setting of template homedir 
and template shell.

If I would decide to use the entries from ldap it would still be possible to establish this as a default template setting I guess.

In any case it would be helpful to mention this behaviour on the manpages for
smb.conf and idmap_nss, at least for me ...
Comment 3 Björn Jacke 2014-01-29 13:56:28 UTC
I think it's obvious enough that with no winbind/samba stuff in nsswitch.conf there cannot come any information from samba into the output of getent passwd.
Comment 4 Klaus Braun 2014-02-02 11:04:19 UTC
You are right when you say that there cannot come any information from samba into the output of getent passwd. But this is not what I would assume. 

My question is what information samba is using to resolve the homedir of a user
in the [homes] service. In my configuration mentioned above I use idmap nss and

winbind nss info = template

template shell = /bin/false
template homedir = /home/%U

getent passwd username gives /vol/home/username as homedir according to ldap

wbinfo -i DOMAIN\\username" gives /home/username according to the template

If wbinfo gives me /home/username I would expect that samba would use this information to connect to the homedir of a user, and not the information coming from ldap.

Otherwise, if the ldap information is used like it is now the setting of
winbind nss info = template doesn't make sense for me when using idmap nss. 

Regards,

Klaus
Comment 5 Michael Adam 2014-02-21 21:26:42 UTC
(In reply to comment #4)
> You are right when you say that there cannot come any information from samba
> into the output of getent passwd. But this is not what I would assume. 
> 
> My question is what information samba is using to resolve the homedir of a user
> in the [homes] service. In my configuration mentioned above I use idmap nss and
> 
> winbind nss info = template
> 
> template shell = /bin/false
> template homedir = /home/%U
> 
> getent passwd username gives /vol/home/username as homedir according to ldap

which is expected.

> wbinfo -i DOMAIN\\username" gives /home/username according to the template

This is what winbind WOULD return to getent passwd requests,
if it WERE configured in nsswitch.conf.

Winbind offers various calls, some of which are specifically
made for the nsswitch library. If the nsswitch library is
not used (i.e. winbind not entered in nsswitch.conf), then
these calls are never used.

> If wbinfo gives me /home/username I would expect that samba
> would use this information to connect to the homedir of a user,
> and not the information coming from ldap.

It is irrelevant that this comes from ldap in your case.
Samba will use for homedir path for the homes magic share
(unless path is explicitly configured) whatever the
unix system reports as the unix user's home directory.
(And this is NOT necessarily what winbind would return
if winbind were responsible for this...)

And this makes a lot of sense, since this means
a user will see the same homedir when connected
with samba as he will see when logging in e.g. with ssh.

> Otherwise, if the ldap information is used like it is now the setting of
> winbind nss info = template doesn't make sense for me when using idmap nss. 

Correct. When using idmap nss, it is completely useless
to set the "winbind nss info" because this is the configuration
for the nss winbind calls, that are not used when
using idmap backend nss.

Marking the bug invalid, since this works as designed.
If I am missing an important point in my explanations,
please excuse and reopen :-)

Cheers - Michael