Dear Samba Team,

in my configuration of samba I got a result where I need some help to understand what's going on. I use samba in an AD environment and the mapping of users and ids is done via winbind and ldap. In the config file I use:

    idmap config DOMAIN : backend = nss
    idmap config DOMAIN : range = 1000-999999
    winbind nss info = template
    template shell = /bin/false
    template homedir = /home/%U

"getent passwd username" gives me the entries in the ldap which are used for the mapping of the id and an info for the path to the homedir. The result looks like this:

    username:x:****:****:username:/vol/home/username:/sbin/nologin

When I use wbinfo I get the expected result according to the template shell and template homedir entries. In my case "wbinfo -i DOMAIN\\username" gives

    DOMAIN\username:*:****:***::/home/username:/bin/false

Up to this point all works like expected. But when I try to connect to the homedir of the user username, i.e. \\server\username, samba tells me that the connect path to the homedir is wrong. Obviously the path for this connection is derived from the entry in the ldap, and not from the template homedir configuration in smb.conf. In the log file I see

    canonicalize_connect_path failed for service username, path /vol/home/username
    [2014/01/21 23:47:44.421876, 0] smbd/service.c:1055(make_connection_snum)

As far as I understand the Samba Docs the connection to the homedir should use the homedir path given in the template and *not* the one from the ldap. So my question is what I'm doing wrong in this case?

Thanks for your help.

Regards,
Klaus

idmap nss says that the nsswitch information, that means also the homedir path, already is provided by a nss module different than winbind. template homedir will only make sense if you use nss winbind. idmap nss for winbind only makes clear for winbind which uid ranges it has to use and that it can expect the users to "be there in nss" already.

(In reply to comment #1)
> idmap nss says that the nsswitch information, that means also the homedir
> path, already is provided by a nss module different than winbind. template
> homedir will only make sense if you use nss winbind. idmap nss for winbind only
> makes clear for winbind which uid ranges it has to use and that it can expect
> the users to "be there in nss" already.

Thanks for clarifying this question. In my case where I use a central ldap for the ID mapping and without the chance to change the homedir information it would be helpful if idmap nss would accept the setting of template homedir and template shell. If I would decide to use the entries from ldap it would still be possible to establish this as a default template setting I guess.

In any case it would be helpful to mention this behaviour on the manpages for smb.conf and idmap_nss, at least for me ...

I think it's obvious enough that with no winbind/samba stuff in nsswitch.conf there cannot come any information from samba into the output of getent passwd.

You are right when you say that there cannot come any information from samba into the output of getent passwd. But this is not what I would assume.

My question is what information samba is using to resolve the homedir of a user in the [homes] service. In my configuration mentioned above I use idmap nss and

    winbind nss info = template

    template shell = /bin/false
    template homedir = /home/%U

"getent passwd username" gives /vol/home/username as homedir according to ldap
"wbinfo -i DOMAIN\\username" gives /home/username according to the template

If wbinfo gives me /home/username I would expect that samba would use this information to connect to the homedir of a user, and not the information coming from ldap.

Otherwise, if the ldap information is used like it is now, the setting of winbind nss info = template doesn't make sense for me when using idmap nss.

Regards,
Klaus

(In reply to comment #4)
> You are right when you say that there cannot come any information from samba
> into the output of getent passwd. But this is not what I would assume.
>
> My question is what information samba is using to resolve the homedir of a user
> in the [homes] service. In my configuration mentioned above I use idmap nss and
>
> winbind nss info = template
>
> template shell = /bin/false
> template homedir = /home/%U
>
> getent passwd username gives /vol/home/username as homedir according to ldap

which is expected.

> "wbinfo -i DOMAIN\\username" gives /home/username according to the template

This is what winbind WOULD return to getent passwd requests, if it WERE configured in nsswitch.conf.

Winbind offers various calls, some of which are specifically made for the nsswitch library. If the nsswitch library is not used (i.e. winbind not entered in nsswitch.conf), then these calls are never used.

> If wbinfo gives me /home/username I would expect that samba
> would use this information to connect to the homedir of a user,
> and not the information coming from ldap.

It is irrelevant that this comes from ldap in your case. Samba will use as homedir path for the homes magic share (unless path is explicitly configured) whatever the unix system reports as the unix user's home directory. (And this is NOT necessarily what winbind would return if winbind were responsible for this...)

And this makes a lot of sense, since this means a user will see the same homedir when connected with samba as he will see when logging in e.g. with ssh.

> Otherwise, if the ldap information is used like it is now the setting of
> winbind nss info = template doesn't make sense for me when using idmap nss.

Correct. When using idmap nss, it is completely useless to set the "winbind nss info" because this is the configuration for the nss winbind calls, that are not used when using idmap backend nss.

Marking the bug invalid, since this works as designed.

If I am missing an important point in my explanations, please excuse and reopen :-)

Cheers - Michael
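
Added example, not part of the original thread and not Samba code: a small configuration check that applies the rule explained in the last comment, reporting where the [homes] path comes from and which template settings have no effect on it. The sample nsswitch.conf and smb.conf text is constructed from the reporter's settings, and the function names are hypothetical.

```python
# Constructed sample inputs modelled on the configuration in the report.
SAMPLE_NSSWITCH = "passwd: files ldap\ngroup:  files ldap\n"
SAMPLE_SMB_CONF = """\
[global]
    idmap config DOMAIN : backend = nss
    winbind nss info = template
    template homedir = /home/%U
[homes]
    browseable = no
"""
TEMPLATE_PARAMS = ("winbind nss info", "template homedir")

def passwd_sources(nsswitch_text):
    """NSS sources on the passwd line, without [STATUS=action] items."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("passwd:"):
            return [t for t in line[len("passwd:"):].split() if "=" not in t]
    return []

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {parameter: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def check_homes(nsswitch_text, smb_conf_text):
    """Return (source of the [homes] path, template parameters with no effect on it)."""
    conf = parse_smb_conf(smb_conf_text)
    set_templates = [p for p in TEMPLATE_PARAMS if p in conf.get("global", {})]
    if "path" in conf.get("homes", {}):
        return "explicit [homes] path", set_templates
    if "winbind" in passwd_sources(nsswitch_text):
        return "system passwd lookup, winbind consulted", []
    return "system passwd lookup, winbind not consulted", set_templates

if __name__ == "__main__":
    print(check_homes(SAMPLE_NSSWITCH, SAMPLE_SMB_CONF))
```

When winbind is listed after another source that already knows the user, that earlier source still answers the passwd lookup, so "winbind consulted" does not guarantee the template value is the one used.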