When using %G or %g in an SMB.CONF directive, the substitution doesn't work. For example:

    # template homedir determines the home directory for winbind users, with
    # %D expanding to their domain name and %U expanding to their username:
    template homedir = /home/%G/%U

With this directive, when using "getent", we should get:

    $ getent passwd
    ....
    TestUser:x:10465:10004::/home/MyGroup/TestUser:/bin/false
    ....

Here is what I actually get:

    TestUser:x:10465:10000::/home/10000/TestUser:/bin/false

The problem is that this bug seems to have been corrected by the Samba team in the 3.0.3 release of Samba, but is still present in Mandrake's 3.0.6 version. When compiling the source RPM, I saw that Mandrake patches the 3.0.6 tree with some older patches...

I posted a bug report on Mandrake's bugzilla, and it was found that this issue seems Samba-related, not due to Mandrake.

Well, is %g|G substitution really supposed to work in all the smb.conf directives, or is it restricted to a few? (For example, NOT "template homedir".)

I'm using this feature on my production servers, and it worked till I upgraded to 3.0.2, then 3.0.6... Before that, I was using Samba 2.2.x (Mandrake before 10.0). (Somebody said "Never upgrade prod servers...etc...!" I know, I know... :-/ )
I tried to verify this by compiling both the official sources and Mandrake then RedHat's source RPMS; the bug is still present. [Well, I got a problem querying domain users with the official version of Samba (compiled from "samba-latest.tar.gz"): winbind seems to be unable to find the domain controller... My mistake? Well, this is another problem.]

To sum up, Samba 3.0.6 in major distros (Debian's behaves the same) has a %(g|G) bug that prevents its substitution in some smb.conf directives.
As I explained in the Mandrake report, winbindd cannot expand the %[gG] variable. Currently, only %[Uu], %D, and %N are supported for 'template homedir'. I'm looking into ways to expand the number of variables that could be supported in winbind parameters, but this is essentially new functionality (i.e. it has never worked as far as I can tell). If you know of a version where these variables did work in 'template homedir', please let me know.
It worked with 2.2.7a.Mdk...

Ok, here is what I do. My students are divided in two groups on the domain: "1stYear" and "2ndYear". So, on the fileserver, I got used to splitting the students' home directories based on their NT group name:

    /home/1stYear/student1/
    /home/2ndYear/student2/
    ...

This way, I find it cleaner, and I can provide 2 additional shares on my server: "1stYear" and "2ndYear", respectively /home/1stYear/ and /home/2ndYear. Ok, no matter why.

I put this in my smb.conf:

    template homedir = /home/%G/%U

...and the other usual directives. Join the domain, and when a student clicks on the share.... IT DOES NOT WORK.

I forgot: Samba tries to access "/home/DOMAIN\1stYear/student1" for example... Although I use the directive "winbind use default domain = yes": no effect here :-( ! I had to create symbolic links "/home/MyDomain\1stYear/" => "/home/1stYear/", and here we go.

I've just tried on one of my servers (still Mdk 9.1: Samba 2.2.7a-security-rollup-fix): it DOES work. I intentionally tried by setting "template homedir" to a nonexistent directory, to see in the log how winbind makes the substitution:

    [2004/08/30 15:54:01, 0] smbd/service.c:make_connection(599)
      xxx-xxx-pc-04 (172.xx.xx.185) Can't change directory to /home/toto/DOMAIN\1stYear/student1 (No such file or directory)

But, when using "getent passwd", %g behaves erratically:

    machin.bidule:x:10474:10000::/home/%g/machin.bidule:/bin/false
    ...

Yes! %g itself, but not substituted... Still, that's better.

Ok, now, let's try with Samba 3.0.6Mdk:

* Smb.conf:

    ...
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    ; winbind separator = +
    winbind use default domain = yes
    template homedir = /home/%G/%U
    ; obey pam restrictions = yes
    template shell = /bin/false
    ...

* Getent passwd:

    ...
    student1:x:10465:10000::/home/10000/student1:/bin/false
    ...

Argghhhh....

* Connection to the "homes" share from a W2000 station:

    ...
    [2004/08/30 18:20:13, 2] smbd/service.c:make_connection(752)
      [homes] share not available for this user because it was not found or created at session setup time

Sh** ! With 3.0.6, the path isn't shown anymore when not existing... Ok, let's create it!

    ...
    [2004/08/30 18:45:30, 2] smbd/service.c:make_connection(752)
      [homes] share not available for this user because it was not found or created at session setup time

Ok, I'm tired. With older versions of Samba, it was more easily possible to know why we couldn't access a share... Path not found? Bad unix permissions? pffff...

I had noticed that %(g|G) expanded to "DOMAIN\GROUP", which forced me to create folders like "/home/DOMAIN\GROUP/usernamexx".

* Getent passwd

    ...
    student1:x:10465:10000::/home/10000/student1:/bin/false
    ...

Mmmfff!

Well, I have three questions:

- Is it possible to make Samba/Winbind more verbose about which folder is looked for when a user connects? (I tried "debug level = 10", but it's looonnngggggg. It becomes readable with "4", but I cannot find what I'm looking for, except the above messages.)
- Is it possible to have Winbindd expand %(G|g) correctly when connecting to a home directory (like it did in 2.2.7!)? And, why not, also when using Getent?
- Is it possible to get it expanded without "DOMAIN\", like if using "winbind use default domain"? It's more friendly sometimes ;-)

Bonus question: If it worked in 2.2.7, why did it disappear from 3.0.x? Design decision, or was I lucky with 2.2.x?
Ok, (semi-)good news: my last tests were done on a Samba 3.0.6 badly backported on a MDK10.0 from cooker, and I forgot to start again with an official MDK rpm (which is now 3.0.2a).

So, with Samba 3.0.2a:

* Connection to the [Homes] share by "student1":

    ...
    [2004/08/30 19:29:50, 0] smbd/service.c:make_connection_snum(677)
      '/home/10022/student1' does not exist or is not a directory, when connecting to [student1]
    ...

Ok, so the problem becomes truly visible here!

* getent passwd

    ...
    student1:x:10439:10000::/home/10000/student1:/bin/false
    ...

Hey, look! Above, "10022", and here, "10000" ???

NOTE: I always had to set "1stYear" as the user's primary group, instead of "Domain users", so I have done so here, which explains the "10022". But the "10000" in Getent?
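
Added example (not part of the original thread and not Samba code): a small Python check built on the developer's statement that only %U, %u, %D and %N are supported in 'template homedir', together with a scan of `getent passwd` output for the two symptoms quoted in the thread (a literal `%g` or a numeric directory in the home path). The function names and the sample data are constructed for illustration.

```python
import re

# Per the developer's comment in this thread; other Samba versions may differ.
SUPPORTED = {"U", "u", "D", "N"}

# Constructed sample input, modelled on the fragments quoted in the thread.
SAMPLE_CONF = """\
[global]
   winbind use default domain = yes
;  winbind separator = +
   Template HomeDir = /home/%G/%U
   template shell = /bin/false
"""
SAMPLE_PASSWD = [
    "student1:x:10465:10000::/home/10000/student1:/bin/false",
    "machin.bidule:x:10474:10000::/home/%g/machin.bidule:/bin/false",
    "student2:x:10466:10000::/home/2ndYear/student2:/bin/false",
]

def unsupported_homedir_vars(conf_text):
    """List %-variables in 'template homedir' that are not in SUPPORTED."""
    text = re.sub(r"\\\r?\n", "", conf_text)      # join continuation lines
    value = ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        name, val = line.split("=", 1)
        # smb.conf ignores case and whitespace in parameter names
        if re.sub(r"\s+", "", name).lower() == "templatehomedir":
            value = val.strip()                   # keep the last one seen
    return [v for v in re.findall(r"%(.)", value) if v not in SUPPORTED]

def suspicious_homes(passwd_lines):
    """Flag homes with an unexpanded %-variable or an all-digit directory."""
    hits = []
    for line in passwd_lines:
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue
        user, home = fields[0], fields[5]
        parents = [p for p in home.split("/") if p][:-1]
        if "%" in home:
            hits.append((user, "unexpanded variable"))
        elif any(p.isdigit() for p in parents):
            hits.append((user, "numeric path component"))
    return hits

if __name__ == "__main__":
    print(unsupported_homedir_vars(SAMPLE_CONF))
    print(suspicious_homes(SAMPLE_PASSWD))
```
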
*** This bug has been marked as a duplicate of 2191 ***