Ubuntu 18 ignoring Samba AD user's `loginShell` attribute (set to ZSH, but user receives BASH after login)
















We have a Samba AD (4.3.11-Ubuntu) attaching to both Windows and Linux clients (Ubuntu 14 and Ubuntu 18).



If I examine the LDAP for a user, his loginShell parameter is /bin/zsh. This was working for Ubuntu 14, but on the clean installs of Ubuntu 18, his login tries to use bash.



I have confirmed zsh is installed on the Ubuntu 18 computers.



If I add an /etc/passwd entry for the user in a local Ubuntu 18 machine, zsh is correctly used.



How can I determine where the issue is coming from?



EDIT:



Samba active directory was set up on the clients using Puppet to push in the configuration files, and run any needed commands. The process was:



puppet init.pp



class samba {
  package { 'mycustompackage-samba':
    ensure => present,
    require => Exec['apt-get-update'],
  }

  file { "/etc/resolv.conf.local":
    ensure => file,
    source => "puppet:///modules/samba/resolv.conf",
    before => File['/etc/resolv.conf'],
  }

  file { "/etc/resolv.conf":
    ensure => link,
    target => "/etc/resolv.conf.local",
  }

  service { "systemd-resolved":
    ensure => false,
    enable => false
  }

  file { '/etc/nsswitch.conf':
    source => [
      "puppet:///modules/samba/nsswitch.conf.$hostname",
      "puppet:///modules/samba/nsswitch.conf.$role",
      "puppet:///modules/samba/nsswitch.conf",
    ],
    owner => root,
    group => root,
    mode => "0644",
    ensure => present
  }

  file { '/etc/NetworkManager/NetworkManager.conf':
    source => "puppet:///modules/samba/NetworkManager.conf",
    owner => root,
    group => root,
    mode => "644",
    ensure => present,
    before => File['/etc/resolv.conf'],
  }

  file { '/etc/krb5.conf':
    source => [
      "puppet:///modules/samba/krb5.conf.$hostname",
      "puppet:///modules/samba/krb5.conf.$role",
      "puppet:///modules/samba/krb5.conf",
    ],
    owner => root,
    group => root,
    mode => "0600",
    ensure => present
  }

  file { '/etc/samba/smb.conf':
    source => [
      "puppet:///modules/samba/smb.conf.$hostname",
      "puppet:///modules/samba/smb.conf.$role",
      "puppet:///modules/samba/smb.conf",
    ],
    ensure => present,
    owner => root,
    group => root,
    mode => "0644",
    require => Package['h2t-samba']
  }

  host { 'Servername.redacted.de':
    ip => 'xxx.yyy.zzz.9',
    host_aliases => ["Servername"]
  }
}




smb.conf



[global]
workgroup = RedactedDomainName
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = RedactedDomainName.redacted.de
security = ads
preferred master = no
encrypt passwords = true
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
winbind refresh tickets = Yes
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 1000-999999
idmap config RedactedDomainName : backend = rid
idmap config RedactedDomainName : range=1000-999999
idmap config RedactedDomainName : base_rid = 0
;template primary group = "redactedPrimaryGroup"
winbind rpc only = no
template homedir = /share/homes/all/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2
socket options = IPTOS_LOWDELAY TCP_NODELAY


NetworkManager.conf



[main]
plugins=ifupdown,keyfile
dns=none
[ifupdown]
managed=false
[device]
wifi.scan-rand-mac-address=no


krb5.conf



[libdefaults]
default_realm = RedactedDomainName.redacted.de
ticket_lifetime = 24h #
renew_lifetime = 7d
# The following krb5.conf variables are only for MIT Kerberos.
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
[realms]
RedactedDomainName.redacted.de = {
    kdc = Servrname.redacted.de
    admin_server = Servername.redacted.de
    default_domain = RedactedDomainName.redacted.de
}

[domain_realm]
.RedactedDomainName.redacted.de = RedactedDomainName.redacted.de
RedactedDomainName.redacted.de = RedactedDomainName.redacted.de


nsswitch.conf



# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat systemd winbind
group: compat systemd winbind
shadow: compat
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis


resolv.conf



# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver xxx.yyy.zzz.9
nameserver xxx.yyy.zzz.90
nameserver xxx.yyy.zzz.91
search redacted.de


sssd.conf



[sssd]
services = nss, pam
config_file_version = 2
domains = RedactedDomainName.redacted.de
[domain/RedactedDomainName.redacted.de]
id_provider = ad
access_provider = ad
# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir.so
override_homedir = /home/%g/%u
# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = mymachine.myubuntu.example.com
# Uncomment if DNS SRV resolution is not working
# ad_server = dc.mydomain.example.com
# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = MYUBUNTU.EXAMPLE.COM
# Enumeration is discouraged for performance reasons.
enumerate = true















      active-directory ldap samba shell














      edited May 8 at 14:58 by BurningKrome
      asked Apr 26 at 13:04 by BurningKrome




















          1 Answer














          Could you please reproduce the steps taken to integrate the Ubuntu clients into the AD?
          If you are using sssd, you might check that the value `sss` is set for passwd in your nsswitch.conf, like `passwd: files sss`.

          edit:
          I see two possible points:

          • change `template shell = /bin/bash` into `template shell = /bin/zsh` inside smb.conf to set it globally
          • alter the passwd entry in nsswitch.conf to `passwd: compat systemd winbind sss` to have sssd resolve the passwd attributes

          It seems that winbind is unable to map the LDAP attribute to the local nsswitch passwd. Nsswitch, Winbind and sssd are the areas you might want to investigate further.































          • I added the info to the OP. I checked the puppet domain config being used on Ubuntu 14 machines, and didn't see any reference to SSS in the nsswitch.conf. It works on 14. Just not 18. I don't know if that means anything regarding the nsswitch.conf and sss however.

            – BurningKrome
            May 8 at 13:08
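
An added example, not part of the original thread: a Python check that reads the relevant lines of the question's smb.conf and nsswitch.conf and reports whether winbind would hand out the shell stored in the directory or the `template shell` value, then compares that with a `getent passwd` line. It assumes the Samba 4.6 and later behaviour in which winbind reads `loginShell` only through the idmap `ad` backend with `unix_nss_info = yes`; the user `jdoe`, the `getent` line and all function names are constructed for illustration.

```python
import re

# Constructed sample input: the relevant lines of the smb.conf and
# nsswitch.conf shown in the question, plus a made-up getent line.
SMB_CONF = """\
[global]
workgroup = RedactedDomainName
security = ads
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 1000-999999
idmap config RedactedDomainName : backend = rid
idmap config RedactedDomainName : range=1000-999999
;template primary group = "redactedPrimaryGroup"
template shell = /bin/bash
"""
NSSWITCH_CONF = """\
passwd: compat systemd winbind
group: compat systemd winbind
shadow: compat
"""
GETENT_LINE = "jdoe:*:11105:10513:John Doe:/share/homes/all/jdoe:/bin/bash"

TRUE_VALUES = {"yes", "true", "1", "on"}


def parse_smb_global(text):
    """Return the [global] parameters of an smb.conf as {name: value}.

    Parameter names are lower-cased and their whitespace collapsed,
    because Samba ignores both when matching names.
    """
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()
    return params


def idmap_options(params, domain):
    """Collect the 'idmap config <domain> : <option>' values for one domain."""
    options = {}
    for name, value in params.items():
        m = re.fullmatch(r"idmap config (\S+?)\s*:\s*(.+)", name)
        if m and m.group(1) == domain.lower():
            options[m.group(2)] = value
    return options


def passwd_sources(nsswitch_text):
    """Return the NSS services configured for 'passwd', in lookup order."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("passwd:"):
            # Skip action items such as [NOTFOUND=return].
            return [t for t in line.split(":", 1)[1].split() if not t.startswith("[")]
    return []


def shell_origin(smb_text, nsswitch_text, domain):
    """Return (origin, shell) for a domain user that is not in /etc/passwd.

    origin is 'directory', 'template', 'sssd' or 'unresolved'.
    Assumption (Samba 4.6 and later): winbind reads loginShell only through
    the idmap 'ad' backend with unix_nss_info enabled; any other backend
    returns 'template shell'.
    """
    params = parse_smb_global(smb_text)
    for source in passwd_sources(nsswitch_text):
        if source == "sss":
            return ("sssd", None)  # decided by sssd.conf, not smb.conf
        if source == "winbind":
            # The first service that knows the user answers; later ones are not asked.
            idmap = idmap_options(params, domain) or idmap_options(params, "*")
            from_ad = (idmap.get("backend", "").lower() == "ad"
                       and idmap.get("unix_nss_info", "no").lower() in TRUE_VALUES)
            if from_ad:
                return ("directory", None)
            return ("template", params.get("template shell", "/bin/false"))
    return ("unresolved", None)


def explain(getent_line, smb_text, nsswitch_text, domain):
    """Compare the shell field of a getent passwd line with the prediction."""
    actual = getent_line.rstrip("\n").split(":")[6]
    origin, predicted = shell_origin(smb_text, nsswitch_text, domain)
    matches = predicted is None or predicted == actual
    return {"origin": origin, "actual": actual, "consistent": matches}


if __name__ == "__main__":
    print(explain(GETENT_LINE, SMB_CONF, NSSWITCH_CONF, "RedactedDomainName"))
```

On a client, the line to feed in is the output of `getent passwd <user>` for a domain user with no local /etc/passwd entry.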











          Could you please reproduce the steps taken to integrate the Ubuntu clients into the AD?
          If you are using sssd, you might check that the value `sss` is set for `passwd` in your `nsswitch.conf`, like `passwd: files sss`.

          edit:
          I see two possible points:

          • change `template shell = /bin/bash` into `template shell = /bin/zsh` inside `smb.conf` to set it globally

          • alter the `passwd` entry in `nsswitch.conf` to `passwd: compat systemd winbind sss` to have sssd resolve the passwd attributes

          It seems that winbind is unable to map the LDAP attribute to the local nsswitch passwd. Nsswitch, Winbind and sssd are the areas you might want to investigate further.















          edited May 10 at 5:47

























          answered Apr 29 at 5:52









          juo












          • I added the info to the OP. I checked the puppet domain config being used on Ubuntu 14 machines, and didn't see any reference to SSS in the nsswitch.conf. It works on 14. Just not 18. I don't know if that means anything regarding the nsswitch.conf and sss however.

            – BurningKrome
            May 8 at 13:08
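
The two settings the answer points at, the `passwd` line in `nsswitch.conf` and `template shell` in `smb.conf`, can be read off a host with a short script. This is an added example, not part of the original answer; the function names (`passwd_sources`, `smb_global_param`, `shell_report`) and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: the sample files below are constructed, not the poster's real config.

# passwd_sources FILE: NSS sources on the passwd line, one per line, in lookup order.
# Trailing comments and [STATUS=action] items are skipped.
passwd_sources() {
    awk '{ sub(/#.*/, "") }
         $1 == "passwd:" { for (i = 2; i <= NF; i++) if ($i !~ /^\[/) print $i; exit }' "$1"
}

# smb_global_param FILE NAME: value of NAME in the [global] section of smb.conf.
# Names are matched ignoring case and embedded whitespace; the last setting wins.
smb_global_param() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); gsub(/[ \t]/, "", want) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sect = tolower($0); gsub(/[ \t]/, "", sect)
                      sub(/^\[/, "", sect); sub(/\].*$/, "", sect); next }
        sect == "global" && (eq = index($0, "=")) {
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = val
        }
        END { if (found != "") print found }' "$1"
}

# shell_report NSSWITCH SMBCONF: which domain source answers passwd lookups first.
# By default NSS stops at the first source that returns the user, so order matters.
shell_report() {
    first=none
    for s in $(passwd_sources "$1"); do
        case $s in winbind|sss) first=$s; break ;; esac
    done
    case $first in
        winbind) v=$(smb_global_param "$2" 'template shell')
                 echo "winbind answers first; smb.conf template shell = ${v:-unset}" ;;
        sss)     echo "sss answers first; the shell comes from sssd" ;;
        *)       echo "no winbind or sss source on the passwd line" ;;
    esac
}

tmp=$(mktemp -d)
printf '%s\n' 'passwd: compat systemd winbind sss  # order from the answer' \
    'group:  compat winbind' > "$tmp/nsswitch.conf"
printf '%s\n' '[global]' '   security = ads' '   Template Shell = /bin/bash' \
    '[homes]' '   read only = no' > "$tmp/smb.conf"
shell_report "$tmp/nsswitch.conf" "$tmp/smb.conf"
```

On a real Ubuntu host, call `shell_report /etc/nsswitch.conf /etc/samba/smb.conf` and compare the result with `getent passwd <user>`.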
















