Ubuntu 18 ignoring Samba AD user's `loginShell` attribute (set to ZSH, but user receives BASH after login)
We have a samba AD (4.3.11-Ubuntu) attaching to both Windows and Linux clients (Ubuntu 14, and Ubuntu 18).

If I examine the LDAP for a user, his `loginShell` parameter is `/bin/zsh`. This was working for Ubuntu 14, but on the clean installs of Ubuntu 18, his login tries to use `bash`.

I have confirmed `zsh` is installed on the Ubuntu 18 computers.

If I add an `/etc/passwd` entry for the user in a local Ubuntu 18 machine, `zsh` is correctly used.

How can I determine where the issue is coming from?
EDIT:
Samba active directory was set up on the clients using Puppet to push in the configuration files, and run any needed commands. The process was:
puppet init.pp

```puppet
class samba {
  package { 'mycustompackage-samba':
    ensure => present,
    require => Exec['apt-get-update'],
  }

  file { "/etc/resolv.conf.local":
    ensure => file,
    source => "puppet:///modules/samba/resolv.conf",
    before => File['/etc/resolv.conf'],
  }

  file { "/etc/resolv.conf":
    ensure => link,
    target => "/etc/resolv.conf.local",
  }

  service { "systemd-resolved":
    ensure => false,
    enable => false
  }

  file { '/etc/nsswitch.conf':
    source => [
      "puppet:///modules/samba/nsswitch.conf.$hostname",
      "puppet:///modules/samba/nsswitch.conf.$role",
      "puppet:///modules/samba/nsswitch.conf",
    ],
    owner => root,
    group => root,
    mode => "0644",
    ensure => present
  }

  file { '/etc/NetworkManager/NetworkManager.conf':
    source => "puppet:///modules/samba/NetworkManager.conf",
    owner => root,
    group => root,
    mode => "644",
    ensure => present,
    before => File['/etc/resolv.conf'],
  }

  file { '/etc/krb5.conf':
    source => [
      "puppet:///modules/samba/krb5.conf.$hostname",
      "puppet:///modules/samba/krb5.conf.$role",
      "puppet:///modules/samba/krb5.conf",
    ],
    owner => root,
    group => root,
    mode => "0600",
    ensure => present
  }

  file { '/etc/samba/smb.conf':
    source => [
      "puppet:///modules/samba/smb.conf.$hostname",
      "puppet:///modules/samba/smb.conf.$role",
      "puppet:///modules/samba/smb.conf",
    ],
    ensure => present,
    owner => root,
    group => root,
    mode => "0644",
    require => Package['h2t-samba']
  }

  host { 'Servername.redacted.de':
    ip => 'xxx.yyy.zzz.9',
    host_aliases => ["Servername"]
  }
}
```
smb.conf

```ini
[global]
workgroup = RedactedDomainName
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = RedactedDomainName.redacted.de
security = ads
preferred master = no
encrypt passwords = true
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
winbind refresh tickets = Yes
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 1000-999999
idmap config RedactedDomainName : backend = rid
idmap config RedactedDomainName : range=1000-999999
idmap config RedactedDomainName : base_rid = 0
;template primary group = "redactedPrimaryGroup"
winbind rpc only = no
template homedir = /share/homes/all/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2
socket options = IPTOS_LOWDELAY TCP_NODELAY
```

NetworkManager.conf

```ini
[main]
plugins=ifupdown,keyfile
dns=none

[ifupdown]
managed=false

[device]
wifi.scan-rand-mac-address=no
```
krb5.conf

```
[libdefaults]
    default_realm = RedactedDomainName.redacted.de
    ticket_lifetime = 24h #
    renew_lifetime = 7d

# The following krb5.conf variables are only for MIT Kerberos.

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#    default_tgs_enctypes = des3-hmac-sha1
#    default_tkt_enctypes = des3-hmac-sha1
#    permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.

[realms]
    RedactedDomainName.redacted.de = {
        kdc = Servrname.redacted.de
        admin_server = Servername.redacted.de
        default_domain = RedactedDomainName.redacted.de
    }

[domain_realm]
    .RedactedDomainName.redacted.de = RedactedDomainName.redacted.de
    RedactedDomainName.redacted.de = RedactedDomainName.redacted.de
```
nsswitch.conf

```
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat systemd winbind
group:          compat systemd winbind
shadow:         compat
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
```

resolv.conf

```
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver xxx.yyy.zzz.9
nameserver xxx.yyy.zzz.90
nameserver xxx.yyy.zzz.91
search redacted.de
```

sssd.conf

```ini
[sssd]
services = nss, pam
config_file_version = 2
domains = RedactedDomainName.redacted.de

[domain/RedactedDomainName.redacted.de]
id_provider = ad
access_provider = ad

# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir.so
override_homedir = /home/%g/%u

# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = mymachine.myubuntu.example.com

# Uncomment if DNS SRV resolution is not working
# ad_server = dc.mydomain.example.com

# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = MYUBUNTU.EXAMPLE.COM

# Enumeration is discouraged for performance reasons.
enumerate = true
```
active-directory ldap samba shell
asked Apr 26 at 13:04 by BurningKrome (edited May 8 at 14:58)

1 Answer
Could you please reproduce the steps taken to integrate the Ubuntu clients into the AD?

If you are using `sssd`, you might check that the value `sss` is set for passwd in your `nsswitch.conf`, like `passwd: files sss`.

edit:

I see two possible points:

- change `template shell = /bin/bash` into `template shell = /bin/zsh` inside smb.conf to set it globally
- alter the `passwd` entry in nsswitch.conf to `passwd: compat systemd winbind sss` to have sssd resolve the passwd attributes

It seems that winbind is unable to map the LDAP attribute to the local nsswitch passwd. Nsswitch, Winbind and sssd are the areas you might want to investigate further.
edited May 10 at 5:47
answered Apr 29 at 5:52
juojuo
I added the info to the OP. I checked the puppet domain config being used on Ubuntu 14 machines, and didn't see any reference to `SSS` in the `nsswitch.conf`. It works on 14. Just not 18. I don't know if that means anything regarding the `nsswitch.conf` and `sss` however.
– BurningKrome May 8 at 13:08
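To check the two settings the answer above points at, this added example (not part of the original answer or comment) parses the `passwd` line of nsswitch.conf and `template shell` from smb.conf, and reports which of winbind or sss is consulted first, since glibc stops at the first source that returns the account. The sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed sample files (not taken from the hosts in the question).
NSSWITCH = """\
# /etc/nsswitch.conf
passwd:         compat systemd winbind sss
group:          compat systemd winbind
"""
SMB_CONF = """\
[global]
   security = ads
   ; shell handed to domain users resolved through winbind
   Template Shell = /bin/bash
[share]
   path = /srv/share
"""

def passwd_sources(nsswitch_text):
    """Return the passwd sources in lookup order, dropping [STATUS=action] items."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("passwd:"):
            spec = re.sub(r"\[[^\]]*\]", " ", line.split(":", 1)[1])
            return spec.split()
    return []  # no passwd line found

def template_shell(smb_text):
    """Return 'template shell' from [global]; Samba's documented default is /bin/false."""
    section, shell = None, "/bin/false"
    for raw in smb_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace inside parameter names
            if re.sub(r"\s+", "", key).lower() == "templateshell":
                shell = value.strip()
    return shell

def first_directory_source(sources):
    """Return whichever of winbind/sss appears first in the lookup order, else None."""
    return next((s for s in sources if s in ("winbind", "sss")), None)

def report(nsswitch_text, smb_text):
    sources = passwd_sources(nsswitch_text)
    return {"order": sources, "consulted_first": first_directory_source(sources),
            "template_shell": template_shell(smb_text)}

if __name__ == "__main__":
    print(report(NSSWITCH, SMB_CONF))
```

On a live host, `getent -s winbind passwd USER` and `getent -s sss passwd USER` (with `USER` as a placeholder account name) show what each source returns on its own.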