Ubuntu 18 ignoring Samba AD user's `loginShell` attribute (set to ZSH, but user receives BASH after login)
















We have a Samba AD (4.3.11-Ubuntu) attaching to both Windows and Linux clients (Ubuntu 14 and Ubuntu 18).

If I examine the LDAP for a user, his `loginShell` parameter is `/bin/zsh`. This was working for Ubuntu 14, but on the clean installs of Ubuntu 18, his login tries to use bash.

I have confirmed zsh is installed on the Ubuntu 18 computers.

If I add an `/etc/passwd` entry for the user on a local Ubuntu 18 machine, zsh is correctly used.

How can I determine where the issue is coming from?

EDIT:

Samba Active Directory was set up on the clients using Puppet to push in the configuration files and run any needed commands. The process was:



puppet init.pp



```puppet
class samba {
  package { 'mycustompackage-samba':
    ensure  => present,
    require => Exec['apt-get-update'],
  }

  # Static resolver configuration; /etc/resolv.conf becomes a link to it.
  file { "/etc/resolv.conf.local":
    ensure => file,
    source => "puppet:///modules/samba/resolv.conf",
    before => File['/etc/resolv.conf'],
  }

  file { "/etc/resolv.conf":
    ensure => link,
    target => "/etc/resolv.conf.local",
  }

  service { "systemd-resolved":
    ensure => false,
    enable => false,
  }

  # First matching source wins: per-host, then per-role, then the default.
  file { '/etc/nsswitch.conf':
    source => [
      "puppet:///modules/samba/nsswitch.conf.$hostname",
      "puppet:///modules/samba/nsswitch.conf.$role",
      "puppet:///modules/samba/nsswitch.conf",
    ],
    owner  => root,
    group  => root,
    mode   => "0644",
    ensure => present,
  }

  file { '/etc/NetworkManager/NetworkManager.conf':
    source => "puppet:///modules/samba/NetworkManager.conf",
    owner  => root,
    group  => root,
    mode   => "644",
    ensure => present,
    before => File['/etc/resolv.conf'],
  }

  file { '/etc/krb5.conf':
    source => [
      "puppet:///modules/samba/krb5.conf.$hostname",
      "puppet:///modules/samba/krb5.conf.$role",
      "puppet:///modules/samba/krb5.conf",
    ],
    owner  => root,
    group  => root,
    mode   => "0600",
    ensure => present,
  }

  file { '/etc/samba/smb.conf':
    source  => [
      "puppet:///modules/samba/smb.conf.$hostname",
      "puppet:///modules/samba/smb.conf.$role",
      "puppet:///modules/samba/smb.conf",
    ],
    ensure  => present,
    owner   => root,
    group   => root,
    mode    => "0644",
    # Package name as posted; it differs from the redacted name declared above.
    require => Package['h2t-samba'],
  }

  host { 'Servername.redacted.de':
    ip           => 'xxx.yyy.zzz.9',
    host_aliases => ["Servername"],
  }
}
```




smb.conf



```ini
[global]
workgroup = RedactedDomainName
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = RedactedDomainName.redacted.de
security = ads
preferred master = no
encrypt passwords = true
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
winbind refresh tickets = Yes
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 1000-999999
idmap config RedactedDomainName : backend = rid
idmap config RedactedDomainName : range=1000-999999
idmap config RedactedDomainName : base_rid = 0
;template primary group = "redactedPrimaryGroup"
winbind rpc only = no
template homedir = /share/homes/all/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2
socket options = IPTOS_LOWDELAY TCP_NODELAY
```


NetworkManager.conf



```ini
[main]
plugins=ifupdown,keyfile
dns=none

[ifupdown]
managed=false

[device]
wifi.scan-rand-mac-address=no
```


krb5.conf



```ini
[libdefaults]
    default_realm = RedactedDomainName.redacted.de
    ticket_lifetime = 24h #
    renew_lifetime = 7d
# The following krb5.conf variables are only for MIT Kerberos.
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.

[realms]
    RedactedDomainName.redacted.de = {
        kdc = Servrname.redacted.de
        admin_server = Servername.redacted.de
        default_domain = RedactedDomainName.redacted.de
    }

[domain_realm]
    .RedactedDomainName.redacted.de = RedactedDomainName.redacted.de
    RedactedDomainName.redacted.de = RedactedDomainName.redacted.de
```


nsswitch.conf



```text
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd:    compat systemd winbind
group:     compat systemd winbind
shadow:    compat
gshadow:   files
hosts:     files mdns4_minimal [NOTFOUND=return] dns myhostname
networks:  files
protocols: db files
services:  db files
ethers:    db files
rpc:       db files
netgroup:  nis
```


resolv.conf



```text
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver xxx.yyy.zzz.9
nameserver xxx.yyy.zzz.90
nameserver xxx.yyy.zzz.91
search redacted.de
```


sssd.conf



```ini
[sssd]
services = nss, pam
config_file_version = 2
domains = RedactedDomainName.redacted.de

[domain/RedactedDomainName.redacted.de]
id_provider = ad
access_provider = ad
# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir.so
override_homedir = /home/%g/%u
# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = mymachine.myubuntu.example.com
# Uncomment if DNS SRV resolution is not working
# ad_server = dc.mydomain.example.com
# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = MYUBUNTU.EXAMPLE.COM
# Enumeration is discouraged for performance reasons.
enumerate = true
```









      active-directory ldap samba shell














      edited May 8 at 14:58







      BurningKrome

















      asked Apr 26 at 13:04









      BurningKrome




















          1 Answer














Could you please reproduce the steps taken to integrate the Ubuntu clients into the AD?
If you are using sssd, you might check that the value `sss` is set for `passwd` in your nsswitch.conf, like `passwd: files sss`.

edit:
I see two possible points:

• change `template shell = /bin/bash` into `template shell = /bin/zsh` inside smb.conf to set it globally

• alter the passwd entry in nsswitch.conf to `passwd: compat systemd winbind sss` to have sssd resolve the passwd attributes

It seems that winbind is unable to map the LDAP attribute to the local nsswitch passwd. Nsswitch, Winbind and sssd are the areas you might want to investigate further.































          • I added the info to the OP. I checked the puppet domain config being used on Ubuntu 14 machines, and didn't see any reference to SSS in the nsswitch.conf. It works on 14. Just not 18. I don't know if that means anything regarding the nsswitch.conf and sss however.

            – BurningKrome
            May 8 at 13:08
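One way to narrow down where the shell comes from, following the answer's pointers to nsswitch.conf and winbind, as an added example (not code from the post or from Samba). The sample files are cut down from the question's configs; the user `jdoe`, the getent-style line and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: work out which NSS source decides a domain user's login shell.

# Sources on the "passwd:" line of an nsswitch.conf, in lookup order.
# Bracketed action items such as [NOTFOUND=return] are skipped.
passwd_sources() {
    awk '$1 == "passwd:" {
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^#/) break
            if ($i ~ /^\[/) inbr = 1
            if (!inbr) out = out (out == "" ? "" : " ") $i
            if ($i ~ /\]$/) inbr = 0
        }
        print out
        exit
    }' "$1"
}

# Value of a [global] smb.conf parameter. Names are compared without regard
# to case or whitespace; the last assignment in the file wins.
smb_global() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); gsub(/[ \t]/, "", want) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            sect = tolower($0)
            sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect)
            next
        }
        sect == "global" {
            eq = index($0, "=")
            if (!eq) next
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = val
        }
        END { if (found != "") print found }' "$1"
}

# shell_origin NSSWITCH SMBCONF PASSWD_LINE DIRECTORY_SHELL
# Prints one keyword: directory | winbind-template | unexplained
shell_origin() {
    got=$(printf '%s\n' "$3" | awk -F: '{ print $7 }')
    template=$(smb_global "$2" "template shell")
    if [ "$got" = "$4" ]; then
        echo directory
        return 0
    fi
    case " $(passwd_sources "$1") " in
        *" winbind "*)
            # Heuristic: winbind is on the lookup path and the shell equals
            # 'template shell', so loginShell was not the value handed back.
            if [ "$got" = "$template" ]; then
                echo winbind-template
                return 0
            fi ;;
    esac
    echo unexplained
}

# Succeeds only when sssd is consulted for passwd lookups at all.
sssd_in_passwd_path() {
    case " $(passwd_sources "$1") " in *" sss "*) return 0 ;; esac
    return 1
}

# Sample files, cut down from the configs in the question.
write_samples() {
    cat > "$1/nsswitch.conf" <<'EOF'
passwd: compat systemd winbind
group: compat systemd winbind
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
EOF
    cat > "$1/smb.conf" <<'EOF'
[global]
winbind nss info = rfc2307
idmap config RedactedDomainName : backend = rid
;template primary group = "redactedPrimaryGroup"
template homedir = /share/homes/all/%U
template shell = /bin/bash
EOF
}

demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    # Constructed getent-style line for a hypothetical user "jdoe".
    line='jdoe:*:11105:10513::/share/homes/all/jdoe:/bin/bash'
    echo "passwd sources: $(passwd_sources "$dir/nsswitch.conf")"
    echo "idmap backend : $(smb_global "$dir/smb.conf" 'idmap config RedactedDomainName : backend')"
    echo "shell origin  : $(shell_origin "$dir/nsswitch.conf" "$dir/smb.conf" "$line" /bin/zsh)"
    sssd_in_passwd_path "$dir/nsswitch.conf" ||
        echo "note: 'sss' is not on the passwd line, so sssd is not consulted"
    rm -rf "$dir"
}
demo
```

On a live client, pass `/etc/nsswitch.conf`, `/etc/samba/smb.conf` and the output of `getent passwd <user>`; `getent -s winbind passwd <user>` queries winbind alone.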

















          active

          oldest

          votes









          0














          Could you please reproduce the steps taken to integrate the Ubuntu clients into the AD?
          If you are using sssd, you might check that the value sss is set for passwd in your nsswitch.conf like passwd: files sss



          edit:
          I see two possible points:



          • change template shell = /bin/bash into template shell = /bin/zsh inside smb.conf to set it globally


          • alter the passwd entry in nsswitch.conf to passwd: compat systemd winbind sss to have sssd resolve the passwd atributes


          It seems that winbind is unable to map the LDAP attribute to the local nsswitch passwd. Nsswitch, Winbind and sssd are the areas you might want to investigate further.






          share|improve this answer

























          • I added the info to the OP. I checked the puppet domain config being used on Ubuntu 14 machines, and didn't see any reference to SSS in the nsswitch.conf. It works on 14. Just not 18. I don't know if that means anything regarding the nsswitch.conf and sss however.

            – BurningKrome
            May 8 at 13:08















          0














          Could you please reproduce the steps taken to integrate the Ubuntu clients into the AD?
          If you are using sssd, you might check that the value sss is set for passwd in your nsswitch.conf like passwd: files sss



          edit:
          I see two possible points:



          • change template shell = /bin/bash into template shell = /bin/zsh inside smb.conf to set it globally


          • alter the passwd entry in nsswitch.conf to passwd: compat systemd winbind sss to have sssd resolve the passwd atributes


          It seems that winbind is unable to map the LDAP attribute to the local nsswitch passwd. Nsswitch, Winbind and sssd are the areas you might want to investigate further.






          share|improve this answer

























          • I added the info to the OP. I checked the puppet domain config being used on Ubuntu 14 machines, and didn't see any reference to SSS in the nsswitch.conf. It works on 14. Just not 18. I don't know if that means anything regarding the nsswitch.conf and sss however.

            – BurningKrome
            May 8 at 13:08













          0












          0








          0







          Could you please reproduce the steps taken to integrate the Ubuntu clients into the AD?
          If you are using sssd, you might check that the value sss is set for passwd in your nsswitch.conf like passwd: files sss



          edit:
          I see two possible points:



          • change template shell = /bin/bash into template shell = /bin/zsh inside smb.conf to set it globally


          • alter the passwd entry in nsswitch.conf to passwd: compat systemd winbind sss to have sssd resolve the passwd atributes


          It seems that winbind is unable to map the LDAP attribute to the local nsswitch passwd. Nsswitch, Winbind and sssd are the areas you might want to investigate further.






          share|improve this answer















          Could you please reproduce the steps taken to integrate the Ubuntu clients into the AD?
          If you are using sssd, you might check that the value sss is set for passwd in your nsswitch.conf, like `passwd: files sss`.

          edit:
          I see two possible points:

          • change `template shell = /bin/bash` into `template shell = /bin/zsh` inside smb.conf to set it globally
          • alter the passwd entry in nsswitch.conf to `passwd: compat systemd winbind sss` to have sssd resolve the passwd attributes

          It seems that winbind is unable to map the LDAP attribute to the local nsswitch passwd. Nsswitch, Winbind and sssd are the areas you might want to investigate further.















          edited May 10 at 5:47

























          answered Apr 29 at 5:52









          juo













          • I added the info to the OP. I checked the puppet domain config being used on Ubuntu 14 machines, and didn't see any reference to SSS in the nsswitch.conf. It works on 14. Just not 18. I don't know if that means anything regarding the nsswitch.conf and sss however.

            – BurningKrome
            May 8 at 13:08
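One way to check which NSS source actually supplies a user's login shell, added here as an example (it is not code from the question or the answer). It assumes glibc's default NSS behaviour, where the first source on the `passwd:` line that returns an entry wins; the function names and the `GETENT` override are hypothetical.

```shell
#!/bin/sh
# Added example: find which NSS source supplies a user's login shell.
# Assumes the default NSS action (first source that returns an entry wins).

# passwd_sources FILE: print the services on the "passwd:" line of an
# nsswitch.conf-style FILE in lookup order, skipping [STATUS=action] items.
passwd_sources() {
    awk '$1 == "passwd:" {
        skip = 0
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^#/) break            # trailing comment
            if ($i ~ /^\[/) skip = 1        # start of an action block
            if (!skip) print $i
            if ($i ~ /\]$/) skip = 0        # end of an action block
        }
    }' "$1"
}

# entry_from SOURCE USER: the passwd entry as that one source reports it.
# GETENT is a hypothetical override so the lookup can be stubbed offline.
entry_from() {
    ${GETENT:-getent} -s "$1" passwd "$2" 2>/dev/null
}

# shell_report FILE USER: one "source shell" line per source that knows USER,
# in lookup order; the first line is the shell a login will actually get.
shell_report() {
    for src in $(passwd_sources "$1"); do
        entry=$(entry_from "$src" "$2") || continue
        [ -n "$entry" ] && printf '%s %s\n' "$src" "${entry##*:}"
    done
    return 0
}

# effective_shell FILE USER: shell from the first source that answers.
effective_shell() {
    shell_report "$1" "$2" | head -n 1 | cut -d' ' -f2
}

# Run against the live system only when invoked with a user name.
if [ -n "${1:-}" ]; then
    shell_report /etc/nsswitch.conf "$1"
fi
```

On a domain member, run it with a domain user name as its argument. If the first line shows winbind with `/bin/bash`, that value is used before sssd is consulted, whatever sssd reports on a later line.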
















