2

This question relates to SAMBA version 4 when used as an Active Directory Domain Controller.

I have everything set up to allow domain users to log in to Linux. However, I have been searching for ages and cannot find how to set a user's home directory and shell. I am just getting /bin/false at the moment. I have winbind, libnss-winbind and libpam-winbind all installed and working - I can log in but the /bin/false shell isn't exactly useful!

I know how to edit the idmap.ldb, e.g. to set a user's UID, and I can edit the sam.ldb also for other attributes. I have ADUC on a Windows box joined to the Samba domain and that works too. I have tried the template homedir and template shell in the smb.conf but nothing has so far worked.

I hope I have missed something really simple and the answer is obvious, but I am suffering from Google Blindness after much time spent searching for the answer. Even the Samba docs fall short here.

starfry

1 Answer

2

You can set defaults for the home directory and login shell in the [global] section of the smb.conf configuration file:

```
template shell    = /bin/sh
template homedir  = /home/%ACCOUNTNAME%
```

Note that it is %ACCOUNTNAME% and not %U as was the case with Samba 3. Similarly, it is %WORKGROUP% instead of %D. I also discovered that changes to these values are not picked up by smbcontrol all reload-config - you have to restart Samba for them to take effect.

You should be able to add RFC2307 attributes to the user's entry in LDAP to specify per-user values but this doesn't work (yet). From the Samba Wiki:

> currently (4.1.11), Samba servers with AD DC role don't use the standard winbind daemon. This causes winbind & nss-winbind to only fetch UID & GID, not login shell and home. Samba 4.2 will give the possibility to use standard winbind, circumventing this drawback.

So, for the time being at least, we're stuck with system-wide values defined in smb.conf.

starfry
    A [commit](https://git.samba.org/?p=samba.git;a=commitdiff;h=57228317fc2339b83cccf4b1f3515d8a3b435a3c) fixes this issue for Samba 4.2. It looks like the `%ACCOUNTNAME%` style won't work once this fix is applied. This means that configs will need to be tweaked... – starfry Feb 24 '15 at 10:54
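
Because the template values apply to every domain user who logs in on the host, it helps to check what a given smb.conf actually sets in [global] and which variable style it uses (the %ACCOUNTNAME%/%WORKGROUP% form from the answer or the Samba 3 %U/%D form). The script below is an added example, not part of the original answer or of Samba; the sample file, the EXAMPLE domain and the function names are constructed for illustration.

```shell
# global_param FILE NAME: print the last value of NAME set in [global].
# Section and parameter names are matched ignoring case and whitespace;
# lines starting with # or ; are comments.
global_param() {
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            in_global = (norm(sec) == "global"); next
        }
        in_global && index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (norm(name) == norm(want)) found = val
        }
        END { print found }
    ' "$1"
}

# var_style VALUE: "long" for %ACCOUNTNAME%/%WORKGROUP%, "short" for %U/%D,
# "mixed" for both, "none" when the value has no such variable.
var_style() {
    rest=$(printf '%s' "$1" | sed 's/%ACCOUNTNAME%//g; s/%WORKGROUP%//g')
    long=no; short=no
    if [ "$rest" != "$1" ]; then long=yes; fi
    case "$rest" in *%U*|*%D*) short=yes ;; esac
    case "$long$short" in
        yesyes) echo mixed ;; yesno) echo long ;;
        noyes) echo short ;; *) echo none ;;
    esac
}

# Constructed sample smb.conf (hypothetical domain EXAMPLE), removed on exit.
conf=$(mktemp); trap 'rm -f "$conf"' EXIT
cat > "$conf" <<'EOF'
[Global]
    workgroup = EXAMPLE
    ; template shell = /bin/false
    Template Shell = /bin/sh
    template homedir = /home/%ACCOUNTNAME%
[share]
    path = /srv/share
EOF
for p in "template shell" "template homedir"; do
    v=$(global_param "$conf" "$p")
    echo "$p = ${v:-<unset>} (variables: $(var_style "$v"))"
done
```

Point `global_param` at the real smb.conf to see the values in the file; as the answer notes, Samba only picks up changes to them after a restart.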