-   Linux - Server (
-   -   Samba home directory mapping (

Nerdio 10-20-2011 02:54 AM

Samba home directory mapping
I have configured Samba on a RHEL 3 server, and am able to authenticate on that server against our Windows 2003 Active Directory. What I want to be able to do is then force the home directory for my AD login to be a home directory with a different name.

For example AD login name = bloggsf maps to a user directory of /home/EU/fredb.

(The reason why I want to do this is because our existing RHEL server has local accounts that have different names to the users domain accounts, and we want to rationalise this and centralise security. But we don't want to have to rename and move all of the home directories).

Anyway, in my smb.conf file, I have added this;

username map = /etc/samba/smbusers

And in that file I have this;

# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
!fredb = bloggsf

But when I login as bloggsf, I get this;

Could not chdir to home directory /home/EU/bloggsf: No such file or directory

Which is quite simply because that directory does not exist.

I have created a home directory of /home/EU/fredb, and I have created a 'local' user of fredb, which can login locally and goes to the right home directory.

I amusing windbind, so in my smbusers file I don't think I need an FQDN on the AD name.

This feels so close, but I am missing something. Can anyone offer me some advice/help please.

Thanks in anticipation

ostrosky.jeremiah 10-20-2011 07:00 AM

from the smb.conf man page:

force user (S)

This specifies a UNIX user name that will be assigned as the default user for all users connecting to this service. This is useful for sharing files. You should also use it carefully as using it incorrectly can cause security problems.

This user name only gets used once a connection is established. Thus clients still need to connect as a valid user and supply a valid password. Once connected, all file operations will be performed as the "forced user", no matter what username the client connected as. This can be very useful.

In Samba 2.0.5 and above this parameter also causes the primary group of the forced user to be used as the primary group for all file activity. Prior to 2.0.5 the primary group was left as the primary group of the connecting user (this was a bug).

Default: force user =

Example: force user = auser

I'm not sure if this works or not but sounds good in theory. Maybe using 'force user = %u' would work in your [homes] share if you list 'path = /home/%u'. Give it a shot and let's see what happens

Nerdio 10-20-2011 08:07 AM

If I understand this correctly, this is not quite what I want.

I have multiple users, all who have home directories already on the server, but with a 'Linux User Name' that is different to the 'AD User Name' they logged in with. I therefore wanted to be able to map each user uniquely, rather than map all users to one (which I think is what you are suggesting - sorry if I misunderstood that).

The smbusers file seems to express exactly what I want, in that it maps the logged in user name to some other user name, but this does not seem to determine the home directory as I had hoped.

ostrosky.jeremiah 10-21-2011 01:19 AM

I could be wrong in how I suggested to accomplish this but I think we're on the same page. I'm suggesting using the %u macro in your [homes] share definitions so that once the AD user has been mapped to the Linux user via smbuser, that username (%u) will be used for the home directory. for instance, in the [homes] share section, using something like 'path = /home/%u'. If it works how I think it does, the AD name (bloggs) will already be mapped to the unix name (fredb) and it should substitude 'fredb' in place of the %u macro (or, whatever user logged in).

Nerdio 10-21-2011 03:29 AM

Thanks for your reply. What you are suggesting is along the lines of how I hoped it would work. However, if I add the 'path' to the [homes] section, it still insists when I login that the home directory is /home/EU/bloggsf. I have tried putting rubbish in the smbusers file for the mapping, and for the 'path' and 'template homedir' in smb.conf but the path for the missing home directory in the error never changes. I think I have tried all combinations.

It seems now, that the home directory is being defined elsewhere, but I cannot see where. Unfortunately I cannot devote too much time to this each day, so progress on my side is slow :(.

Any further suggestions of things to check/test would be appreciated. It feels like I am missing something obvious.

ostrosky.jeremiah 10-21-2011 09:38 AM

There's an option of registry based configs that may work. You can probably look into it and define the share in a registry key on the Windows machine. However, this would only work if the user uses the same workstation all the time as the config settings are stored locally.

Nerdio 10-21-2011 09:57 AM

The users will be logging into the RHEL server directly via a Putty session. The credentials are authenticated against AD on a Windows PDC. So I am not sure how this would help, or am I not understanding something.

Nerdio 10-21-2011 01:19 PM

I have had another look at this, and re-run getent passwd, which as I understand returns all the configured users. In my case then this will return users on the local machine, and those retrieved from Active Directory. When I run getent passwd, the home directory it comes back with is /home/EU/bloggsf. I am presuming then that this has come from AD, and has not been updated based on my smbusers configuration. Is this a correct assumption? If so how do I go about updating it.

ostrosky.jeremiah 10-21-2011 03:33 PM

I think I was incorrect in what option to use. Looking into it a little further, you should try something along the lines of the following:

username map = /etc/samba/smbusers #containing 'bloggsf = fredb'

path = /home/EU/%u #or whatever path to the homes directories
valid users = %u

Or, could always go the more tedious route and just create a unix user bloggsf if you don't end up getting the username mappings to work. But I guess that could always be a last resort.

Nerdio 10-24-2011 08:45 AM

Thank you for your reply.

This unfortunately did not seem to work either. I am rather expecting that the username map will accept my logon as bloggsf, then once logged on the user appears as fredb. When I have logged on though, it is still looking for the wrong home directory, and whoami says the user is bloggsf.

My smb.conf file looks like this;

log level = 10
workgroup = EU
server string = sectest server
log file = /var/log/samba/%m.log
max log size = 50
security = ADS
password server = MY-PDC.EU.MYDOMAIN.LOCAL
username map = /etc/samba/smbusers
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind use default domain = yes

#============================ Share Definitions ==============================
comment = Home Directories
browseable = no
writeable = yes
path = /home/%D/%u
valid users = %u
comment = All Printers
path = /var/spool/samba
browseable = no
printable = yes

My smbusers file looks like this;

# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
fredb = EU/bloggsf

I have tried the smbusers file with and without the domain of EU but to no avail.

From what I can see of the user name mapping, it just works, but not for me, so I tend to think I am missing something very obvious, or have made a stupid mistake. Each time I edit smb.conf, or smbusers I stop the winbind, and samba daemons and restart them. The only thing I haven't done is bounce the whole server.

Apart from this I have Kerberos, and PAM configured. I have looked in the log files, but cannot see anything glaringly obvious.

Any more suggestions anybody.

Nerdio 10-24-2011 08:52 AM

Oh and I have also created a local account called fredb, which has a different password to bloggsf.

I can login as fredb, and go to the home directory /home/EU/fredb, which is what I expect, and what I want the account bloggsf to do.

ostrosky.jeremiah 10-25-2011 08:37 AM

I don't know if this option works for individual shares or not but the option 'force user' may help. You would probably have to setup a separate share definition for that though. Then, when bloggsf logs in you can have the user force to be fredb. Probably worth a shot to read up on it.

Nerdio 11-08-2011 07:28 AM

Thanks for your reply, and apologies for the delay in replying.

I have tried this, by adding this to smb.conf

force user = fredb

This did not seem to work either. I still get the error;

Could not chdir to home directory /home/EU/bloggsf: No such file or directory.

I do not seem to be able to make the system translate the user to fredb.

Everything I have read seems to make this seem so simple, and the apparent way to do this is with username map. I can see no evidence to suggest that this is being used at all.

Does anybody have any ideas how to make this work, because I am starting to doubt if I am approaching this from the right direction.

LooseNugget 09-13-2012 09:45 AM

Have you tried creating symlinks for your AD users to the real home directories?

for example: ln -s /home/EU/fredb /home/EU/bloggsf

A bit of a pain, but maybe you can script it

All times are GMT -5. The time now is 05:29 PM.