Old 10-20-2011, 02:54 AM   #1
Nerdio
LQ Newbie
 
Registered: Sep 2011
Posts: 27

Rep: Reputation: Disabled
Samba home directory mapping


I have configured Samba on a RHEL 3 server, and am able to authenticate on that server against our Windows 2003 Active Directory. What I want to be able to do is then force the home directory for my AD login to be a home directory with a different name.

For example AD login name = bloggsf maps to a user directory of /home/EU/fredb.

(The reason why I want to do this is because our existing RHEL server has local accounts that have different names to the users' domain accounts, and we want to rationalise this and centralise security. But we don't want to have to rename and move all of the home directories).

Anyway, in my smb.conf file, I have added this;

username map = /etc/samba/smbusers

And in that file I have this;

# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
!fredb = bloggsf

But when I login as bloggsf, I get this;

Could not chdir to home directory /home/EU/bloggsf: No such file or directory

Which is quite simply because that directory does not exist.

I have created a home directory of /home/EU/fredb, and I have created a 'local' user of fredb, which can login locally and goes to the right home directory.

I am using winbind, so in my smbusers file I don't think I need an FQDN on the AD name.

This feels so close, but I am missing something. Can anyone offer me some advice/help please?

Thanks in anticipation
 
Old 10-20-2011, 07:00 AM   #2
ostrosky.jeremiah
LQ Newbie
 
Registered: Aug 2011
Location: Pittsburgh, Pa
Distribution: Centos 6.4
Posts: 29

Rep: Reputation: Disabled
From the smb.conf man page:

force user (S)

This specifies a UNIX user name that will be assigned as the default user for all users connecting to this service. This is useful for sharing files. You should also use it carefully as using it incorrectly can cause security problems.

This user name only gets used once a connection is established. Thus clients still need to connect as a valid user and supply a valid password. Once connected, all file operations will be performed as the "forced user", no matter what username the client connected as. This can be very useful.

In Samba 2.0.5 and above this parameter also causes the primary group of the forced user to be used as the primary group for all file activity. Prior to 2.0.5 the primary group was left as the primary group of the connecting user (this was a bug).

Default: force user =

Example: force user = auser

I'm not sure if this works or not but sounds good in theory. Maybe using 'force user = %u' would work in your [homes] share if you list 'path = /home/%u'. Give it a shot and let's see what happens
 
Old 10-20-2011, 08:07 AM   #3
Nerdio
LQ Newbie
 
Registered: Sep 2011
Posts: 27

Original Poster
Rep: Reputation: Disabled
If I understand this correctly, this is not quite what I want.

I have multiple users, all who have home directories already on the server, but with a 'Linux User Name' that is different to the 'AD User Name' they logged in with. I therefore wanted to be able to map each user uniquely, rather than map all users to one (which I think is what you are suggesting - sorry if I misunderstood that).

The smbusers file seems to express exactly what I want, in that it maps the logged in user name to some other user name, but this does not seem to determine the home directory as I had hoped.
 
Old 10-21-2011, 01:19 AM   #4
ostrosky.jeremiah
LQ Newbie
 
Registered: Aug 2011
Location: Pittsburgh, Pa
Distribution: Centos 6.4
Posts: 29

Rep: Reputation: Disabled
I could be wrong in how I suggested to accomplish this but I think we're on the same page. I'm suggesting using the %u macro in your [homes] share definitions so that once the AD user has been mapped to the Linux user via smbuser, that username (%u) will be used for the home directory. For instance, in the [homes] share section, using something like 'path = /home/%u'. If it works how I think it does, the AD name (bloggs) will already be mapped to the unix name (fredb) and it should substitute 'fredb' in place of the %u macro (or, whatever user logged in).
 
Old 10-21-2011, 03:29 AM   #5
Nerdio
LQ Newbie
 
Registered: Sep 2011
Posts: 27

Original Poster
Rep: Reputation: Disabled
Thanks for your reply. What you are suggesting is along the lines of how I hoped it would work. However, if I add the 'path' to the [homes] section, it still insists when I login that the home directory is /home/EU/bloggsf. I have tried putting rubbish in the smbusers file for the mapping, and for the 'path' and 'template homedir' in smb.conf but the path for the missing home directory in the error never changes. I think I have tried all combinations.

It seems now that the home directory is being defined elsewhere, but I cannot see where. Unfortunately I cannot devote too much time to this each day, so progress on my side is slow.

Any further suggestions of things to check/test would be appreciated. It feels like I am missing something obvious.
 
Old 10-21-2011, 09:38 AM   #6
ostrosky.jeremiah
LQ Newbie
 
Registered: Aug 2011
Location: Pittsburgh, Pa
Distribution: Centos 6.4
Posts: 29

Rep: Reputation: Disabled
There's an option of registry based configs that may work. You can probably look into it and define the share in a registry key on the Windows machine. However, this would only work if the user uses the same workstation all the time as the config settings are stored locally.
 
Old 10-21-2011, 09:57 AM   #7
Nerdio
LQ Newbie
 
Registered: Sep 2011
Posts: 27

Original Poster
Rep: Reputation: Disabled
The users will be logging into the RHEL server directly via a Putty session. The credentials are authenticated against AD on a Windows PDC. So I am not sure how this would help, or am I not understanding something?
 
Old 10-21-2011, 01:19 PM   #8
Nerdio
LQ Newbie
 
Registered: Sep 2011
Posts: 27

Original Poster
Rep: Reputation: Disabled
I have had another look at this, and re-run getent passwd, which as I understand returns all the configured users. In my case then this will return users on the local machine, and those retrieved from Active Directory. When I run getent passwd, the home directory it comes back with is /home/EU/bloggsf. I am presuming then that this has come from AD, and has not been updated based on my smbusers configuration. Is this a correct assumption? If so, how do I go about updating it?
 
Old 10-21-2011, 03:33 PM   #9
ostrosky.jeremiah
LQ Newbie
 
Registered: Aug 2011
Location: Pittsburgh, Pa
Distribution: Centos 6.4
Posts: 29

Rep: Reputation: Disabled
I think I was incorrect in what option to use. Looking into it a little further, you should try something along the lines of the following:


[global]
# smbusers containing 'bloggsf = fredb'
username map = /etc/samba/smbusers

[homes]
# or whatever path to the homes directories
path = /home/EU/%u
valid users = %u


Or, could always go the more tedious route and just create a unix user bloggsf if you don't end up getting the username mappings to work. But I guess that could always be a last resort.

Last edited by ostrosky.jeremiah; 10-21-2011 at 06:28 PM.
 
Old 10-24-2011, 08:45 AM   #10
Nerdio
LQ Newbie
 
Registered: Sep 2011
Posts: 27

Original Poster
Rep: Reputation: Disabled
Thank you for your reply.

This unfortunately did not seem to work either. I am rather expecting that the username map will accept my logon as bloggsf, then once logged on the user appears as fredb. When I have logged on though, it is still looking for the wrong home directory, and whoami says the user is bloggsf.

My smb.conf file looks like this;


[global]
log level = 10
workgroup = EU
server string = sectest server
realm = EU.MYDOMAIN.LOCAL
log file = /var/log/samba/%m.log
max log size = 50
security = ADS
password server = MY-PDC.EU.MYDOMAIN.LOCAL
username map = /etc/samba/smbusers
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind use default domain = yes

#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writeable = yes
path = /home/%D/%u
valid users = %u
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
printable = yes


My smbusers file looks like this;

# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
fredb = EU/bloggsf


I have tried the smbusers file with and without the domain of EU but to no avail.

From what I can see of the user name mapping, it just works, but not for me, so I tend to think I am missing something very obvious, or have made a stupid mistake. Each time I edit smb.conf, or smbusers I stop the winbind, and samba daemons and restart them. The only thing I haven't done is bounce the whole server.

Apart from this I have Kerberos, and PAM configured. I have looked in the log files, but cannot see anything glaringly obvious.

Any more suggestions, anybody?
 
Old 10-24-2011, 08:52 AM   #11
Nerdio
LQ Newbie
 
Registered: Sep 2011
Posts: 27

Original Poster
Rep: Reputation: Disabled
Oh and I have also created a local account called fredb, which has a different password to bloggsf.

I can login as fredb, and go to the home directory /home/EU/fredb, which is what I expect, and what I want the account bloggsf to do.
 
Old 10-25-2011, 08:37 AM   #12
ostrosky.jeremiah
LQ Newbie
 
Registered: Aug 2011
Location: Pittsburgh, Pa
Distribution: Centos 6.4
Posts: 29

Rep: Reputation: Disabled
I don't know if this option works for individual shares or not but the option 'force user' may help. You would probably have to set up a separate share definition for that though. Then, when bloggsf logs in you can have the user forced to be fredb. Probably worth a shot to read up on it.
 
Old 11-08-2011, 07:28 AM   #13
Nerdio
LQ Newbie
 
Registered: Sep 2011
Posts: 27

Original Poster
Rep: Reputation: Disabled
Thanks for your reply, and apologies for the delay in replying.

I have tried this, by adding this to smb.conf

[bloggsf]
force user = fredb


This did not seem to work either. I still get the error;

Could not chdir to home directory /home/EU/bloggsf: No such file or directory.

I do not seem to be able to make the system translate the user to fredb.

Everything I have read seems to make this seem so simple, and the apparent way to do this is with username map. I can see no evidence to suggest that this is being used at all.

Does anybody have any ideas how to make this work, because I am starting to doubt if I am approaching this from the right direction.
 
Old 09-13-2012, 09:45 AM   #14
LooseNugget
LQ Newbie
 
Registered: Sep 2012
Posts: 1

Rep: Reputation: Disabled
Have you tried creating symlinks for your AD users to the real home directories?

for example: ln -s /home/EU/fredb /home/EU/bloggsf

A bit of a pain, but maybe you can script it
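
The symlink approach suggested in post #14, scripted from the /etc/samba/smbusers map shown earlier in the thread. This is an added example, not code from any poster; the function names link_homes and valid_name and the two-argument layout are assumptions. It only creates links inside the given home base and never replaces an existing entry.

```shell
#!/bin/sh
# Added example: link_homes MAPFILE HOMEBASE
# For every "unix = smb1 smb2 ..." line in a Samba username map, create
# HOMEBASE/<smb> -> HOMEBASE/<unix> when the Unix home directory exists.
# Prints the number of links created.

# Accept only plain account names, so a map entry can never contain a
# path separator, a wildcard or an @group reference.
valid_name() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

link_homes() (
    set -f                      # the map may contain "*"; never glob it
    mapfile=$1 base=$2 created=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*|';'*) continue ;; esac   # blank or comment
        case "$line" in *=*) ;; *) continue ;; esac       # not a mapping
        unix=${line%%=*}
        smb_names=${line#*=}
        # drop padding and the leading "!" (stop-processing marker)
        unix=$(printf '%s' "$unix" | tr -d ' \t!')
        valid_name "$unix" || continue
        [ -d "$base/$unix" ] || continue     # only link to homes that exist
        for smb in $smb_names; do
            smb=${smb##*/}                   # strip a DOMAIN/ prefix
            smb=${smb##*\\}                  # strip a DOMAIN\ prefix
            valid_name "$smb" || continue
            [ "$smb" = "$unix" ] && continue
            # never replace an existing file, directory or link
            if [ -e "$base/$smb" ] || [ -L "$base/$smb" ]; then continue; fi
            ln -s "$base/$unix" "$base/$smb" && created=$((created + 1))
        done
    done < "$mapfile"
    echo "$created"
)

# Usage on the server from the thread (run as root):
#   link_homes /etc/samba/smbusers /home/EU
```

Running it a second time creates nothing, so it can be re-run after each change to the map file.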
 
  

