Hey Steve, I know the error "Can't initialize directory" from the auto-create method of pam+winbind for home directories as well, but I think my setup is a little bit different from yours...
My setup looks like this:
- 50 Linux servers
- 5 AD secondary DCs (Active Directory w2k8 R2)
- 1 master DC (Active Directory w2k8 R2)

The Linux servers were set up with RHEL 5 (nearly half of them). Approx. 15 servers were set up with Oracle Linux 6.2 (nearly the same as RHEL). Do you use the same Linux version for your clients (e.g. servers)? If so, just try to put the same pam lines (/etc/pam.d/system-auth) into the password-auth file (/etc/pam.d/password-auth).

These are my files:

--> /etc/pam.d/system-auth <--
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_smb_auth.so use_first_pass nolocal
auth        sufficient    pam_winbind.so use_first_pass require_membership_of=g-gr-eo-it-io-dc,g-gr-eo-it-ao
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     sufficient    pam_krb5.so
account     sufficient    pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077

--> /etc/pam.d/password-auth <--
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_smb_auth.so use_first_pass nolocal
auth        sufficient    pam_winbind.so use_first_pass require_membership_of=g-gr-eo-it-io-dc,g-gr-eo-it-ao
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     sufficient    pam_krb5.so
account     sufficient    pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077

And my smb.conf looks like this:

# GLOBAL PARAMETERS
[global]
workgroup = <MY-WORKGROUP>
realm = <MY-DOMAIN.LCL>
password server = *
preferred master = no
server string = <YOUR> File-Server
security = ads
encrypt passwords = yes
local master = no
log level = 1
log file = /var/log/samba/%m
max log size = 50
#printcap name = cups
#printcap = cups
printcap = /dev/null
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = \\
winbind refresh tickets = yes
winbind offline logon = true
winbind trusted domains only = no
#winbind trusted domains only = yes
map untrusted to domain = Yes
allow trusted domains = yes
obey pam restrictions = no
idmap backend = tdb
idmap uid = 10000-600000
idmap gid = 10000-600000
#idmap config EOS : tdb
#idmap config EOS : 10000-100000
#idmap config DFD : tdb
#idmap config DFD : 110000-200000
#idmap config * : backend = tdb
#idmap config * : range = 10000-600000
passdb backend = tdbsam
;template primary group = "domain users"
#template shell = /bin/false
template shell = /bin/bash
winbind nss info = rfc2307
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

[homes]
comment = Heimatverzeichnisse
valid users = %S
path = /home/<DOMAIN>/
read only = yes
browseable = no
# hide "unreadable" directories
hide unreadable = yes
# hide "non-writable" files and folders
hide unwriteable files = yes
create mask = 0700
directory mask = 0700

When you log in to one of my Linux boxes with a user called "schlegels", the home directory is created like this:
/home/<DOMAIN>/schlegels

Oddjobd is not working for me... I don't know exactly if my setup is the same as yours, because I'm not able to read the whole conversation (too many things to do).

Cheers and good luck,
Steven

2012/8/8 steve <st...@steve-ss.com>:
> On 08/08/2012 12:35 AM, Jonathan Buzzard wrote:
>> steve wrote:
>>> On 07/08/12 16:15, Jonathan Buzzard wrote:
>>>> On 07/08/12 15:10, steve wrote:
>>>>> On 04/08/12 22:06, NdK wrote:
>>>>>> On 04/08/2012 21:13, steve wrote:
>>>>>>
>>>>>> Uh? "wide links" seems a bad idea to me... At least from a security
>>>>>> perspective.
>>>>>> Why a single home directory? We have a single NFS share containing
>>>>>> folders for the two domains and inside those a folder for each home.
>>>>>> We are trying to migrate away from that, preferring a '[homes]' share
>>>>>> where users will place the data they want to have available on every
>>>>>> PC.
>>>>>> This way even Firefox should work...
>>>>>>
>>>>> Hi Diego
>>>>> We have home directories like:
>>>>> home2/staff
>>>>> home2/students/7a
>>>>> home2/students/7b
>>>>>
>>>>> Winbind allows only one template homedir and all user home folders must
>>>>> reside there (or tell me otherwise).
>>>>>
>>>>> The only way we can have what we want is:
>>>>> 1. use nss-ldapd and store the true unixHomeDirectory in AD
>>>>> 2. winbind. We have a symlink in template homedir to the real data. For
>>>>> that we need wide links.
>>>>>
>>>> 3. Use winbind to store the true unixHomeDirectory in AD.
>>>>
>>> Hi
>>> If I store unixHomeDirectory in AD, winbind seems to ignore it. As far as
>>> it's concerned, all home directories have to be in template homedir.
>>>
>>> How would I use winbind to store it? This is why we tend toward 1.
>>> nss-ldapd pulls all of rfc2307 from AD. winbind seems to recognise only
>>> uidNumber and gidNumber. It doesn't seem to give you any control over login
>>> shell and unixHomeDirectory. Everyone has the same shell and homedir.
>>>
>> Well it's read only, winbind pulls the information from the AD, but take
>> out your template homedir/shell lines from smb.conf and do something like
>>
>> winbind nss info = rfc2307
>> winbind expand groups = 2
>> winbind nested groups = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>>
>> Note you can get nested groups this way, something I don't think nss-ldapd
>> provides. It does work, I have it in production for over 1500 users right now
>> with some 900 active SMB sessions.
>>
> Hi Jonathan
> Is that with Samba3 or 4? I just tried it with Samba4 with unixHomeDirectory
> in AD. I removed template homedir =, created the user directory and gave it
> the correct permissions, but logging in, winbind tries to create the
> directory:
> su steve2
> Creating directory ''.
> Unable to create and initialize directory ''.
> su: Permission denied
>
> Cheers,
> Steve
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
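The "Creating directory ''" failure quoted above happens when the passwd entry that winbind hands to pam_mkhomedir has an empty home field. The following is an added example, not code from this thread: a small sh function that checks such an entry (as returned by getent passwd) before a user ever logs in. The sample entries and the domain name EXAMPLE are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the passwd entry that
# winbind publishes through NSS before pam_mkhomedir has to act on it.
# An empty home field is what surfaces at login as
#   Creating directory ''. / Unable to create and initialize directory ''.
#
# Usage: check_home_entry "$(getent passwd 'DOMAIN\user')" [/expected/base]
# Exit status 0 = entry usable, 1 = problem (reason is printed).
check_home_entry() {
    entry=$1
    base=$2                       # optional: where template homedir points
    # passwd format: name:passwd:uid:gid:gecos:home:shell
    name=$(printf '%s' "$entry" | cut -d: -f1)
    uid=$(printf '%s' "$entry" | cut -d: -f3)
    home=$(printf '%s' "$entry" | cut -d: -f6)
    shell=$(printf '%s' "$entry" | cut -d: -f7)

    # Not a passwd line at all: typically winbind is missing from nsswitch.conf
    case $uid in
        ''|*[!0-9]*)
            echo "'$entry': not a passwd entry (is winbind listed in /etc/nsswitch.conf?)"
            return 1 ;;
    esac
    case $home in
        "") echo "$name: empty home; check 'template homedir' in smb.conf or unixHomeDirectory in AD"
            return 1 ;;
        /*) ;;
        *)  echo "$name: home '$home' is not an absolute path"
            return 1 ;;
    esac
    # With winbind every home must live under template homedir; flag anything else
    if [ -n "$base" ]; then
        case $home in
            "$base"/*) ;;
            *) echo "$name: home '$home' is outside '$base'"
               return 1 ;;
        esac
    fi
    case $shell in
        "") echo "$name: empty login shell"; return 1 ;;
        /bin/false|/sbin/nologin|/usr/sbin/nologin)
            echo "$name: shell $shell blocks interactive login"; return 1 ;;
    esac
    echo "$name: ok (home=$home shell=$shell)"
    return 0
}
```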