How to Change Default Shell for Samba4 Domain Account on Linux

When using a Samba4 domain account for Linux login, you'll notice your user information isn't stored in /etc/passwd like local accounts. This becomes problematic when trying to change your default shell using traditional methods like chsh, which relies on local user database lookups.

For domain accounts, shell information is typically stored in LDAP attributes. The login process involves:

  1. PAM authentication against the domain controller
  2. NSS lookup through nsswitch.conf
  3. Shell assignment based on LDAP attributes

The most reliable method is to modify the loginShell attribute in your LDAP user entry. Here's how to do it:

# First, install ldap-utils if not already present
sudo apt-get install ldap-utils

# Search for your user DN (replace 'username' with your actual username)
ldapsearch -x -H ldap://your-domain-controller -D "cn=admin,dc=yourdomain,dc=com" -W -b "dc=yourdomain,dc=com" "(sAMAccountName=username)"

# Once you have your DN, modify the loginShell attribute
ldapmodify -x -H ldap://your-domain-controller -D "cn=admin,dc=yourdomain,dc=com" -W <<EOF
dn: cn=username,ou=users,dc=yourdomain,dc=com
changetype: modify
replace: loginShell
loginShell: /bin/zsh
EOF

If you don't have LDAP write access, you can create a local override:

# Create or edit /etc/security/pam_shell.conf
echo "username:/bin/zsh" | sudo tee -a /etc/security/pam_shell.conf

# Then modify your PAM configuration to use this module
# Add this line to /etc/pam.d/common-session:
session    required    pam_shell.so

After making changes, verify with:

getent passwd username | cut -d: -f7

  • Ensure nsswitch.conf includes ldap for passwd: passwd: files ldap
  • Check the PAM logs if the change doesn't take effect
  • Log out and back in: the new shell only applies to sessions started after the change
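As an added example (not part of the original article), here is a small POSIX shell helper that applies the check chsh performs but ldapmodify does not: it refuses to emit the loginShell LDIF unless the shell is listed in /etc/shells (a constructed sample list stands in for it so the script runs offline), and it reads the shell field back from a getent passwd line as the verification step above does. The DN, username and sample shells file are assumptions; when you do pipe the LDIF into ldapmodify, prefer ldaps:// or -ZZ (StartTLS) over the plain ldap:// simple bind shown above, which sends the bind password in clear.

```shell
#!/bin/sh
# Added example (not from the page): sanity-check a proposed loginShell before
# writing it with ldapmodify, and read the shell field back from getent output.

# valid_shell SHELL [SHELLS_FILE]: succeed only if SHELL is an absolute path
# listed in SHELLS_FILE (default /etc/shells), mirroring the check chsh performs.
valid_shell() {
  shell=$1
  shells_file=${2:-/etc/shells}
  case $shell in
    /*) ;;
    *) return 1 ;;
  esac
  grep -qxF -- "$shell" "$shells_file"
}

# loginshell_ldif DN SHELL [SHELLS_FILE]: print the modify LDIF used above, but
# emit nothing if SHELL fails valid_shell (a typo here locks the account out of
# interactive login, because ldapmodify performs no such check).
loginshell_ldif() {
  dn=$1
  shell=$2
  shells_file=${3:-/etc/shells}
  if ! valid_shell "$shell" "$shells_file"; then
    echo "refusing to set loginShell=$shell: not listed in $shells_file" >&2
    return 1
  fi
  printf 'dn: %s\nchangetype: modify\nreplace: loginShell\nloginShell: %s\n' \
    "$dn" "$shell"
}

# passwd_shell LINE: extract field 7 (the shell) from a passwd-style line,
# the same thing 'getent passwd username | cut -d: -f7' prints.
passwd_shell() {
  printf '%s\n' "$1" | cut -d: -f7
}

# Constructed sample shells list (stands in for /etc/shells) so this runs offline.
SAMPLE_SHELLS=$(mktemp)
printf '/bin/sh\n/bin/bash\n/bin/zsh\n' > "$SAMPLE_SHELLS"

# Demo: the LDIF that would be piped into 'ldapmodify ... -ZZ' (StartTLS), and
# the shell field of a constructed getent line as it should look afterwards.
loginshell_ldif "cn=username,ou=users,dc=yourdomain,dc=com" /bin/zsh "$SAMPLE_SHELLS"
passwd_shell "username:x:10001:10001:Domain User:/home/username:/bin/zsh"
```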

When working with Samba4 domain accounts, traditional methods like chsh often fail because:

  • User information is stored in LDAP rather than /etc/passwd
  • The PAM/NSS stack needs proper configuration to handle shell changes
  • samba-tool doesn't directly expose this functionality

The most reliable approach is modifying the LDAP attributes directly:

# First install ldap-utils if needed
sudo apt-get install ldap-utils

# Search for your user DN
ldapsearch -x -H ldap://your.domain.controller -D "cn=admin,dc=domain,dc=com" -W -b "dc=domain,dc=com" "(sAMAccountName=yourusername)"

# Modify the loginShell attribute, using the DN returned by the search above
ldapmodify -x -H ldap://your.domain.controller -D "cn=admin,dc=domain,dc=com" -W <<EOF
dn: cn=yourusername,ou=users,dc=domain,dc=com
changetype: modify
replace: loginShell
loginShell: /bin/zsh
EOF

While not directly documented, you can use:

samba-tool user edit username

Then manually add or modify the loginShell attribute in the text editor that appears.

After making changes, verify with:

getent passwd username | cut -d: -f7

Or test directly by logging in again and starting a new session.

Ensure your system is properly configured to read shell attributes from LDAP:

# In /etc/nsswitch.conf
passwd: files ldap

And in your LDAP client configuration:

# In /etc/ldap/ldap.conf
BASE dc=domain,dc=com
URI ldap://your.domain.controller