How do I change local shell for domain users?

[steelbeak]

I've got a Samba/Winbind machine on a Win2k3 AD domain.

In my /etc/samba/smb.conf I have template shell set to /bin/false to block shell access for domain users.

What I would like to do is provide shell access to a specific set of domain users, but keep everyone else with /bin/false.

How do I change the shell of individual domain accounts for my local box? usermod doesn't work because it only mucks about with /etc/passwd and domain accounts aren't stored there.

wbinfo seems to have options to created/delete local users and groups, but I'm really not sure what that's for. wbinfo doesn't alter /etc/passwd or /etc/group and it seems I can add users with wbinfo -c that are non-existing domain accounts. ... I really don't understand what that's all for.

So at the very least, an explanation on what wbinfo's user/group functions are all about would be appreciated.

But I'd really like to know how I can change the local shell value for specific domain accounts.

Thanks,

-Sb

[nobspangle]

I think the create group and user functions of winbind are for creating local samba users and groups when you are using winbind. The accounts aren't added to /etc/passwd because they are only virtual accounts like the winbind domain accounts. They belong to the computer name domain.

As far as I know all users are given the template shell and there is no way to change it.

[Gentree]

Is this what you are looking for in /etc/samba/smb.conf ?