Ryan Novosielski
2005-Jan-04 21:49 UTC
[Samba] Problems on HP-UX 11i with 'user add script'
This one doesn't make any sense to me. What's worse, it seems to occasionally work and sometimes not. I am attempting to log into a domain (DOMA let's say) and I only have an account on DOMB. When DOMA's Samba PDC attempts to create a UNIX account for me, this is what happens:

[2005/01/04 15:47:15, 3] auth/auth_util.c:smb_create_user(53)
  smb_create_user: Running the command `/usr/sbin/useradd -g guestsmb -c "<Samba tmpwacc Temp Guest Account>" -s /bin/false tmpwacc' gave 1
[2005/01/04 15:47:15, 3] auth/auth_util.c:make_server_info_info3(1127)
  User tmpwacc does not exist, trying to add it
Permission Denied
[2005/01/04 15:47:15, 3] auth/auth_util.c:smb_create_user(53)
  smb_create_user: Running the command `/usr/sbin/useradd -g guestsmb -c "<Samba tmpwacc Temp Guest Account>" -s /bin/false tmpwacc' gave 1
Permission Denied
[2005/01/04 15:47:15, 3] auth/auth_util.c:smb_create_user(53)
  smb_create_user: Running the command `/usr/sbin/useradd -g guestsmb -c "<Samba tmpwacc Temp Guest Account>" -s /bin/false tmpwacc' gave 1
[2005/01/04 15:47:15, 0] auth/auth_util.c:make_server_info_info3(1134)
  make_server_info_info3: pdb_init_sam failed!
[2005/01/04 15:47:15, 0] libsmb/samlogon_cache.c:netsamlogon_cache_store(123)
  netsamlogon_cache_store: cannot open netsamlogon_cache.tdb for write!
[2005/01/04 15:47:15, 2] auth/auth.c:check_ntlm_password(310)
  check_ntlm_password: Authentication for user [tmpwacc] -> [tmpwacc] FAILED with error NT_STATUS_NO_SUCH_USER

...when running that command from a shell, it does not exit 1. I can't figure out why it does that, or why there is a problem with the netsamlogon_cache.tdb. I read something about requiring Winbindd, but I don't see how my situation (two Samba PDC's with a trust relationship between the two different domains) requires Winbindd, unless Winbindd running would keep me from having to do 'add user script' work (simply using the same accounting info via NSS that it is getting from Samba).

Can someone shed some light on this for me? The docs are not making it clearer.

----
 _ _ _ _ ___ _ _ _
|Y#| | | |\/| | \ |\ | | |   Ryan Novosielski - User Support Spec. III
|$&| |__| | | |__/ | \| _| |   novosirj@umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent. | IST/ACS - NJMS Medical Science Bldg - C630
John H Terpstra
2005-Jan-04 22:00 UTC
[Samba] Problems on HP-UX 11i with 'user add script'
On Tuesday 04 January 2005 14:49, Ryan Novosielski wrote:
>
> Can someone shed some light on this for me? The docs are not making it
> clearer.

Ryan, please clarify which documentation has failed to live up to your expectations. I am in the process of updating the Samba docs and would like to get it right for once (I'd really like to get a score of 10 out of 10 - I do not want another fail). Please can you help me. I'll do my best to help you over the hump also.

- John T.

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
John H Terpstra
2005-Jan-04 22:34 UTC
[Samba] Problems on HP-UX 11i with 'user add script'
On Tuesday 04 January 2005 14:49, Ryan Novosielski wrote:
> This one doesn't make any sense to me. What's worse, it seems to
> occasionally work and sometimes not. I am attempting to log into a domain
> (DOMA let's say) and I only have an account on DOMB. When DOMA's Samba PDC
> attempts to create a UNIX account for me, this is what happens:
>
> ...
>
> ...when running that command from a shell, it does not exit 1. I can't
> figure out why it does that, or why there is a problem with the
> netsamlogon_cache.tdb. I read something about requiring Winbindd, but I
> don't see how my situation (two Samba PDC's with a trust relationship
> between the two different domains) requires Winbindd, unless Winbindd
> running would keep me from having to do 'add user script' work (simply
> using the same accounting info via NSS that it is getting from Samba).
>
> Can someone shed some light on this for me? The docs are not making it
> clearer.

Let's consider an example:

DOMA has a user 'freddy' with UID=2349
DOMB has a user 'freddy' with UID=5412

DOMA\freddy has SID='S-1-5-21-12345678-12345678-12345678-4698
DOMB\freddy has SID='S-1-5-21-87654321-87654321-87654321-10824

There is a two-way trust relationship between DOMA and DOMB. The method for establishing interdomain trusts is documented in the Samba-HOWTO-Collection. There is a chapter on it.

DOMA\freddy is an entirely different person from DOMB\freddy. One is the CEO and the other the janitor. I guess the CEO of DOMA would not like the janitor of DOMB to have access to his files.

What happens with your method? My guess: DOMB\freddy accesses DOMA and inherits DOMA\freddy file access permissions. After all, what is there to distinguish DOMA\freddy from DOMB\freddy - they will have the same account name because you will not create a new account by calling the user add script if the local account already exists. In other words DOMA\freddy is the same user as DOMB\freddy in your configuration.

With winbind, DOMB\freddy will on access to the DOMA domain be allocated a UID out of the IDMAP UID pool, and for all intents and purposes will be an entirely different user from DOMA\freddy.

Does that clear up why you need to use winbind?

The other reason is that winbind caches the domain credentials for each trusted domain thus making the entire network operation more efficient.

I hope this helps. This should be in the HOWTO-Collection - if not it must be added. I'll check and update this too.

- John T.

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
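The UID collision John describes above, as an added example written for this page (a Python model, not Samba or winbind code). It assumes a constructed DOMA passwd table in which DOMA\freddy already holds UID 2349, a hypothetical idmap range of 10000-20000, and an owner-only file check; the SIDs and UIDs are the ones given in the message. The name-keyed mapper stands in for the 'add user script' approach, the SID-keyed mapper for winbind's idmap allocation:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainUser:
    domain: str
    name: str
    sid: str


# Constructed sample data, using the figures from the message above.
DOMA_FREDDY = DomainUser("DOMA", "freddy", "S-1-5-21-12345678-12345678-12345678-4698")
DOMB_FREDDY = DomainUser("DOMB", "freddy", "S-1-5-21-87654321-87654321-87654321-10824")
DOMB_JANE = DomainUser("DOMB", "jane", "S-1-5-21-87654321-87654321-87654321-1100")

# Constructed local UNIX passwd table on DOMA's PDC: name -> uid.
DOMA_PASSWD = {"root": 0, "freddy": 2349}


class NameKeyedMapper:
    """Models the 'add user script' approach: the only key is the bare account
    name. The script runs only when that name is absent from the local passwd
    table, so a trusted-domain user whose name already exists locally is
    silently resolved to the existing local UID."""

    def __init__(self, passwd, first_new_uid=3000):
        self.passwd = dict(passwd)
        self.next_uid = first_new_uid
        self.script_runs = []  # account names the script was invoked for

    def resolve(self, user: DomainUser) -> int:
        if user.name not in self.passwd:
            self.script_runs.append(user.name)
            self.passwd[user.name] = self.next_uid
            self.next_uid += 1
        return self.passwd[user.name]


class SidKeyedMapper:
    """Models winbind's idmap approach: local-domain users keep their passwd
    UID, while users from trusted domains are keyed by SID and receive a UID
    from the configured idmap range. Two accounts with the same name but
    different SIDs therefore never collapse onto one UID."""

    def __init__(self, local_domain, passwd, idmap_range=(10000, 20000)):
        self.local_domain = local_domain
        self.passwd = dict(passwd)
        self.low, self.high = idmap_range
        self.next_uid = self.low
        self.idmap = {}  # sid -> allocated uid

    def resolve(self, user: DomainUser) -> int:
        if user.domain == self.local_domain:
            return self.passwd[user.name]
        if user.sid not in self.idmap:
            if self.next_uid > self.high:
                raise RuntimeError("idmap uid range exhausted")
            self.idmap[user.sid] = self.next_uid
            self.next_uid += 1
        return self.idmap[user.sid]


def owner_can_read(file_owner_uid: int, requester_uid: int) -> bool:
    """Owner-only file: access is granted iff the UIDs are identical."""
    return file_owner_uid == requester_uid


def compare_mappings():
    """Resolve both freddys under each scheme and report whether DOMB\\freddy
    would be able to read a file owned by DOMA\\freddy."""
    mappers = (
        ("name_keyed", NameKeyedMapper(DOMA_PASSWD)),
        ("sid_keyed", SidKeyedMapper("DOMA", DOMA_PASSWD)),
    )
    results = {}
    for label, mapper in mappers:
        uid_a = mapper.resolve(DOMA_FREDDY)
        uid_b = mapper.resolve(DOMB_FREDDY)
        results[label] = {
            "DOMA\\freddy": uid_a,
            "DOMB\\freddy": uid_b,
            "domb_reads_doma_file": owner_can_read(uid_a, uid_b),
        }
    return results


if __name__ == "__main__":
    for scheme, outcome in compare_mappings().items():
        print(scheme, outcome)
```

Under the name-keyed scheme the script is never even invoked for DOMB\freddy, because "freddy" is already present locally, so both users resolve to UID 2349 and the owner check passes for the wrong person; under the SID-keyed scheme DOMB\freddy gets the first UID from the pool and the check fails as it should.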