On 2/2/23 11:18, Rowland Penny via samba wrote:
> On 02/02/2023 10:10, cYuSeDfZfb cYuSeDfZfb via samba wrote:
>> My question: is it possible to use winbind with autorid & tdbsam (and
>> security = user) to avoid the requirement to generate each user TWICE?
>
> No, ...

there's the "add user script" option, I guess that should do what the OP
wants.

-slow

--
Ralph Boehme, Samba Team https://samba.org/
SerNet Samba Team Lead https://sernet.de/en/team-samba
cYuSeDfZfb cYuSeDfZfb
2023-Feb-02 11:23 UTC
[Samba] winbind for nsswitch, without AD membership
Hi,

Thanks for the useful parameter. I implemented it in my samba config, but the script is never called from samba, instead the logon is denied with NT_STATUS_NO_SUCH_USER.

See the following level 3 log:

[2023/02/02 12:13:41.266823, 3] ../../source3/auth/auth.c:201(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user []\[rear-user]@[test02rear-client] with the new password interface
[2023/02/02 12:13:41.266847, 3] ../../source3/auth/auth.c:204(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: []\[rear-user]@[test02rear-client]
[2023/02/02 12:13:41.268869, 0] ../../source3/passdb/lookup_sid.c:1642(get_primary_group_sid)
  Failed to find a Unix account for rear-user
[2023/02/02 12:13:41.271242, 1] ../../source3/auth/server_info_sam.c:77(make_server_info_sam)
  User rear-user in passdb, but getpwnam() fails!
[2023/02/02 12:13:41.271293, 0] ../../source3/auth/check_samsec.c:493(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
[2023/02/02 12:13:41.271647, 2] ../../source3/auth/auth.c:345(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [rear-user] -> [rear-user] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1

After I recreate the linux user it all works again.

Here is the relevant part of my smb.conf:

[global]
workgroup = SAMBA
security = user
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
debug level = 3
log file = /var/log/samba/log.%m
max log size = 50
idmap config * : backend = autorid
# to create local linux users, after the samba user authenticated successfully:
add user script = /rear/add_user.sh %u

I have confirmed the validity of the script itself (running it as root with a parameter for username, and the location is correct).

This is on RHEL9, with its stock 4.16.4.

Is anything else needed to make samba actually run that script?
MJ

On Thu, 2 Feb 2023 at 11:29, Ralph Boehme via samba <samba at lists.samba.org> wrote:
>
> On 2/2/23 11:18, Rowland Penny via samba wrote:
> > On 02/02/2023 10:10, cYuSeDfZfb cYuSeDfZfb via samba wrote:
> >> My question: is it possible to use winbind with autorid & tdbsam (and
> >> security = user) to avoid the requirement to generate each user TWICE?
> >
> > No, ...
>
> there's the "add user script" option, I guess that should do what the OP
> wants.
>
> -slow
>
> --
> Ralph Boehme, Samba Team https://samba.org/
> SerNet Samba Team Lead https://sernet.de/en/team-samba
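
Added example (not part of the original thread and not Samba project code): a Python triage script that pairs the log headers quoted in the message above with their message lines and reports accounts that are present in passdb but have no Unix account, together with the resulting authentication failures. The sample log is constructed from that excerpt; the function and constant names are hypothetical.

```python
import re
from collections import defaultdict

# Header line: "[timestamp, level] source_file:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)$")
# Message logged when a passdb (tdbsam) entry has no matching Unix account.
ORPHAN = re.compile(r"User (?P<user>\S+) in passdb, but getpwnam\(\) fails!")
AUTH_FAIL = re.compile(
    r"Authentication for user \[(?P<user>[^\]]*)\] -> \[(?P<mapped>[^\]]*)\] "
    r"FAILED with error (?P<status>NT_STATUS_\w+)")

# Constructed sample: three records from the log excerpt in the message above.
SAMPLE_LOG = """\
[2023/02/02 12:13:41.268869, 0] ../../source3/passdb/lookup_sid.c:1642(get_primary_group_sid)
  Failed to find a Unix account for rear-user
[2023/02/02 12:13:41.271242, 1] ../../source3/auth/server_info_sam.c:77(make_server_info_sam)
  User rear-user in passdb, but getpwnam() fails!
[2023/02/02 12:13:41.271647, 2] ../../source3/auth/auth.c:345(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [rear-user] -> [rear-user] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
"""

def parse_records(text):
    """Yield one dict per record: header fields plus the joined message text."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            if current:
                yield current
            current = {**m.groupdict(), "msg": ""}
        elif current is not None and line:
            current["msg"] = (current["msg"] + " " + line).strip()
    if current:
        yield current

def triage(text):
    """Map user -> {'orphaned': bool, 'failures': [(timestamp, status), ...]}."""
    report = defaultdict(lambda: {"orphaned": False, "failures": []})
    for rec in parse_records(text):
        if (m := ORPHAN.search(rec["msg"])):
            report[m["user"]]["orphaned"] = True
        elif (m := AUTH_FAIL.search(rec["msg"])):
            report[m["mapped"]]["failures"].append((rec["ts"], m["status"]))
    return dict(report)

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A user reported as orphaned with an NT_STATUS_NO_SUCH_USER failure matches the situation in the log above: the tdbsam entry exists, but the Unix account lookup fails.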