cYuSeDfZfb cYuSeDfZfb
2023-Feb-02 11:23 UTC
[Samba] winbind for nsswitch, without AD membership
Hi,

Thanks for the useful parameter. I implemented it in my samba config, but the script is never called from samba, instead the logon is denied with NT_STATUS_NO_SUCH_USER. See the following level 3 log:

[2023/02/02 12:13:41.266823, 3] ../../source3/auth/auth.c:201(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user []\[rear-user]@[test02rear-client] with the new password interface
[2023/02/02 12:13:41.266847, 3] ../../source3/auth/auth.c:204(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: []\[rear-user]@[test02rear-client]
[2023/02/02 12:13:41.268869, 0] ../../source3/passdb/lookup_sid.c:1642(get_primary_group_sid)
  Failed to find a Unix account for rear-user
[2023/02/02 12:13:41.271242, 1] ../../source3/auth/server_info_sam.c:77(make_server_info_sam)
  User rear-user in passdb, but getpwnam() fails!
[2023/02/02 12:13:41.271293, 0] ../../source3/auth/check_samsec.c:493(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
[2023/02/02 12:13:41.271647, 2] ../../source3/auth/auth.c:345(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [rear-user] -> [rear-user] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1

After I recreate the linux user it all works again.

Here is the relevant part of my smb.conf:

[global]
workgroup = SAMBA
security = user
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
debug level = 3
log file = /var/log/samba/log.%m
max log size = 50
idmap config * : backend = autorid
# to create local linux users, after the samba user authenticated successfully:
add user script = /rear/add_user.sh %u

I have confirmed the validity of the script itself (running it as root with a parameter for username, and the location is correct).

This is on RHEL9, with its stock 4.16.4.

Is anything else needed to make samba actually run that script?
MJ

On Thu, 2 Feb 2023 at 11:29, Ralph Boehme via samba <samba at lists.samba.org> wrote:
> On 2/2/23 11:18, Rowland Penny via samba wrote:
> > On 02/02/2023 10:10, cYuSeDfZfb cYuSeDfZfb via samba wrote:
> >> My question: is it possible to use winbind with autorid & tdbsam (and
> >> security = user) to avoid the requirement to generate each user TWICE?
> >
> > No, ...
>
> there's the "add user script" option, I guess that should do what the OP
> wants.
>
> -slow
>
> --
> Ralph Boehme, Samba Team https://samba.org/
> SerNet Samba Team Lead https://sernet.de/en/team-samba
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 02/02/2023 11:23, cYuSeDfZfb cYuSeDfZfb via samba wrote:
> Hi,
>
> Thanks for the useful parameter. I implemented it in my samba config,
> but the script is never called from samba, instead the logon is denied
> with NT_STATUS_NO_SUCH_USER. See the following level 3 log:
>
> [2023/02/02 12:13:41.266823, 3]
> ../../source3/auth/auth.c:201(auth_check_ntlm_password)
> check_ntlm_password: Checking password for unmapped user
> []\[rear-user]@[test02rear-client] with the new password interface
> [2023/02/02 12:13:41.266847, 3]
> ../../source3/auth/auth.c:204(auth_check_ntlm_password)
> check_ntlm_password: mapped user is: []\[rear-user]@[test02rear-client]
> [2023/02/02 12:13:41.268869, 0]
> ../../source3/passdb/lookup_sid.c:1642(get_primary_group_sid)
> Failed to find a Unix account for rear-user
> [2023/02/02 12:13:41.271242, 1]
> ../../source3/auth/server_info_sam.c:77(make_server_info_sam)
> User rear-user in passdb, but getpwnam() fails!
> [2023/02/02 12:13:41.271293, 0]
> ../../source3/auth/check_samsec.c:493(check_sam_security)
> check_sam_security: make_server_info_sam() failed with
> 'NT_STATUS_NO_SUCH_USER'
> [2023/02/02 12:13:41.271647, 2]
> ../../source3/auth/auth.c:345(auth_check_ntlm_password)
> check_ntlm_password: Authentication for user [rear-user] ->
> [rear-user] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
>
> After I recreate the linux user it all works again.
>
> Here is the relevant part of my smb.conf:
>
> [global]
> workgroup = SAMBA
> security = user
> passdb backend = tdbsam
> printing = cups
> printcap name = cups
> load printers = yes
> cups options = raw
> debug level = 3
> log file = /var/log/samba/log.%m
> max log size = 50
> idmap config * : backend = autorid
> # to create local linux users, after the samba user authenticated successfully:
> add user script = /rear/add_user.sh %u
>
> I have confirmed the validity of the script itself (running it as root
> with a parameter for username, and the location is correct)
>
> This is on RHEL9, with its stock 4.16.4.
>
> Is anything else needed to make samba actually run that script?

I honestly didn't think that was going to work, but I had to go out and was unable to reply until now.

From what I understood and confirmed by checking in 'man smb.conf', the Samba user would have to exist first and then the Unix user would be created:

    This option allows smbd to create the required UNIX users ON DEMAND when a user accesses the Samba server.

    When the Windows user attempts to access the Samba server, at login (session setup in the SMB protocol) time, smbd(8) contacts the password server and attempts to authenticate the given user with the given password. If the authentication succeeds then smbd attempts to find a UNIX user in the UNIX password database to map the Windows user into. If this lookup fails, and add user script is set then smbd will call the specified script AS ROOT, expanding any %u argument to be the user name to create.

So a bit of a chicken and egg situation here: if the Samba user exists and the Unix user doesn't, smbd can create the Unix user, but, on a standalone server, smbpasswd requires the Unix user before it can create the Samba user, or am I missing something?

Rowland
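As an added example of what the script behind 'add user script' can look like on a standalone server with security = user and passdb backend = tdbsam (this is not the poster's /rear/add_user.sh and not Samba project code): per the man page text quoted above, smbd runs the script AS ROOT only after the Samba user has authenticated, with %u expanded to that user name. The script therefore validates its single argument before touching the system, does nothing if the Unix account already exists (smbd's getpwnam() would then succeed), and otherwise creates only a locked, non-login account whose purpose is to give smbd a uid/gid to map the Samba user onto. The USERADD override and the /sbin/nologin shell path (the RHEL location) are assumptions made for this example.

```shell
#!/bin/sh
# Hypothetical "add user script" for a standalone Samba server
# (added example; not the poster's /rear/add_user.sh, not Samba code).
#
# smbd invokes it as root with %u expanded to the Samba user name that
# just authenticated but has no matching Unix account.
set -u
LC_ALL=C
export LC_ALL

# Accept only 1-32 characters of letters, digits, '.', '_' or '-', and
# reject a leading '-' so the name can never be parsed as an option.
validate_username() {
    name="$1"
    case "$name" in
        '' | -* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#name}" -le 32 ]
}

# True if the Unix account already exists (i.e. getpwnam() would succeed).
user_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

# Create the Unix account for an already-authenticated Samba user.
# USERADD may be overridden (e.g. USERADD="echo useradd") to dry-run the
# script as an unprivileged user; by default the real useradd is used.
create_unix_user() {
    name="$1"
    if ! validate_username "$name"; then
        printf 'add_user: rejecting unacceptable user name\n' >&2
        return 2
    fi
    if user_exists "$name"; then
        return 0
    fi
    # Locked (no password set), no home directory, no interactive shell.
    ${USERADD:-useradd} --no-create-home --shell /sbin/nologin \
        --comment "Samba user, auto-created by add user script" "$name"
}

# Entry point used by smbd: exactly one argument, the expanded %u.
if [ "$#" -eq 1 ]; then
    create_unix_user "$1"
fi
```

Pointed at by 'add user script = /path/to/add_user.sh %u', the same check the poster already did applies: run it as root with a test name, then confirm with 'getent passwd <name>' that the account appeared. The validation step matters because the script runs with root privileges on whatever name smbd hands it, so it should accept nothing beyond plain account names.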
On 2/2/23 12:23, cYuSeDfZfb cYuSeDfZfb wrote:
> Thanks for the useful parameter. I implemented it in my samba config,
> but the script is never called from samba, instead the logon is denied
> with NT_STATUS_NO_SUCH_USER.

The exact mechanics escape my mind, but I noticed that in one place where we hook the script we only do it if winbindd is *not* running. So since you're running Samba as a standalone server, running without winbindd might work to some extent.

Alternatively, iirc the script is also called if you run pdbedit or smbpasswd.

-slow

--
Ralph Boehme, Samba Team https://samba.org/
SerNet Samba Team Lead https://sernet.de/en/team-samba