OMeara, Randy
1999-Apr-28 17:40 UTC
Transparent Samba Account Creation/Authentication using NT DC
My approach to configuring Samba was that I refused to duplicate the effort required to manage user accounts under NT. My resource domain already had the accounts. I did everything I could to stay away from manual (or even programmatic) manipulation of the smbpasswd file. The smbpasswd file is not used or required in the following scenario.

There have been some very important Samba innovations recently, and more are coming in the very near future. With 'security = domain' and some simple scripting via 'add user script = some_script', it is possible to create *local* Unix accounts on-the-fly. Passwords are not stored on the Samba server and authentication is provided by an NT DC. Voila! No effort is required to keep accounts/passwords synced with NT! Of course it's not quite as simple as this, but very near ;-)

You could move these auto-created accounts to your NIS database if you wish, but since there are no Unix-stored passwords, you never have to worry about syncing passwords to Unix. The very act of 'browsing' your Samba server can (under your control, of course) create a local (Samba-only) user account, create a user directory, mount that directory (the share appears as the user's name), establish a disk use quota, and email a message to you that the account was created. I think that's pretty slick! And it's quick!

I have included with this message my samba_add_user Perl script and excerpts from smb.conf. The key elements of the smb.conf file are: 'security = domain', and 'add user script = .../samba_add_user %u'.

I hope this is useful to you, or at least points the way for you to refine what I have done. I am interested in hearing about your experiences with this. I have not (yet) checked to see how NT domain groups play into the way that Samba requests authentication from the NT DC. I assume that *any* valid NT domain username/password will pass this authentication successfully.
One caveat: if you have specified Logon Workstations restrictions for an NT account under NT's User Manager (User Properties, Logon Workstations), then Samba's method of requesting authentication of that account from the DC will fail unless the Samba server's netbios name appears in the list of workstation restrictions. Why? I don't know. I would guess that the Samba server provides its own name to NT rather than the originating workstation. This may be (probably is) a bug in Samba.

This is all based on Linux 2.2.3 with Samba 2.0.3.

Enjoy!

---
Randy O'Meara
Information Systems IT Implementation
Lockheed Martin, Santa Cruz Facility

************smb.conf
# Samba config file created using SWAT

# Global parameters
	workgroup = DOM
	server string = DOM,SMB,NFS
	security = DOMAIN
	encrypt passwords = Yes
	map to guest = Bad User
	password server = DOMDC DOMBDC1 DOMBDC2 DOMBDC3
	log file = /var/log/samba/%m
	max log size = 50
	lpq cache time = 0
	socket options = TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
	add user script = /usr/local/samba/bin/samba_add_user %u
	wins server = 111.222.333.444
	lock dir = /var/lock/smb
	default service = reference
	guest account = ftp
	invalid users = root
	admin users = su
	mangle case = Yes

[tmp]
	comment = ONE WEEK Max Storage Period!
	path = /x/tmp
	read only = No
	create mask = 0777
	guest ok = Yes

[transfer]
	comment = TWO WEEKS Max Storage Period!
	path = /x/transfer
	read only = No
	create mask = 0777
	guest ok = Yes

[homes]
	comment = home directories
	read only = No
	create mask = 0700
	browseable = No

[cdrom]
	comment = Internal CD-ROM
	path = /cdrom
	guest ok = Yes
	locking = No

[printers]
	comment = All Printers
	path = /usr/spool/samba
	print ok = Yes
	browseable = No

[softlib]
	comment = Software Repository
	path = /x/softlib
	write list = @slib_rw
	read only = No

[admin$]
	comment = Fake NT Admin$ Share
	path = /x/tmp
************end smb.conf

************samba_add_user
#!/usr/bin/perl
#
# Script to add Samba User to local account database.
# rmo -- 4/19/99
#
# This script is invoked from smbd (AS ROOT) when smb.conf:
#   1. 'security' = server OR domain
#   2. smbd is able to authenticate current user via 'password server'
#   3. no local or NIS account exists for the presently connecting user
#   4. 'add user script' specifies this script
#
# invoked as:  samba_add_user %u
# where %u is current user name
#
# This script performs the following actions:
#   1. creates %u local account and home directory via useradd(8).
#   2. establishes user disk quotas via edquota(8).
#   3. logs success/failure via logger(1).
#   4. reports success/failure to 'root' via mail(1).

use strict;
use warnings;

# Log Options (logger)
our $LOG_LEVEL = "auth.notice";            # Syslog facility.level

# Account Creation Options (useradd)
#
our $CMNT = "created by samba_add_user";   # Comment passwd field
our $HOME = "-m";                          # Make home directory
our $SHL  = "/bin/false";                  # Default shell

# Quota Options (edquota)
#
our $QUOTA_PROFILE = "qusr1";              # Quota profile

sub dolog {
    # Enter message into syslog.  List-form system(): no shell sees $msg,
    # so the [brackets] in the message are not treated as a glob pattern.
    my $msg = shift;
    system( "/usr/bin/logger", "-t", "samba_add_user", "-i", "-p", $LOG_LEVEL, $msg );
}

sub domail {
    # Report success/failure to 'root' via mail
    my $acct = shift;
    my $sta  = shift;
    my $host = `hostname`; chomp($host);
    my $fail = "";
    my $msg  = "Account: [$acct]\n".
               "Host: $host\n".
               "Cmd: $0\n".
               "Quota Profile: $QUOTA_PROFILE\n".
               "\n";
    if ( $sta eq "ok" ) {
        # Success
        $msg .= "Account was auto-created when the smbd daemon received\n".
                "a connection request. The account did not exist and was\n".
                "created automatically.\n".
                "\n".
                "Please review this new account for rights, groups, and\n".
                "quota at your earliest convenience.\n".
                "\n".
                "Have a pleasant day!\n";
    } else {
        # Failure
        $fail = " FAILED!";
        $msg .= "Results: $sta\n\n";
        $msg .= "Account auto-creation FAILED when the smbd daemon received\n".
                "a connection request. The account did not exist and was\n".
                "NOT created automatically.\n".
                "\n".
                "Please review the Host syslog and determine the fault at\n".
                "your earliest convenience.\n".
                "\n".
                "Have a (almost) pleasant day!\n";
    }
    # List-form open: the subject line is passed to mail(1) without a shell
    my $ml = open( my $mail, "|-", "mail", "-s", "Samba Account Creation [$acct]$fail", "root" );
    if ( $ml ) {
        print $mail $msg;
        close( $mail );
    } else {
        dolog( "Failed to open mail pipe!" );
    }
}

sub doacct {
    # Create account
    #
    my $usr = shift;
    # 2>&1 needs a shell; $usr has already been checked against the
    # account-name pattern in the main section before we get here.
    my $cmd = "/usr/sbin/useradd -c '$CMNT' $HOME -s $SHL $usr 2>&1";
    my @res = `$cmd`;
    my $sta = $?;
    if ( $sta != 0 ) {
        domail( $usr, join(" ",@res) );
        dolog( "[$usr] creation Failure in doacct" );
        exit 1;
    }
}

sub doquota {
    # Establish small Quota
    my $usr = shift;
    my $cmd = "/usr/sbin/edquota -p $QUOTA_PROFILE $usr 2>&1";
    my @res = `$cmd`;
    my $sta = $?;
    if ( $sta == 0 ) {
        domail( $usr, "ok" );
        dolog( "[$usr] creation Success" );
    } else {
        domail( $usr, join(" ",@res) );
        dolog( "[$usr] creation Failure in doquota" );
        exit 2;
    }
}

# The Main Stuff
#
my $usr = shift;
defined $usr or die "usage: $0 username\n";
# %u is interpolated into root-run shell commands above, so accept only a
# plain POSIX account name (the same pattern useradd enforces).  Defensive
# check; useradd would refuse anything else anyway.
unless ( $usr =~ /^[a-z_][a-z0-9_-]*\$?$/i ) {
    dolog( "refusing invalid user name" );
    exit 3;
}
dolog( "add [$usr]" );
doacct( $usr );
doquota( $usr );
************end samba_add_user
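Added example, not part of Randy's post and not Samba's own code: a small Python audit that parses an smb.conf of the shape shown above and checks the settings the auto-creation scheme depends on ('security' = domain/server, an 'add user script' that receives %u, 'encrypt passwords', a 'password server', root in 'invalid users'), then flags the share-level settings a reviewer would want to look at (guest-writable shares with a world-writable 'create mask', and any 'admin users', who operate as root on every share). The parser handles only the subset of smb.conf syntax used here (one `key = value` per line, `#`/`;` comments, globals before the first section), and the Samba 2.0 defaults it assumes (`read only = yes`, `create mask = 0744`) are noted in the code. The embedded configuration is the post's own smb.conf.

```python
"""Audit an smb.conf for the settings the auto-account-creation setup relies on."""
import re

# The smb.conf from the post, embedded verbatim (SWAT in Samba 2.0 wrote the
# global parameters before the first share section, without a [global] header).
POST_SMB_CONF = """\
# Samba config file created using SWAT
# Global parameters
	workgroup = DOM
	server string = DOM,SMB,NFS
	security = DOMAIN
	encrypt passwords = Yes
	map to guest = Bad User
	password server = DOMDC DOMBDC1 DOMBDC2 DOMBDC3
	log file = /var/log/samba/%m
	max log size = 50
	lpq cache time = 0
	socket options = TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
	add user script = /usr/local/samba/bin/samba_add_user %u
	wins server = 111.222.333.444
	lock dir = /var/lock/smb
	default service = reference
	guest account = ftp
	invalid users = root
	admin users = su
	mangle case = Yes

[tmp]
	comment = ONE WEEK Max Storage Period!
	path = /x/tmp
	read only = No
	create mask = 0777
	guest ok = Yes

[transfer]
	comment = TWO WEEKS Max Storage Period!
	path = /x/transfer
	read only = No
	create mask = 0777
	guest ok = Yes

[homes]
	comment = home directories
	read only = No
	create mask = 0700
	browseable = No

[cdrom]
	comment = Internal CD-ROM
	path = /cdrom
	guest ok = Yes
	locking = No

[printers]
	comment = All Printers
	path = /usr/spool/samba
	print ok = Yes
	browseable = No

[softlib]
	comment = Software Repository
	path = /x/softlib
	write list = @slib_rw
	read only = No

[admin$]
	comment = Fake NT Admin$ Share
	path = /x/tmp
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}; section and key names are lower-cased,
    parameters before the first [section] land in 'global'."""
    conf = {"global": {}}
    section = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                      # new share section
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf


def smb_bool(value, default=False):
    """Samba accepts yes/true/1 and no/false/0 (case-insensitive)."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def audit_smb_conf(conf):
    """Return a list of (section, finding) tuples; an empty list means clean."""
    g = conf["global"]
    findings = []
    sec = g.get("security", "user").lower()
    if sec not in ("domain", "server"):
        findings.append(("global", f"security = {sec}: 'add user script' only runs under security = domain or server"))
    if "add user script" not in g:
        findings.append(("global", "no 'add user script': missing accounts will not be auto-created"))
    elif "%u" not in g["add user script"]:
        findings.append(("global", "'add user script' is not passed %u, so it cannot know which account to create"))
    if sec == "domain" and not smb_bool(g.get("encrypt passwords")):
        findings.append(("global", "security = domain requires encrypt passwords = yes"))
    if sec in ("domain", "server") and not g.get("password server"):
        findings.append(("global", "no 'password server': nothing to authenticate against"))
    invalid = {u.lower() for u in re.split(r"[\s,]+", g.get("invalid users", "")) if u}
    if "root" not in invalid:
        findings.append(("global", "root is not listed in 'invalid users'"))
    if g.get("admin users"):
        findings.append(("global", f"admin users = {g['admin users']}: these users act as root on every share"))
    for name, share in conf.items():
        if name == "global":
            continue
        guest = smb_bool(share.get("guest ok"))
        # Samba 2.0 defaults assumed here: read only = yes, create mask = 0744
        writable = (smb_bool(share.get("writable")) or smb_bool(share.get("writeable"))
                    or ("read only" in share and not smb_bool(share["read only"])))
        mask = int(share.get("create mask", "0744"), 8)
        if guest and writable and mask & 0o002:
            findings.append((name, f"guest-writable share with world-writable create mask {mask:04o}"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_smb_conf(parse_smb_conf(POST_SMB_CONF)):
        print(f"[{section}] {finding}")
```

Run against the post's configuration, the global settings pass every check and the audit reports only the two guest-writable 0777 shares ([tmp] and [transfer], both documented as short-term scratch space) and the 'admin users' entry, which is worth knowing about because that account bypasses share-level permissions.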