Stroller
2005-Dec-12 12:19 UTC
[Samba] Winbind & adding users... is `useradd` being called? %u parameter?
Hi there,

This is probably a dumb question, so my apologies, but I've set up WinBind on my Samba box & it seems to be authenticating against the domain, however new user accounts do not seem to be added.

`wbinfo -u` returns a list of the users on the domain and I seem to have set up my IMAP server correctly to authenticate against that (using PAM), as I see the following in /var/log/messages when I try to log in to my IMAP server:

    Dec 12 11:33:37 baby imapd: Connection, ip=[127.0.0.1]
    Dec 12 11:33:37 baby pam_winbind[32640]: user 'ned' granted access
    Dec 12 11:33:37 baby pam_winbind[32640]: user 'ned' granted access
    Dec 12 11:33:37 baby imapd: networkned: chdir(/home/DOMAIN/ned) failed!!
    Dec 12 11:33:37 baby imapd: error: No such file or directory
    Dec 12 11:33:37 baby imapd: LOGIN FAILED, user=networkned, ip=[127.0.0.1]
    Dec 12 11:33:37 baby imapd: authentication error: No such file or directory

Initially in smb.conf I had simply uncommented the line which says:

    add user script = /usr/sbin/useradd -s /bin/false '%u'

but of course (as pointed out on the IRC channel) `useradd` requires the -m flag in order to create a home directory for the user, so I set it like this:

    add user script = /usr/sbin/useradd -m -s /bin/false '%u'

but that gives me the same error.

The log shows that the IMAP server is trying to chdir into the home directory "/home/DOMAIN/ned", so I'm unclear on how `useradd` is being called - is it being called as `/usr/sbin/useradd -m -s /bin/false 'DOMAIN/ned'` or as something else?

Obviously I would try adding the user manually in order to troubleshoot this, but I'd like to establish what '%u' Samba is passing to `useradd` first. Consequently I edited the "add user script" as below, but nothing is written to /tmp/foo.

    add user script = /root/foo.sh '%u'

    # ls -l /root/foo.sh
    -rwxrwxrwx 1 root root 54 Dec 12 11:31 /root/foo.sh
    # ls -l /tmp/foo
    -rw-rw-rw- 1 root root 15 Dec 12 11:31 /tmp/foo
    # cat /tmp/foo
    gjitijt jgitjt
    # cat /root/foo.sh
    #!/bin/bash
    echo "$@" >> /tmp/foo
    exit 0
    # /root/foo.sh howdy doody
    # cat /tmp/foo
    gjitijt jgitjt
    howdy doody
    #

I've added a subdirectory of /home for the DOMAIN, but that makes no difference:

    # ls -ld /home/
    drwxr-xr-x 4 root root 120 Dec 12 11:17 /home/
    baby ~ # ls -l /home/
    total 0
    drwxr-xr-x 2 root root 48 Dec 12 11:17 DOMAIN
    drwxr-xr-x 3 stroller users 192 Dec 7 12:32 stroller

I'm not an expert at PAM, so maybe that's what I'm doing wrong?

    # cat /etc/pam.d/imap
    auth required pam_nologin.so
    auth required pam_winbind.so
    account sufficient pam_winbind.so
    account required pam_stack.so service=system-auth
    session required pam_stack.so service=system-auth

I don't see what I'm doing wrong here, so I'd be extremely grateful for any suggestions,

Stroller.
Fabian Arrotin
2005-Dec-12 13:10 UTC
[Samba] Re: Winbind & adding users... is `useradd` being called? %u parameter?
Stroller wrote:
> Hi there,
>
> This is probably a dumb question, so my apologies, but I've set up
> WinBind on my Samba box & it seems to be authenticating against the
> domain, however new user accounts do not seem to be added.

They will never be added: you're using winbind to avoid that! Don't forget that add user script is used when samba is acting as a domain controller, but that's not the case here. Winbind is used to simulate local unix users instead of creating them locally.

> `wbinfo -u` returns a list of the users on the domain and I seem to have
> set up my IMAP server correctly to authenticate against that (using PAM),
> as I see the following in /var/log/messages when I try to log in to my
> IMAP server:
>
>     Dec 12 11:33:37 baby imapd: Connection, ip=[127.0.0.1]
>     Dec 12 11:33:37 baby pam_winbind[32640]: user 'ned' granted access
>     Dec 12 11:33:37 baby pam_winbind[32640]: user 'ned' granted access
>     Dec 12 11:33:37 baby imapd: networkned: chdir(/home/DOMAIN/ned) failed!!
>     Dec 12 11:33:37 baby imapd: error: No such file or directory
>     Dec 12 11:33:37 baby imapd: LOGIN FAILED, user=networkned, ip=[127.0.0.1]
>     Dec 12 11:33:37 baby imapd: authentication error: No such file or directory
>
> Initially in smb.conf I had simply uncommented the line which says:
>     add user script = /usr/sbin/useradd -s /bin/false '%u'
> but of course (as pointed out on the IRC channel) `useradd` requires the
> -m flag in order to create a home directory for the user, so I set it
> like this:
>     add user script = /usr/sbin/useradd -m -s /bin/false '%u'
> but that gives me the same error.
>
> The log shows that the IMAP server is trying to chdir into the home
> directory "/home/DOMAIN/ned", so I'm unclear on how `useradd` is being
> called - is it being called as `/usr/sbin/useradd -m -s /bin/false
> 'DOMAIN/ned'` or as something else?

See my previous answer ...

If you want your Windows users to log on to your Samba server for IMAP, first create a home directory with correct permissions ... (I know pam_mkhomedir.so exists, but I've never played with it)

Anyway: why do you want Windows users to log on to your IMAP server? Have you already configured your sendmail (or postfix) MTA server to work with Windows users? Your MTA server will have to know where to look for virtual users and where to drop mails .... The question is: what's the context of the whole thing?

> Obviously I would try adding the user manually in order to troubleshoot
> this, but I'd like to establish what '%u' Samba is passing to `useradd`
> first. Consequently I edited the "add user script" as below, but nothing
> is written to /tmp/foo.
>     add user script = /root/foo.sh '%u'
>
>     # ls -l /root/foo.sh
>     -rwxrwxrwx 1 root root 54 Dec 12 11:31 /root/foo.sh
>     # ls -l /tmp/foo
>     -rw-rw-rw- 1 root root 15 Dec 12 11:31 /tmp/foo
>     # cat /tmp/foo
>     gjitijt jgitjt
>     # cat /root/foo.sh
>     #!/bin/bash
>     echo "$@" >> /tmp/foo
>     exit 0
>     # /root/foo.sh howdy doody
>     # cat /tmp/foo
>     gjitijt jgitjt
>     howdy doody
>     #
>
> I've added a subdirectory of /home for the DOMAIN, but that makes no
> difference:
>
>     # ls -ld /home/
>     drwxr-xr-x 4 root root 120 Dec 12 11:17 /home/
>     baby ~ # ls -l /home/
>     total 0
>     drwxr-xr-x 2 root root 48 Dec 12 11:17 DOMAIN
>     drwxr-xr-x 3 stroller users 192 Dec 7 12:32 stroller
>
> I'm not an expert at PAM, so maybe that's what I'm doing wrong?
>
>     # cat /etc/pam.d/imap
>     auth required pam_nologin.so
>     auth required pam_winbind.so
>     account sufficient pam_winbind.so
>     account required pam_stack.so service=system-auth
>     session required pam_stack.so service=system-auth
>
> I don't see what I'm doing wrong here, so I'd be extremely grateful for
> any suggestions,
>
> Stroller.
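
Added example (not part of the thread, and not Samba's own tooling): a shell check for the state shown in the log above, where pam_winbind grants access but the home directory in the user's passwd entry does not exist or has the wrong owner. The function names and the sample passwd line are this example's own constructions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# winbind answers passwd lookups with a synthesized entry; it does not create
# the home directory named in that entry, which is what imapd's chdir() hit.

# Print field number $2 of the passwd-format line in $1.
passwd_field() {
    printf '%s\n' "$1" | awk -F: -v n="$2" 'NF >= 7 { print $n }'
}

# Classify one passwd entry by the state of its home directory.
home_status() {
    entry=$1
    [ -n "$entry" ] || { echo "no-entry"; return 0; }
    uid=$(passwd_field "$entry" 3)
    home=$(passwd_field "$entry" 6)
    [ -n "$home" ] || { echo "bad-entry"; return 0; }
    if [ ! -e "$home" ]; then
        echo "missing-home"          # the case in the thread's log
    elif [ ! -d "$home" ]; then
        echo "not-a-directory"
    elif [ -z "$(find "$home" -prune -user "$uid" 2>/dev/null)" ]; then
        echo "wrong-owner"           # exists, but not owned by the entry's UID
    else
        echo "ok"
    fi
}

# Resolve a user through NSS (local files and winbind) and report.
check_user() {
    entry=$(getent passwd "$1" 2>/dev/null || true)
    echo "$1: $(home_status "$entry")"
}

# Constructed sample entry, shaped like what getent might print for a
# winbind user; the UID/GID values are made up.
sample='DOMAIN\ned:*:10000:10000::/home/DOMAIN/ned:/bin/false'
echo "sample entry: $(home_status "$sample")"
```

On the affected host, `check_user` with the name exactly as `wbinfo -u` prints it shows which of these states applies. A `missing-home` result is the case that pam_mkhomedir.so, mentioned in the reply, is designed to handle at session open.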