Hello all,

I have never had the need to use the "add user script" functionality but now I do. However, it does not seem to be working. My smb.conf entry is like so:

    add user script = /remote/configure_scripts/addusers.sh

where addusers.sh is a bash script that reads in a text file of usernames, groups, and passwords and adds the users to /etc/passwd, /etc/group and /etc/samba/smbpasswd. The addusers.sh works fine from the command line but samba doesn't appear to call it.

I see that checks for "add user script" and "add machine script" are in the source code, so did I miss an option when I compiled samba, or what else is it that I am missing to get the script to trigger?

Also, while I am on the subject of the "add user script," would it be possible to pass the username and password from samba to a shell script? In other words, could I have something like

    add user script = /remote/configure_scripts/addusers.sh %u %p

where %p is whatever samba holds the password variable in?

But first things first, how can I get the "add user script" functionality to work?

Thanks,
Murrah Boswell
murrah boswell wrote:
> Hello all,
>
> I have never had the need to use the "add user script" functionality
> but now I do. However, it does not seem to be working. My smb.conf
> entry is like so:
>
> add user script = /remote/configure_scripts/addusers.sh
>
> where addusers.sh is a bash script that reads in a text file of
> usernames, groups, and passwords and adds the users to /etc/passwd,
> /etc/group and /etc/samba/smbpasswd. The addusers.sh works fine from
> the command line but samba doesn't appear to call it.
>
> [...]
>
> But first things first, how can I get the "add user script"
> functionality to work?

The add user script I use is "/usr/sbin/useradd -g users %u". The script should only add one user at a time as far as I know. Here is what the SWAT documentation has to say about it:

>>>>>>>>>>>>>>
add user script (G)

This is the full pathname to a script that will be run AS ROOT by smbd(8) under special circumstances described below.

Normally, a Samba server requires that UNIX users are created for all users accessing files on this server. For sites that use Windows NT account databases as their primary user database, creating these users and keeping the user list in sync with the Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users ON DEMAND when a user accesses the Samba server.

In order to use this option, smbd(8) must NOT be set to security = share, and add user script must be set to a full pathname for a script that will create a UNIX user given one argument of %u, which expands into the UNIX user name to create.

When the Windows user attempts to access the Samba server, at login (session setup in the SMB protocol) time, smbd(8) contacts the password server and attempts to authenticate the given user with the given password. If the authentication succeeds then smbd attempts to find a UNIX user in the UNIX password database to map the Windows user into. If this lookup fails, and add user script is set, then smbd will call the specified script AS ROOT, expanding any %u argument to be the user name to create.

If this script successfully creates the user then smbd will continue on as though the UNIX user already existed. In this way, UNIX users are dynamically created to match existing Windows NT accounts.

See also security, password server, delete user script.

Default: add user script =

Example: add user script = /usr/local/samba/bin/add_user %u
<<<<<<<<<<<<<<<<<

Note that the script is not intended to add multiple users nor set their passwords. It is supposed to add a single Unix user only.
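Because smbd runs this script as root with the expanded %u as its only argument, a single-user wrapper around useradd is the shape that fits the documentation above. The following is an added example written for this reply, not code from the thread or from Samba; the useradd path, the "users" primary group, the home directory and shell options, and the logger tag are assumptions.

```sh
#!/bin/sh
# Added example of a single-user "add user script" for smb.conf, e.g.
#   add user script = /usr/local/samba/bin/add_user.sh %u
# smbd runs it AS ROOT with the expanded %u as the only argument, after the
# Windows user has already been authenticated; it creates exactly one UNIX
# account, sets no password, and exits non-zero on any problem.
set -u

# Assumed paths, overridable via the environment (e.g. for testing).
USERADD="${USERADD:-/usr/sbin/useradd}"
LOGGER="${LOGGER:-logger}"

# Allow only conservative names: a lowercase letter, then up to 31 lowercase
# letters, digits, '_' or '-'. This keeps whitespace, shell metacharacters,
# '/' and option-like names beginning with '-' away from a root-run useradd.
validate_username() {
    name="$1"
    [ ${#name} -ge 1 ] && [ ${#name} -le 32 ] || return 1
    case "$name" in
        *[!a-z0-9_-]*) return 1 ;;   # any character outside the allow-list
        [a-z]*)        return 0 ;;   # must start with a letter
        *)             return 1 ;;   # starts with a digit, '_' or '-'
    esac
}

# True when the account already exists in the UNIX password database
# (NSS via getent where available, otherwise /etc/passwd directly).
user_exists() {
    if command -v getent >/dev/null 2>&1; then getent passwd "$1" >/dev/null 2>&1
    else grep -q "^$1:" /etc/passwd; fi
}

# Create the one account smbd asked for. A non-zero exit makes smbd treat the
# lookup as failed rather than carrying on with no UNIX user behind the session.
add_unix_user() {
    name="$1"
    if ! validate_username "$name"; then
        "$LOGGER" -t samba-adduser "rejected malformed user name from smbd"
        return 1
    fi
    if user_exists "$name"; then
        return 0    # idempotent: nothing to do, smbd can continue
    fi
    # -g users / -m / -s are assumptions matching the "useradd -g users" reply.
    "$USERADD" -g users -m -s /bin/sh "$name" || return 1
    "$LOGGER" -t samba-adduser "created UNIX user $name on demand"
}

# When invoked by smbd there is exactly one argument: the expanded %u.
if [ $# -eq 1 ]; then
    add_unix_user "$1"
fi
```

Only %u is expanded for this option; there is no variable carrying the password, which is why the documentation says the script is not meant to set one.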
murrah boswell wrote:
>> The add user script I use is "/usr/sbin/useradd -g users %u". The
>> script should only add one user at a time as far as I know. Here is
>> what the SWAT documentation has to say about it:
>>
>> [...]
>
> I guess I completely misunderstood the functionality of the "add user
> script" option. Teach me to RTFM.
>
>> When the Windows user attempts to access the Samba server, at login
>> (session setup in the SMB protocol) time, smbd(8) contacts the
>> password server and attempts to authenticate the given user with the
>> given password. If the authentication succeeds then smbd attempts to
>> find a UNIX user in the UNIX password database to map the Windows
>> user into. [...]
>
> I see here, and in the smb.conf man pages now, that I need to set up a
> password server for this to work. But I believe there are other issues
> I need to resolve for my project.
>
> My objective is to have an LTSP (Linux Terminal Server Project,
> utilizing https://fedorahosted.org/k12linux/wiki/LiveServer)
> server/client environment in a school system where students can boot
> off of a USB stick or CD from any workstation or laptop and access
> group specific samba shares in the environment. Ideally they would be
> able to access the shares from the on-site school environment and from
> home (or off-site).
>
> I still have tons of homework to do on this project, but I do thank
> you for pointing me to clarification on the "add user script" option.
>
> One of my thoughts here is to allow a user on an unknown machine to
> request that their machine be allowed to create a trusted machine
> account after their username/password has been authenticated and they
> respond to an email sent to their email address on record. Does this
> make sense or am I adding too much complexity to the project?

The way Windows operates is that machine accounts need a user with Domain Administration privileges to add the machine. This could be done by the user requesting access somehow and then using the e-mail reply to trigger a script running on a Domain Controller to add the machine account. However, the user can't log in with their domain account until the machine they are on is added to the domain. This makes your idea difficult to implement. Possibly setting up a web interface on a Domain Controller, letting the user authenticate to it (against the samba passwords) and having that send the e-mails for them to reply to. It sounds like it may be doable but it will be complicated.

> Regards,
> Murrah Boswell