Chris Smith
2011-Aug-06 14:23 UTC
[Samba] tattooing of tdbsam backend with logon script value
All users whose "logon script" values have not been explicitly defined automagically inherit the value that "logon script" is set to in smb.conf. And one can change the "logon script" for all such users simply by changing said value in smb.conf. However, once a logon script value has been explicitly defined for a user this inheritance ability (as the explicit definition should not be overwritten) seems forever lost. I have not found a method to undo this tattooed state to allow for the automagic inheritance of the smb.conf "logon script" value. Therefore said users, who have once had an explicitly defined "logon script" value can (seemingly) no longer be returned to the state where they use whatever "logon script" is defined in smb.conf.

Is there a way to reset said users, removing the tattooing effect?

Thanks,
Chris
Pat Emblen
2011-Oct-15 03:56 UTC
[Samba] tattooing of tdbsam backend with logon script value
On 07/08/11 00:23, Chris Smith wrote:
> All users whose "logon script" values have not been explicitly defined
> automagically inherit the value that "logon script" is set to in
> smb.conf. And one can change the "logon script" for all such users
> simply by changing said value in smb.conf. However, once a logon
> script value has been explicitly defined for a user this
> inheritance ability (as the explicit definition should not be
> overwritten) seems forever lost. I have not found a method to undo
> this tattooed state to allow for the automagic inheritance of the
> smb.conf "logon script" value. Therefore said users, who have once had
> an explicitly defined "logon script" value can (seemingly) no longer
> be returned to the state where they use whatever "logon script" is
> defined in smb.conf.
>
> Is there a way to reset said users, removing the tattooing effect?
>
> Thanks,
>
> Chris

Hi Chris

If this is still relevant to you, I've found a workaround. The tdbtool dump of the user entry looked identical to the original after doing this. My user was logged out at the time.

Note the user's current settings (including SID):
    # pdbedit -Lvu bill

Delete their account:
    # pdbedit -x -u bill

Recreate it:
    # smbpasswd -a bill

Change their SID to their old one:
    # pdbedit -r -u bill -U S-9-9-99-SCRAMBLED-SCRAMBLED-SCRAMBLED-FAKE

You'd also obviously change any other custom settings they had.

This has worked for me with no noticeable side effects, but it feels very hackish, maybe others have a better way.

Also, a bit of background info I found while trying to fix this problem. Looking at the passdb.tdb with tdbtool, you can see that there is one extra byte (0x01) in an entry with the logon script set to '', compared to a 'fresh' entry (that does use the smb.conf default logon script). It would be much nicer if pdbedit had an option to reset this ... (hint hint)

tdbtool has a very rustic interface, a particular quirk is that you need to append '\0' to the key name to find the user entry.
    # tdbtool /var/lib/samba/passdb.tdb
    >show USER_bill\0

If you could figure out how to drive tdbtool's 'store KEY DATA' you would probably be able to modify the entry in one step, but this seems even more hackish.

Hope this helped
Pat
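
The workaround in the message above, as an added dry-run helper that is not part of the original thread and not Samba project code: it reads saved `pdbedit -Lv` output, refuses to plan a delete unless a User SID was captured, and prints the commands without running them. The function names, the sample output and its SID are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `pdbedit -Lv -u bill` output (placeholder SIDs).
sample_pdbedit_output() {
cat <<'EOF'
Unix username:        bill
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-3001
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-513
Full Name:            Bill Example
Home Directory:       \\server\bill
Logon Script:         old-logon.bat
EOF
}

# field LABEL: print the value of the line starting "LABEL:" (stdin).
# Matching at column 1 keeps "User SID" distinct from "Primary Group SID".
field() {
    awk -v label="$1" '
        index($0, label ":") == 1 {
            v = substr($0, length(label) + 2)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }'
}

# restore_plan USER: read pdbedit -Lv output on stdin and print the
# delete / recreate / restore-SID commands. Nothing is executed.
restore_plan() {
    user=$1
    dump=$(cat)
    sid=$(printf '%s\n' "$dump" | field "User SID")
    case $sid in
        S-1-*) ;;   # a SID was captured, safe to plan the delete
        *) echo "no User SID recorded for $user; not planning a delete" >&2
           return 1 ;;
    esac
    printf 'pdbedit -x -u %s\n' "$user"
    printf 'smbpasswd -a %s\n' "$user"   # prompts for a new password
    # No -S here: setting the logon script explicitly is what tattoos it.
    printf 'pdbedit -r -u %s -U %s\n' "$user" "$sid"
}

sample_pdbedit_output | restore_plan bill
```

Keep the saved `pdbedit -Lv` output until the recreated account has been checked against it.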
Harry Jede
2011-Oct-15 08:15 UTC
[Samba] tattooing of tdbsam backend with logon script value
On 10:09:50 wrote Chris Smith:
> All users whose "logon script" values have not been explicitly
> defined automagically inherit the value that "logon script" is set
> to in smb.conf. And one can change the "logon script" for all such
> users simply by changing said value in smb.conf. However, once a
> logon script value has been explicitly defined for a user this
> inheritance ability (as the explicit definition should not be
> overwritten) seems forever lost. I have not found a method to undo
> this tattooed state to allow for the automagic inheritance of the
> smb.conf "logon script" value. Therefore said users, who have once
> had an explicitly defined "logon script" value can (seemingly) no
> longer be returned to the state where they use whatever "logon script"
> is defined in smb.conf.
>
> Is there a way to reset said users, removing the tattooing effect?

Set the value of "logon script" to the empty string "".

    # pdbedit -S "" <user>

This works with ldapsam and should also work with tdbsam.

>
> Thanks,
>
> Chris

--
Regards
Harry Jede