cYuSeDfZfb cYuSeDfZfb
2023-Feb-02 13:39 UTC
[Samba] winbind for nsswitch, without AD membership
Hi,

Winbind is not installed and not running, so that's not it.

Anyway, guess we'll have to live with the double user creation.

Thanks for the quick help, Ralph and Rowland.

On Thu, 2 Feb 2023 at 13:47, Ralph Boehme <slow at samba.org> wrote:
>
> On 2/2/23 12:23, cYuSeDfZfb cYuSeDfZfb wrote:
> > Thanks for the useful parameter. I implemented it in my samba config,
> > but the script is never called from samba, instead the logon is denied
> > with NT_STATUS_NO_SUCH_USER.
>
> the exact mechanics escape my mind, but I noticed that in one place
> where we hook the script we only do it if winbindd is *not* running. So
> since you're running Samba as a standalone server, running without
> winbindd might work to some extent.
>
> Alternative iirc the script is also called if you run pdbedit or smbpasswd.
>
> -slow
>
> --
> Ralph Boehme, Samba Team https://samba.org/
> SerNet Samba Team Lead https://sernet.de/en/team-samba
>
cYuSeDfZfb cYuSeDfZfb
2023-Feb-02 13:43 UTC
[Samba] winbind for nsswitch, without AD membership
Ah wait! You're saying that when adding a samba user with "smbpasswd -a" the script is also called.

And it IS :-) I just checked it. So no need for double user creation after all!

Thanks!

On Thu, 2 Feb 2023 at 14:39, cYuSeDfZfb cYuSeDfZfb <cyusedfzfb at gmail.com> wrote:
>
> Hi,
>
> Winbind is not installed and not running, so that's not it.
>
> Anyway, guess we'll have to live with the double user creation.
>
> Thanks for the quick help, Ralph and Rowland.
>
> On Thu, 2 Feb 2023 at 13:47, Ralph Boehme <slow at samba.org> wrote:
> >
> > On 2/2/23 12:23, cYuSeDfZfb cYuSeDfZfb wrote:
> > > Thanks for the useful parameter. I implemented it in my samba config,
> > > but the script is never called from samba, instead the logon is denied
> > > with NT_STATUS_NO_SUCH_USER.
> >
> > the exact mechanics escape my mind, but I noticed that in one place
> > where we hook the script we only do it if winbindd is *not* running. So
> > since you're running Samba as a standalone server, running without
> > winbindd might work to some extent.
> >
> > Alternative iirc the script is also called if you run pdbedit or smbpasswd.
> >
> > -slow
> >
> > --
> > Ralph Boehme, Samba Team https://samba.org/
> > SerNet Samba Team Lead https://sernet.de/en/team-samba
> >
On 2/2/23 08:39, cYuSeDfZfb cYuSeDfZfb via samba wrote:
> Hi,
>
> Winbind is not installed and not running, so that's not it.
>
> Anyway, guess we'll have to live with the double user creation.
>
> Thanks for the quick help, Ralph and Rowland.
>
> On Thu, 2 Feb 2023 at 13:47, Ralph Boehme <slow at samba.org> wrote:
>> On 2/2/23 12:23, cYuSeDfZfb cYuSeDfZfb wrote:
>>> Thanks for the useful parameter. I implemented it in my samba config,
>>> but the script is never called from samba, instead the logon is denied
>>> with NT_STATUS_NO_SUCH_USER.
>> the exact mechanics escape my mind, but I noticed that in one place
>> where we hook the script we only do it if winbindd is *not* running. So
>> since you're running Samba as a standalone server, running without
>> winbindd might work to some extent.
>>
>> Alternative iirc the script is also called if you run pdbedit or smbpasswd.
>>
>> -slow
>>
>> --
>> Ralph Boehme, Samba Team https://samba.org/
>> SerNet Samba Team Lead https://sernet.de/en/team-samba
>>

Have you considered allowing this node to be an OpenLDAP/Kerberos Client, and then caching accounts using nss_updatedb in the old school manner?