Transparent Samba Account Creation/Authentication using NT DC

[OMeara, Randy]

	My approach to configuring Samba was that I refused to duplicate the
effort required to manage user accounts under NT.  My resource domain
already had the accounts.  I did everything I could to stay away from manual
(or even programmatic) manipulation of the smbpasswd file.  The smbpasswd
file is not used or required in the following scenario.

	There have been some very important Samba innovations recently, and
more are coming in the very near future.  With 'security = domain' and some
simple scripting via 'add user script = some_script', it is possible to
create *local* Unix accounts on-the-fly.  Passwords are not stored on the
Samba server and authentication is provided by an NT DC.  Voila!  No effort
is required to keep accounts/passwords synced with NT! Of course it's not
quite as simple as this, but very near ;-)  You could move these
auto-created accounts to your NIS database if you wish, but since there are
no Unix-stored passwords, you never have to worry about syncing passwords to
Unix.

	The very act of 'browsing' your Samba server can (under your
control, of course) create a local (Samba-only) user account, create a user
directory, mount that directory (the share appears as the user's name),
establish a disk use quota, and email a message to you that the account was
created.  I think that's pretty slick!  And it's quick!

	I have included with this message my samba_add_user Perl script and
excerpts from smb.conf.  The key elements of the smb.conf file are:
'security = domain', and 'add user script = .../samba_add_user %u'.

	I hope this is useful to you, or at least points the way for you to
refine what I have done.  I am interested in hearing about your experiences
with this.  I have not (yet) checked to see how NT domain groups play into
the way that Samba requests authentication from the NT DC.  I assume that
*any* valid NT domain username/password will pass this authentication
successfully.

	One caveat: if you have specified Logon Workstations restrictions
for an NT account  under NT's User Manager (User Properties, Logon
Workstations), then Samba's method of requesting authentication of that
account from the DC will fail unless the Samba server's netbios name appears
in the list of workstation restrictions.  Why?  I don't know.  I would guess
that the Samba server provides its own name to NT rather than the
originating workstation.  This may be (probably is) a bug in Samba.

	This is all based on Linux 2.2.3 with Samba 2.0.3.

Enjoy!

---
Randy O'Meara
Information Systems
IT Implementation
Lockheed Martin, Santa Cruz Facility


************smb.conf
# Samba config file created using SWAT
# Global parameters
	workgroup = DOM
	server string = DOM,SMB,NFS
	security = DOMAIN
	encrypt passwords = Yes
	map to guest = Bad User
	password server = DOMDC DOMBDC1 DOMBDC2 DOMBDC3
	log file = /var/log/samba/%m
	max log size = 50
	lpq cache time = 0
	socket options = TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
	add user script = /usr/local/samba/bin/samba_add_user %u
	wins server = 111.222.333.444
	lock dir = /var/lock/smb
	default service = reference
	guest account = ftp
	invalid users = root
	admin users = su
	mangle case = Yes

[tmp]
	comment = ONE WEEK Max Storage Period!
	path = /x/tmp
	read only = No
	create mask = 0777
	guest ok = Yes

[transfer]
	comment = TWO WEEKS Max Storage Period!
	path = /x/transfer
	read only = No
	create mask = 0777
	guest ok = Yes

[homes]
	comment = home directories
	read only = No
	create mask = 0700
	browseable = No

[cdrom]
	comment = Internal CD-ROM
	path = /cdrom
	guest ok = Yes
	locking = No

[printers]
	comment = All Printers
	path = /usr/spool/samba
	print ok = Yes
	browseable = No

[softlib]
	comment = Software Repository
	path = /x/softlib
	write list = @slib_rw
	read only = No

[admin$]
	comment = Fake NT Admin$ Share
	path = /x/tmp
************end smb.conf

************samba_add_user
#!/usr/bin/perl
#
# Script to add Samba User to local account database.
# rmo -- 4/19/99
#
# This script is invoked from smbd (AS ROOT) when smb.conf:
#   1. 'security' = server OR domain
#   2. smbd is able to authenticate current user via 'password server'
#   3. no local or NIS account exists for the presently connecting user
#   4. 'add user script' specifies this script
#
# invoked as: samba_add_user %u
#  where %u is current user name
#
# This script performs the following actions:
#   1. creates %u local account and home directory via useradd(8).
#   2. establishes user disk quotas via edquota(8).
#   3. logs success/failure via logger(1).
#   4. reports success/failure to 'root' via mail(1).


# Log Options (logger)
$LOG_LEVEL	= "auth.notice";		# Syslog facility.level

# Account Creation Options (useradd)
#
$CMNT		= "created by samba_add_user";	# Comment passwd field
$HOME		= "-m";				# Make home directory
$SHL		= "/bin/false ";		# Default shell

# Quota Options (edquota)
#
$QUOTA_PROFILE	= "qusr1";			# Quota profile

sub dolog {
    # Enter message into syslog
    my $msg = shift;
    my $LOGGER="/usr/bin/logger -t samba_add_user -i -p $LOG_LEVEL";
    `$LOGGER $msg`;
}

sub domail {
    # Report success/failure to 'root' via mail
    my $acct = shift;
    my $sta  = shift;
    my $host = `hostname`;chop($host);
    my $fail = "";
    my $msg =   "Account:       [$acct]\n".
		"Host:          $host\n".
	    	"Cmd:          $0\n".
	    	"Quota Profile: $QUOTA_PROFILE\n".
	    	"\n";
    if ( $sta eq "ok" ) {	# Success
	$msg .= "Account was auto-created when the smbd daemon received\n".
		"a connection request.  The account did not exist and
was\n".
		"created automatically.\n".
		"\n".
		"Please review this new account for rights, groups, and\n".
		"quota at your earliest convenience.\n".
		"\n".
		"Have a pleasant day!\n";
    } else {			# Failure
        $fail = " FAILED!";
	$msg .= "Results:       $sta\n\n";
	$msg .= "Account auto-creation FAILED when the smbd daemon
received\n".
		"a connection request.  The account did not exist and
was\n".
		"NOT  created automatically.\n".
		"\n".
		"Please review the Host syslog and determine the fault
at\n".
		"your earliest convenience.\n".
		"\n".
		"Have a (almost) pleasant day!";
    }
    my $ml = open(MAIL,"| mail root -s \"Samba Account Creation
[$acct]$fail\"");
    if ( $ml ) {
	print MAIL $msg;
	close( MAIL );
    } else {
	dolog( "Failed to open mail pipe!" );
    }
}

sub doacct {
    # Create account
    #
    my $usr = shift;
    my $cmd="/usr/sbin/useradd -c '$CMNT' $HOME -s $SHL $usr 2>&1";

    my @res=`$cmd`;
    my $sta=$?;
    if ( $sta != 0 ) {
	domail( $usr, join(" ", at res) );
	dolog( "[$usr] creation Failure in doacct" );
	exit 1;
    }
}

sub doquota {
    # Establish small Quota
    my $usr = shift;
    my $cmd = "/usr/sbin/edquota -p $QUOTA_PROFILE $usr 2>&1";
    my @res = `$cmd`;
    my $sta = $?;
    if ( $sta == 0 ) {
	domail( $usr, "ok" );
	dolog( "[$usr] creation Success" );
    } else {
	domail( $usr, join(" ", at res) );
	dolog( "[$usr] creation Failure in doquota" );
        exit 2;
    }
}


# The Main Stuff
#
    my $usr = shift;
    dolog( "add [$usr]" );
    doacct( $usr );
    doquota( $usr );
************end samba_add_user