[Samba] Samba+PDC+LDAP+add user script - problem

Markus Schabel markus.schabel at tgm.ac.at
Fri Jul 5 10:46:02 GMT 2002


> > Hi!
> >
> > I've a problem, I'm using samba 2.2.5-1 (debian unstable source), which I
> > compiled as the idealx howto explains, and all seems to work fine. Adding
> > Computer Accounts with "smbldap-useradd.pl -w <name>" works fine, but when I
> > specify
> > add user script = /usr/local/sbin/smbldap-useradd.pl -w %
> > in the smb.conf, it works fine for the first computer I add automatically. But
> > when I add another computer, all is broken. I can't connect to the domain from
> > the first and from the second computer.
> > What happens when I add the second computer is that the password-entries in
> > the ldap FOR the second computer are stored in the ldap-entries from the first
> > computer (also the cn and displayNames are overwritten), and the
> > password-entries in the ldap-entry from the second computer are also filled,
> > but I've no idea where these hashes come from - they simply don't work, because
> > the working entries are changed in the wrong computer-entry in the ldap.
> >
> > But when I run the smbldap-useradd.pl script as root/administrator (tried both)
> > from the shell all works fine.
> >
> > Any ideas where the problem is?
> >
> > greetz
>
> What exactly happens is that the smbldap-useradd.pl script creates the
> machine-trust-accounts correctly, but when the client generates the
> password-hashes for the PDC, samba inserts these hashes in the wrong LDAP-entry
> (based on a wrong rid). Any idea how I can solve this?

I have to correct this: smbldap-useradd.pl creates correct accounts from the
shell, but not when called from samba. The problem is that samba calls this
script as user "administrator" (which is used to add the client to the domain,
uid 998, generated via smbldap-populate.pl), and not as user root as I thought.
The problem with the smbldap-useradd.pl script is that it uses "getpwuid", which
could only be called by root (at least on my debian-woody-box). So each account
gets the start uid (1000) and the start rid (3000), which simply doesn't work.

To overcome this problem I've written a little C program, which is setuid and
called from smbldap-useradd.pl. I've no idea if this works, I'll test it after
the weekend, but if there are any suggestions for a better solution, I'll try
them ;)

Here is the C program (ok, a little bit of error processing could be added):

#include <stdio.h>
#include <stdlib.h>
#include <pwd.h>
#include <sys/types.h>

/* Installed setuid root as /usr/local/sbin/getnextuid, so that the
 * getpwuid() lookups see the accounts even when smbldap-useradd.pl
 * is run by samba as user "administrator". */
int main( int argc, char *argv[] )
{
        uid_t userid = 1000;    /* first uid to try (the $UID_START of the script) */

        (void) argc;
        (void) argv;

        /* walk upwards until getpwuid() reports no account for the uid;
         * NULL also means a failed lookup, which is not distinguished here */
        while ( getpwuid( userid ) != NULL )
        {
                userid++;
        }

        /* no trailing newline: the Perl caller uses the value unchomped */
        printf( "%d", (int) userid );

        return 0;
}

And the modifications to smbldap-useradd.pl (you can see there is a call to
getpwuid left; this could be removed by another small C program [or a modified
version of the program above]):

*** smbldap-useradd.pl  Wed Jul  3 12:01:19 2002
--- smbldap-useradd.pl       Fri Jul  5 19:34:55 2002
***************
*** 74,83 ****
  my $userUidNumber = $Options{'u'};
  if (!defined($userUidNumber)) {
        # find first unused uid starting from $UID_START
!       while (defined(getpwuid($UID_START))) {
!               $UID_START++;
!       }
!       $userUidNumber = $UID_START;
  } elsif (getpwuid($userUidNumber)) { die "Uid already exists.\n"; }

  if ($nscd_status == 0) {
--- 74,82 ----
  my $userUidNumber = $Options{'u'};
  if (!defined($userUidNumber)) {
        # find first unused uid starting from $UID_START
!       open( FOO, "-|" ) || exec "/usr/local/sbin/getnextuid";
!       $userUidNumber = <FOO>;
!       close FOO;
  } elsif (getpwuid($userUidNumber)) { die "Uid already exists.\n"; }

  if ($nscd_status == 0) {
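Review bot: The new `$userUidNumber = <FOO>;` uses whatever the helper printed without any check: if `/usr/local/sbin/getnextuid` is missing or not executable, the `exec` in the child fails, `<FOO>` returns undef and the script carries on with an undefined uid, and the read is also never chomped (it only works because the helper prints `%d` with no trailing newline). Suggest replacing the bare assignment with a validated read, e.g. `chomp($userUidNumber = <FOO>);` followed by `die "getnextuid failed\n" unless defined $userUidNumber && $userUidNumber =~ /^\d+$/;`. The `elsif (getpwuid($userUidNumber))` branch in the context still relies on the lookup that the description says fails for the non-root caller, so an explicit `-u` is still not checked against LDAP. Note also that both the removed loop and the helper allocate by scanning for the first uid that is not yet visible, so two adds running at the same time can be handed the same uid; that race is unchanged by this hunk.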
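As an added illustration of the uid allocation rule that the Perl loop and the getnextuid helper both implement (this is not code from the thread or from the smbldap tools), the following C program applies the same first-unused-uid scan to a constructed passwd(5)-format table instead of the live NSS database, and validates a helper's printed output the way the Perl caller should before using it as a uid. The function names, the sample accounts and the table are assumptions made for this example. Running it with an empty table reproduces the symptom from the message: a caller whose account lookups all come back empty is always handed the start uid.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <sys/types.h>

/* Constructed sample table for the example, not a real system's passwd. */
const char *SAMPLE_PASSWD =
    "root:x:0:0:root:/root:/bin/sh\n"
    "administrator:x:998:998::/dev/null:/bin/false\n"
    "pc1$:x:1000:515::/dev/null:/bin/false\n"
    "pc2$:x:1001:515::/dev/null:/bin/false\n"
    "pc4$:x:1003:515::/dev/null:/bin/false\n";

/* Extract the uid (third field) from one "name:pw:uid:gid:..." line.
 * Returns 1 on success, 0 if the line is malformed. */
int passwd_line_uid(const char *line, uid_t *uid)
{
    const char *p = line;
    int field;
    for (field = 0; field < 2; field++) {     /* skip name and password */
        p = strchr(p, ':');
        if (p == NULL)
            return 0;
        p++;
    }
    if (!isdigit((unsigned char)*p))          /* refuse "", "-5", " 7" */
        return 0;
    char *end;
    unsigned long v = strtoul(p, &end, 10);
    if (*end != ':')
        return 0;
    *uid = (uid_t)v;
    return 1;
}

/* First uid >= start not used by any line of the table: the same rule as the
 * Perl loop and the getnextuid helper.  Returns 0 on a malformed table so a
 * failure cannot be mistaken for a free uid (0 is root, never allocated here). */
uid_t next_free_uid(const char *table, uid_t start)
{
    uid_t used[256];
    size_t n = 0;
    const char *line = table;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf)
            return 0;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (len > 0) {
            uid_t u;
            if (!passwd_line_uid(buf, &u) || n == sizeof used / sizeof used[0])
                return 0;
            used[n++] = u;
        }
        line = nl ? nl + 1 : line + len;
    }
    uid_t cand = start;
    for (;;) {
        size_t i;
        for (i = 0; i < n; i++)
            if (used[i] == cand)
                break;
        if (i == n)
            return cand;
        cand++;
    }
}

/* Validate a helper's output before trusting it as a uid: non-empty (a failed
 * exec prints nothing), digits only with at most one trailing newline, not 0
 * and not the "no uid" value -1.  Returns 0 when the output is unusable. */
uid_t parse_helper_uid(const char *output)
{
    if (output == NULL || !isdigit((unsigned char)*output))
        return 0;
    char *end;
    unsigned long v = strtoul(output, &end, 10);
    if (*end == '\n')
        end++;
    if (*end != '\0' || v == 0 || v > 0xFFFFFFFEUL)
        return 0;
    return (uid_t)v;
}

int main(void)
{
    printf("next free uid from 1000: %u\n", (unsigned)next_free_uid(SAMPLE_PASSWD, 1000));
    /* an unprivileged caller that sees no accounts at all gets the start uid */
    printf("with an empty view: %u\n", (unsigned)next_free_uid("", 1000));
    printf("helper said \"1002\\n\": %u\n", (unsigned)parse_helper_uid("1002\n"));
    return 0;
}
```

The point of the two helpers is the same one the thread stumbles over: "no entry found" and "lookup failed or returned nothing" look identical to a scan like this, so the scan must run with a complete view of the accounts, and whatever consumes its output must reject an empty or non-numeric result instead of carrying on.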