[Samba] question "add user script"
garydale at rogers.com
Sat May 9 20:11:46 GMT 2009
murrah boswell wrote:
>> The add user script I use is "/usr/sbin/useradd -g users %u". The
>> script should only add one user at a time as far as I know. Here is
>> what the SWAT documentation has to say about it:
>> add user script (G)
>> This is the full pathname to a script that will be run AS ROOT by
>> smbd(8) <http://whenim64:901/swat/help/manpages/smbd.8.html>
>> under special circumstances described below.
>> Normally, a Samba server requires that UNIX users are created for
>> all users accessing files on this server. For sites that use Windows
>> NT account databases as their primary user database creating these
>> users and keeping the user list in sync with the Windows NT PDC is
>> an onerous task. This option allows smbd to create the required UNIX
>> users ON DEMAND when a user accesses the Samba server.
> I guess I completely misunderstood the functionality of the "add user
> script" option. Teach me to RTFM.
>> When the Windows user attempts to access the Samba server, at login
>> (session setup in the SMB protocol) time, smbd(8)
>> <http://whenim64:901/swat/help/manpages/smbd.8.html> contacts the
>> password server
>> and attempts to authenticate the given user with the given password.
>> If the authentication succeeds then smbd attempts to find a UNIX
>> user in the UNIX password database to map the Windows user into. If
> I see here, and in the smb.conf man pages now, that I need to setup a
> password server for this to work. But I believe there are other issues
> I need to resolve for my project.
> My objective is to have a LTSP (Linux Terminal Server Project
> utilizing https://fedorahosted.org/k12linux/wiki/LiveServer)
> server/client environment in a school system where students can boot
> off of a USB stick or CD from any workstation or laptop and access
> group specific samba shares in the environment. Ideally they would be
> able to access the shares from the on-site school environment and from
> home (or off-site).
> I still have tons of homework to do on this project, but I do thank
> you for pointing me to clarification on the "add user script" option.
> One of my thoughts here is to allow a user on an unknown machine to
> request that their machine be allowed to create a trusted machine
> account after their username/password has been authenticated and they
> respond to an email sent to their email address on record. Does this
> make sense or am I adding too much complexity to the project?
The way Windows operates is that machine accounts need a user with
Domain Administration privileges to add the machine. This could be done
by the user requesting access somehow and then using the e-mail reply to
trigger a script running on a Domain Controller to add the machine account.
However, the user can't log in with their domain account until the
machine they are on is added to the domain. This makes your idea
difficult to implement. Possibly setting up a web interface on a Domain
Controller, letting the user authenticate to it (against the samba
passwords) and having that send the e-mails for them to reply to.
It sounds like it may be doable but it will be complicated.
> Murrah Boswell
>> this lookup fails, and add user script
>> is set then smbd will call the specified script AS ROOT,
>> expanding any %u argument to be the user name to create.
>> If this script successfully creates the user then smbd will
>> continue on as though the UNIX user already existed. In this way,
>> UNIX users are dynamically created to match existing Windows NT
>> See also security
>> password server
>> delete user script
>> Default: add user script =
>> Example: add user script = /usr/local/samba/bin/add_user %u
>> Note that the script is not intended to add multiple users nor set
>> their passwords. It is supposed to add a single Unix user only.
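As an added example (not from this thread or from Samba's own code), here is the kind of script the option points at. It assumes smb.conf carries `add user script = /usr/local/sbin/samba_add_user %u`, validates the client-supplied name before useradd ever sees it (smbd runs the script as root), and lets the useradd command be overridden through USERADD so the logic can be exercised without root.

```shell
#!/bin/sh
# samba_add_user: wrapper for Samba's "add user script" (example, not Samba code).
# smbd runs this AS ROOT and expands %u to whatever name the Windows client sent,
# so the name is checked against a strict allow-list before useradd is called.
# Assumed smb.conf line:  add user script = /usr/local/sbin/samba_add_user %u

# Accept only conventional UNIX user names: a letter or underscore first, then
# letters, digits, underscore, hyphen or dot, at most 32 characters in total
# (this is an assumed policy; tighten it to match the site's naming rules).
# Returns 0 when the name is acceptable, 1 otherwise.
valid_unix_name() {
    name=$1
    [ -n "$name" ] || return 1
    [ ${#name} -le 32 ] || return 1
    case $name in
        *[!a-zA-Z0-9._-]*) return 1 ;;   # any character outside the allow-list
        [!a-zA-Z_]*)       return 1 ;;   # first character must be a letter or _
    esac
    return 0
}

# Create the UNIX user with the same command the thread uses
# ("/usr/sbin/useradd -g users"). Refuses invalid names; treats an already
# existing user as success because smbd only needs the account to be present.
# USERADD may be set to another command (e.g. echo) for testing without root.
samba_add_user() {
    name=$1
    useradd_cmd=${USERADD:-/usr/sbin/useradd}
    if ! valid_unix_name "$name"; then
        echo "samba_add_user: refusing invalid user name" >&2
        return 1
    fi
    if getent passwd "$name" >/dev/null 2>&1; then
        echo "samba_add_user: user already exists: $name" >&2
        return 0
    fi
    # "--" ends option parsing so the name can never be read as a flag
    "$useradd_cmd" -g users -- "$name"
}

# When smbd invokes the script directly, act on the single %u argument.
if [ "${1:-}" != "" ]; then
    samba_add_user "$1"
fi
```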