[Samba] Not sure I understand when add user script is called

Andrew Masterson Andrew.Masterson at nuvistaenergy.com
Fri Feb 18 09:38:07 MST 2011

Here's how we do it.  There are a thousand variations on a theme (samba

        path = /data/homes/%D/%S
        valid users = "@XXXXXX+domain admins", %S
        read only = No
        root preexec = /data/Backup/createhomes.sh %D %S

Shell script looks like (creates /data/homes/<DOMAIN NAME>/<USERNAME>)


#!/bin/sh
# $1 = domain (%D), $2 = share/user name (%S); invoked as root by "root preexec"
if [ ! -d "/data/homes/$1/$2" ]; then
        mkdir "/data/homes/$1/$2"
        chmod g+s "/data/homes/$1/$2"
        chown "$2":"domain admins" "/data/homes/$1/$2"
        chmod 770 "/data/homes/$1/$2"
        /usr/bin/setfacl -m g:"domain admins":rwx "/data/homes/$1/$2"
        /usr/bin/setfacl -m u:"$2":rwx "/data/homes/$1/$2"
fi
exit 0


-----Original Message-----
From: samba-bounces at lists.samba.org
[mailto:samba-bounces at lists.samba.org] On Behalf Of Jack Downes
Sent: Friday, February 18, 2011 12:29 AM
To: samba at lists.samba.org
Subject: [Samba] Not sure I understand when add user script is called

I've built a domain member.  It works pretty good with the exception 
that I want on-the-fly home directories being built.  I'm not sure this 
is doable with a domain member as everything I've tried isn't even 
called - as far as I can tell.  Using log level 3.

If anyone can shed light on how to dynamically create home directories, 
that'd be great.

Anyway, here's my latest incarnation of smb.conf.

     display charset = UTF-8
     workgroup = KRH
     realm = KRH.INT
     netbios aliases = hitstor
     server string = HIT anything server
     interfaces =
     bind interfaces only = Yes
     security = ADS
     auth methods = sam, winbind, trustdomain
     password server = kal-dc3.krh.int, kal-dc4.krh.int, kal-dc2.krh.int, *
     ntlm auth = No
     client NTLMv2 auth = Yes
     log level = 1
     syslog = 0
     log file = /var/log/samba/log.%U
     debug prefix timestamp = Yes
     smb ports = 139
     name resolve order = wins host bcast lmhost
     unix extensions = No
     server signing = auto
     lpq cache time = 10
     max open files = 20000
     socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
     name cache timeout = 60
     load printers = No
     printcap cache time = 60
     show add printer wizard = No
     add user script = /usr/sbin/pw useradd %u -g krh -k /usr/local/etc/skel -d /home/KRH
     local master = No
     domain master = No
     dns proxy = No
     wins server =
     utmp = Yes
     nmbd bind explicit broadcast = No
     host msdfs = No
     idmap uid = 10000-20000
     idmap gid = 10000-20000
     template shell = /usr/local/bin/bash
     winbind enum users = Yes
     winbind enum groups = Yes
     winbind use default domain = Yes
     winbind refresh tickets = Yes
     acl group control = Yes
     cups options = raw
     force printername = Yes
     wide links = Yes

     comment = Home Directories
     read only = No
     browseable = No

Here's the /etc/pam.d/system file:
# $FreeBSD: src/etc/pam.d/system,v 2010/06/14 02:09:06 kensmith Exp $
# System-wide defaults

# auth
auth        sufficient    pam_opie.so        no_warn no_fake_prompts
auth        requisite    pam_opieaccess.so    no_warn allow_local
auth            sufficient      /usr/local/lib/pam_winbind.so
#auth        sufficient    pam_krb5.so        no_warn try_first_pass
#auth        sufficient    pam_ssh.so        no_warn try_first_pass
auth        required    pam_unix.so        no_warn try_first_pass nullok

# account
#account     required    pam_krb5.so
account        required    pam_login_access.so
account        required    pam_unix.so

# session
#session     optional    pam_ssh.so
session        required    pam_lastlog.so        no_fail
session         required       /usr/local/lib/pam_mkhomedir.so 

# password
#password    sufficient    pam_krb5.so        no_warn try_first_pass
password    required    pam_unix.so        no_warn try_first_pass

More information about the samba mailing list
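
A hardened variant of the root preexec helper from the reply above, as an added example that is not part of the original thread: since the script runs as root on arguments expanded from %D and %S, it accepts each name only as a single path component and refuses symlinks before creating anything. The function names and the character allow-list are assumptions; the base path and group name are the ones shown in the post.

```shell
#!/bin/sh
# Added example: hardened variant of the root preexec helper shown in the post.
# HOMES_BASE and ADMIN_GROUP defaults mirror the post; function names are hypothetical.
LC_ALL=C; export LC_ALL
HOMES_BASE="${HOMES_BASE:-/data/homes}"
ADMIN_GROUP="${ADMIN_GROUP:-domain admins}"

# valid_name NAME: succeed only for a single, safe path component.
# The allow-list (letters, digits, dot, underscore, hyphen) is an assumption.
valid_name() {
    case "$1" in
        ''|.|..|-*) return 1 ;;            # empty, dot entries, option-like
        *[!A-Za-z0-9._-]*) return 1 ;;     # '/', spaces, shell metacharacters, ...
    esac
    return 0
}

# make_home_dir BASE DOMAIN USER: create BASE/DOMAIN/USER with mode 700.
# Returns 0 created, 1 already present, 2 bad name, 3 symlink, 4 mkdir error.
make_home_dir() {
    valid_name "$2" && valid_name "$3" || return 2
    parent="$1/$2"
    dir="$parent/$3"
    # Root must not follow a link planted where the home or its parent belongs.
    if [ -L "$parent" ] || [ -L "$dir" ]; then return 3; fi
    if [ -d "$dir" ]; then return 1; fi
    mkdir -p -- "$parent" || return 4
    mkdir -m 700 -- "$dir" || return 4
}

# Entry point when Samba runs: root preexec = /path/to/script %D %S
if [ "$#" -eq 2 ]; then
    make_home_dir "$HOMES_BASE" "$1" "$2"; rc=$?
    case "$rc" in 0) ;; 1) exit 0 ;; *) exit "$rc" ;; esac
    dir="$HOMES_BASE/$1/$2"
    # Ownership and ACLs as in the post; 2770 sets setgid and rwxrwx--- in one step.
    chown -- "$2:$ADMIN_GROUP" "$dir" &&
    chmod 2770 -- "$dir" &&
    setfacl -m "g:$ADMIN_GROUP:rwx,u:$2:rwx" -- "$dir" || exit 5
    exit 0
fi
```

With `root preexec close = Yes` set on the share, a non-zero exit from this script refuses the connection instead of letting it proceed without a home directory.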