[Samba] tattooing of tdbsam backend with logon script value

Pat Emblen samba at talbragar.com.au
Fri Oct 14 21:56:29 MDT 2011

On 07/08/11 00:23, Chris Smith wrote:
> All users whose "logon script" values have not been explicitly defined
> automagically inherit the value that "logon script" is set to in
> smb.conf. And one can change the "logon script" for all such users
> simply by changing said value in smb.conf. However, once a logon
> script value has been explicitly defined for a user this
> inheritance ability (as the explicit definition should not be
> overwritten) seems forever lost. I have not found a method to undo
> this tattooed state to allow for the automagic inheritance of the
> smb.conf "logon script" value. Therefore said users, who have once had
> an explicitly defined "logon script" value can (seemingly) no longer
> be returned to the state where they use whatever "logon script" is
> defined in smb.conf.
> Is there a way to reset said users, removing the tattooing effect?
> Thanks,
> Chris

Hi Chris
If this is still relevant to you, I've found a workaround.
The tdbtool dump of the user entry looked identical to the original
after doing this. My user was logged out at the time.

Note the user's current settings (including SID)
#pdbedit -Lvu bill

Delete their account:
#pdbedit -x -u bill

Recreate it:
#smbpasswd -a bill

Change their SID to their old one:
#pdbedit -r -u bill -U S-9-9-99-SCRAMBLED-SCRAMBLED-SCRAMBLED-FAKE

You'd also obviously change any other custom settings they had.

This has worked for me with no noticeable side effects, but it feels
very hackish, maybe others have a better way.

Also, a bit of background info I found while trying to fix this problem.
Looking at the passdb.tdb with tdbtool, you can see that there is one
extra byte (0x01) in an entry with the logon script set to '', compared
to a 'fresh' entry (that does use the smb.conf default logonscript).
It would be much nicer if pdbedit had an option to reset this ... (hint hint)

tdbtool has a very rustic interface, a particular quirk is that you need 
to append '\0' to the key name to find the user entry.

#tdbtool /var/lib/samba/passdb.tdb
>show USER_bill\0

If you could figure out how to drive tdbtool's 'store KEY DATA ' you
would probably be able to modify the entry in one step, but this seems
even more hackish.

Hope this helped
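
The delete / recreate / restore-SID sequence from the message above, as an added shell example that is not part of the original post: it parses a saved `pdbedit -Lv` listing and prints the commands to run, leaving "Logon Script" unset so the smb.conf value is inherited. The listing contents, the function names and the set of restorable fields are assumptions; `smbpasswd -a` prompts for a new password when actually run.

```shell
#!/bin/sh
# Added example: print (never run) the commands that rebuild a tattooed account
# from a saved `pdbedit -Lv -u USER` listing, keeping "Logon Script" inherited.

# Constructed listing; the SID is the placeholder used in the post above.
SAMPLE='Unix username:        bill
Account Flags:        [U          ]
User SID:             S-9-9-99-SCRAMBLED-SCRAMBLED-SCRAMBLED-FAKE
Full Name:            Bill Example
HomeDir Drive:        H:
Logon Script:         '

# field LABEL: read a listing on stdin, print the trimmed value after "LABEL:".
field() {
    sed -n "s/^$1:[[:space:]]*//p" | sed 's/[[:space:]]*$//' | head -n 1
}

# flag_for LABEL: pdbedit option that sets the field shown under LABEL.
# "Logon Script" is absent on purpose: setting it would tattoo the entry again.
flag_for() {
    case $1 in
        'Primary Group SID') printf '%s\n' -G ;;
        'Full Name')         printf '%s\n' -f ;;
        'Home Directory')    printf '%s\n' -h ;;
        'HomeDir Drive')     printf '%s\n' -D ;;
        'Profile Path')      printf '%s\n' -p ;;
        *) return 1 ;;
    esac
}

# restore_plan LISTING [LABEL...]: the SID is always restored; other fields
# only when the caller names them as custom settings.
restore_plan() {
    listing=$1; shift
    user=$(printf '%s\n' "$listing" | field 'Unix username')
    sid=$(printf '%s\n' "$listing" | field 'User SID')
    if [ -z "$user" ] || [ -z "$sid" ]; then
        echo "listing lacks username or SID" >&2; return 1
    fi
    opts="-U '$sid'"
    for label in "$@"; do
        flag=$(flag_for "$label") || { echo "unsupported field: $label" >&2; return 1; }
        val=$(printf '%s\n' "$listing" | field "$label")
        case $val in *\'*) echo "quote in value: $label" >&2; return 1 ;; esac
        if [ -n "$val" ]; then opts="$opts $flag '$val'"; fi
    done
    printf '%s\n' "pdbedit -x -u $user" "smbpasswd -a $user" "pdbedit -r -u $user $opts"
}

restore_plan "$SAMPLE" 'Full Name' 'HomeDir Drive'
```

Feed it the output saved from the first step (`pdbedit -Lvu bill`) and name only the fields that were set per user.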


