[Samba] tattooing of tdbsam backend with logon script value
samba at talbragar.com.au
Fri Oct 14 21:56:29 MDT 2011
On 07/08/11 00:23, Chris Smith wrote:
> All users whose "logon script" values have not been explicitly defined
> automagically inherit the value that "logon script" is set to in
> smb.conf. And one can change the "logon script" for all such users
> simply by changing said value in smb.conf. However, once a logon
> script value value has been explicitly defined for a user this
> inheritance ability (as the explicit definition should not be
> overwritten) seems forever lost. I have not found a method to undo
> this tattooed state to allow for the automagic inheritance of the
> smb.conf "logon script" value. Therefore said users, who have once had
> an explicitly defined "logon script" value can (seemingly) no longer
> returned to the state where they use whatever "logon script" is
> defined in smb.conf.
> Is there a way to reset said users, removing the tattooing effect?
If this is still relavent to you, I've found a work around.
The tdbtool dump of the user entry looked identical to the original
after doing this. My user was logged out at the time.
Note the users current settings (including SID)
#pdbedit -Lvu bill
Delete their account:
#pdbedit -x -u bill
#smbpasswd -a bill
Change their SID to their old one:
#pdbedit -r -u bill -U S-9-9-99-SCRAMBLED-SCRAMBLED-SCRAMBLED-FAKE
You'd also obviously change any other cusom settings they had.
This has worked for me with no noticable side effects, but it feels
very hackish, maybe others have a better way.
Also, a bit of background info I found while trying to fix this problem.
Looking at the passdb.tdb with tbdtool, you can see that there is one
extra byte (Ox01) in an entry with the logon script set to '' , compared
to a 'fresh' entry (that does use the smb.conf default logonscript)
It would be much nicer if pdbedit had an option to reset this ... hint hint)
tdbtool has a very rustic interface, a particular quirk is that you need
to append '\0' to the key name to find the user entry.
If you could figure out how to drive tdbtool's 'store KEY DATA ' you
would probably be able to modify the entry in one step, but this seems
a even more hackish.
Hope this helped
More information about the samba