[Samba] user creation with samba-tool issue

Rowland Penny rowlandpenny at googlemail.com
Thu Oct 24 07:50:52 MDT 2013

On 24/10/13 14:16, dahopkins at comcast.net wrote:
> ----- Original Message -----
> On 24/10/13 12:51, dahopkins at comcast.net wrote:
>> ----- Original Message -----
>> On Thu, 2013-10-24 at 02:48 +0000, dahopkins at comcast.net wrote:
>>>>> I am creating a user with samba-tool. I am essentially using the s4user script (very slight mods to echo some data and assign some site-specific data).
>>>>> The syntax in the script for a test user is
>>>>> samba-tool add user test.user47 Passw0rd!
>>>> Hi
>>>> No, strange. It doesn't work if you specify it on the command line of
>>>> the script but it does if you don't and type a password at the prompt.
>>>> Is specifying the password at user creation time an option for you?
>>>> Steve
>>> I actually didn't try not using a password with the script. I didn't want to delete that line of the script so I just echoed what the password had been set to instead. I'll test removing the password and typing it when prompted by the script. If this works, I guess it will have to be the work-around for the moment .. though doing this for 350+ accounts that need to be created isn't sounding very enticing.
>>> Sincerely,
>>> Dave
>> Hi, when you try to login, just where are you trying to log into? A
>> windows machine or the samba 4 server?
> We have LTSP servers that users log onto in addition to Windows Terminal Servers, so both Linux and Windows.  Account creation does work and it is possible as root to immediately use
> su - AccountName
> on a Linux system which logs in as that user.  However,
> ssh AccountName@linuxserver
> prompts for a password and that comes back with permission denied. As mentioned, resetting the password in ADUC allows logins to work correctly, whether Linux or Windows.
This is what I am getting when trying to login via ssh, will have to try 
resetting the password in ADUC.
>> Reason for asking is that I am using a similar script around samba-tool
>> and whilst I can login from windows with a domain user & password, I
>> seem to be struggling to login into the samba 4 server via ssh etc.
> I am using nslcd+nscd+k5start and keytab files for the Linux logins which is working well.
>> One last thing, I noticed that your script is adding the posixAccount
>> objectClass, you do not need to do this. The posixAccount & posixGroup
>> objectClasses are auxiliaries of the 'user' objectClass and as such are
>> never added or required by windows.
> My understanding is that I need these for Linux (e.g. rfc-2307) compliance. I have that specified in the smb.conf file.
> Dave
This seems to be everybody's understanding and it is wrong. If you open 
/usr/local/samba/share/setup/ad-schema/MS-AD_Schema_2K8_Classes.txt in 
your favourite editor and search for 'cn: User' you will find 
'auxiliaryClass: shadowAccount, posixAccount'. What this means is the 
mustContain, systemMustContain, mayContain, and
systemMayContain values of the auxiliary class are added to those of 
the class, or in other words, you get the posix attributes without 
adding the posixAccount objectclass. The same goes for posixGroup, it is 
an auxiliary of group.
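
The auxiliary-class resolution described in the message above, as an added example that is not part of the original post or of Samba's code. The schema excerpt is constructed in the "key: value" style of the ad-schema class files with abbreviated attribute lists, the function names are hypothetical, and the resolver goes slightly beyond the message by also following subClassOf.

```python
# Constructed excerpt in the "key: value" style of the Samba ad-schema class
# files; attribute lists are abbreviated samples, not the real file content.
SAMPLE = """\
cn: User
ldapDisplayName: user
subClassOf: organizationalPerson
auxiliaryClass: shadowAccount, posixAccount
mayContain: userCertificate, homePhone

cn: PosixAccount
ldapDisplayName: posixAccount
subClassOf: top
mayContain: uidNumber, gidNumber, unixHomeDirectory, loginShell, gecos

cn: ShadowAccount
ldapDisplayName: shadowAccount
subClassOf: top
mayContain: shadowLastChange, shadowExpire
"""

ATTR_KEYS = ("mustContain", "systemMustContain", "mayContain", "systemMayContain")
AUX_KEYS = ("auxiliaryClass", "systemAuxiliaryClass")

def parse_classes(text):
    """Return {ldapDisplayName (lowercased): {key: [values]}} per class block."""
    classes = {}
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            entry.setdefault(key.strip(), []).extend(
                v.strip() for v in value.split(",") if v.strip())
        if "ldapDisplayName" in entry:
            classes[entry["ldapDisplayName"][0].lower()] = entry
    return classes

def allowed_attributes(classes, name, seen=None):
    """Attributes a class permits, following auxiliary classes and subClassOf."""
    seen = set() if seen is None else seen
    entry = classes.get(name.lower())
    if entry is None or name.lower() in seen:  # class not in excerpt, or a cycle
        return set()
    seen.add(name.lower())
    attrs = {a for k in ATTR_KEYS for a in entry.get(k, [])}
    for parent in [p for k in AUX_KEYS + ("subClassOf",) for p in entry.get(k, [])]:
        attrs |= allowed_attributes(classes, parent, seen)
    return attrs

if __name__ == "__main__":
    print(sorted(allowed_attributes(parse_classes(SAMPLE), "user")))
```

With the constructed excerpt, the set returned for user includes uidNumber, gidNumber and loginShell even though only the user class is named.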