[Samba] Add user script does not trigger

Romain CABASSOT romain.cabassot at magellium.fr
Thu Jul 31 08:02:24 MDT 2014 

Hi,

I have a Samba 3 PDC/BDC with an LDAP backend and a Samba 3 file server configurer as domain member.
All was working fine but now when we create a new domain user and this one try to connect to the file server the add user script does not trigger anymore.
I was trying to solve this problem but it seems I can't make it...

So here is my fileserver configuration :
[global]
        workgroup = MYDOMAIN
        server string = MYSERVER
        security = DOMAIN
        map untrusted to domain = Yes
        log level = 3
        log file = /var/log/samba/%m.log
        max log size = 50
        name resolve order = wins host lmhosts bcast
        server signing = auto
        deadtime = 15
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
        load printers = No
        printcap name = /dev/null
        disable spoolss = Yes
        show add printer wizard = No
        add user script = /usr/sbin/useradd -g users -d /data/usr1/%u -m -s /bin/bash %u
        delete user script = /usr/sbin/userdel %u
        os level = 0
        local master = No
        domain master = No
        dns proxy = No
        idmap config * : backend = tdb
        printing = bsd
        print command = lpr -r -P'%p' %s
        lpq command = lpq -P'%p'
        lprm command = lprm -P'%p' %j
        winbind enum users = yes
        winbind enum groups = yes
        # This parameter specifies the number of seconds that Winbind's idmap interface will cache positive SID/uid/gid query results.
        # Default: idmap cache time = 604800 (one week)
        # Ici : 86400 (1 jour)
        idmap cache time = 86400
        # This parameter specifies the number of seconds that Winbind's idmap interface will cache negative SID/uid/gid query results.
        # Default: idmap negative cache time = 120
        idmap negative cache time = 120
        # This parameter specifies the number of seconds the winbindd(8) daemon will cache user and group information before querying a Windows NT server again.
        # This does not apply to authentication requests, these are always evaluated in real time unless the winbind offline logon option has been enabled.
        # Default: winbind cache time = 300
        winbind cache time = 60


[homes]
        comment = Repertoire personnel de %u
        path = /data/usr1/%S
        force group = magellium
        read only = No
        browseable = No
When I try to connect from a Windows ou Linux workstation like this :
[rct at pc029-linux ~]$ smbclient //myserver/rct_test -U rct_test -W mydomain
Enter rct_test's password:
session setup failed: NT_STATUS_LOGON_FAILURE

I can see the following log in the fileserver :
[2014/07/25 17:50:49.528667,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [MYDOMAIN]\[rct_test]@[PC029-LINUX] with the new password interface
[2014/07/25 17:50:49.528704,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  mapped user is: [MYDOMAIN]\[rct_test]@[PC029-LINUX]
[2014/07/25 17:50:49.532990,  3] auth/auth_util.c:1125(check_account)
  Failed to find authenticated user MYDOMAIN\rct_test via getpwnam(), denying access.
[2014/07/25 17:50:49.533029,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [rct_test] -> [rct_test] FAILED with error NT_STATUS_NO_SUCH_USER
[2014/07/25 17:50:49.533075,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2014/07/25 17:50:49.533478,  3] smbd/server_exit.c:181(exit_server_common)
  Server exit (failed to receive smb request)

If I manually execute the add user script the user will be ok to access all the shares he can.

More information about the samba mailing list