[Samba] Add user script does not trigger

Harry Jede walk2sun at arcor.de
Thu Jul 31 10:26:08 MDT 2014


On 18:16:29 wrote Romain CABASSOT:
> Hi,
> 
> I have a Samba 3 PDC/BDC with an LDAP backend and a Samba 3 file
> server configured as domain member. All was working fine but now
> when we create a new domain user and this one tries to connect to the
> file server the add user script does not trigger anymore. I was
> trying to solve this problem but it seems I can't make it...
> 
> So here is my fileserver configuration :
> [global]
>         workgroup = MYDOMAIN
>         server string = MYSERVER
>         security = DOMAIN
>         map untrusted to domain = Yes
>         log level = 3
>         log file = /var/log/samba/%m.log
>         max log size = 50
>         name resolve order = wins host lmhosts bcast
>         server signing = auto
>         deadtime = 15
>         socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
>         load printers = No
>         printcap name = /dev/null
>         disable spoolss = Yes
>         show add printer wizard = No
>         add user script = /usr/sbin/useradd -g users -d /data/usr1/%u -m -s /bin/bash %u
>         delete user script = /usr/sbin/userdel %u
>         os level = 0
>         local master = No
>         domain master = No
>         dns proxy = No
>         idmap config * : backend = tdb
>         printing = bsd
>         print command = lpr -r -P'%p' %s
>         lpq command = lpq -P'%p'
>         lprm command = lprm -P'%p' %j
>         winbind enum users = yes
>         winbind enum groups = yes
>         # This parameter specifies the number of seconds that Winbind's idmap interface will cache positive SID/uid/gid query results.
>         # Default: idmap cache time = 604800 (one week)
>         # Here: 86400 (1 day)
>         idmap cache time = 86400
>         # This parameter specifies the number of seconds that Winbind's idmap interface will cache negative SID/uid/gid query results.
>         # Default: idmap negative cache time = 120
>         idmap negative cache time = 120
>         # This parameter specifies the number of seconds the winbindd(8) daemon will cache user and group information before querying a Windows NT server again.
>         # This does not apply to authentication requests, these are always evaluated in real time unless the winbind offline logon option has been enabled.
>         # Default: winbind cache time = 300
>         winbind cache time = 60
> 
> 
> [homes]
>         comment = Repertoire personnel de %u
>         path = /data/usr1/%S
>         force group = magellium
>         read only = No
>         browseable = No
> 
> When I try to connect from a Windows or Linux workstation like this:
> [rct@pc029-linux ~]$ smbclient //myserver/rct_test -U rct_test -W mydomain
> Enter rct_test's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
> 
> I can see the following log in the fileserver :
> [2014/07/25 17:50:49.528667,  3] auth/auth.c:219(check_ntlm_password)
>   check_ntlm_password:  Checking password for unmapped user [MYDOMAIN]\[rct_test]@[PC029-LINUX] with the new password interface
> [2014/07/25 17:50:49.528704,  3] auth/auth.c:222(check_ntlm_password)
>   check_ntlm_password:  mapped user is: [MYDOMAIN]\[rct_test]@[PC029-LINUX]
> [2014/07/25 17:50:49.532990,  3] auth/auth_util.c:1125(check_account)
>   Failed to find authenticated user MYDOMAIN\rct_test via getpwnam(), denying access.
> [2014/07/25 17:50:49.533029,  2] auth/auth.c:319(check_ntlm_password)
>   check_ntlm_password:  Authentication for user [rct_test] -> [rct_test] FAILED with error NT_STATUS_NO_SUCH_USER
> [2014/07/25 17:50:49.533075,  3] smbd/error.c:81(error_packet_set)
>   error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
> [2014/07/25 17:50:49.533478,  3] smbd/server_exit.c:181(exit_server_common)
>   Server exit (failed to receive smb request)
> 
> If I manually execute the add user script the user will be ok to
> access all the shares he can.

I assume you made two mistakes.

1. Your file server is a member of a domain. So the user database is on 
your PDC and you should not add users on your file server. Remove the 
"add user script" from the file server's smb.conf.

2. You use winbind on the fileserver to retrieve users & groups from 
your PDC. winbind handles spaces in names in a special way. Spaces are 
translated to underscores. Read man smb.conf for more info. Look at 
your log above for rct<space>test and rct<underscore>test.


-- 

Regards
	Harry Jede
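
Added example, not part of the original thread and not Samba code: a small Python parser for the level 3 smbd log format quoted above. It reports accounts that were authenticated but that getpwnam() could not resolve on the member server, the condition behind NT_STATUS_NO_SUCH_USER in this thread. The log excerpt is the one from the post, re-flowed to one header line per entry; the function names are hypothetical.

```python
import re
from collections import Counter

# Log excerpt from the post above, re-flowed to one header line per entry.
SAMPLE_LOG = r"""[2014/07/25 17:50:49.528667,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [MYDOMAIN]\[rct_test]@[PC029-LINUX] with the new password interface
[2014/07/25 17:50:49.528704,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  mapped user is: [MYDOMAIN]\[rct_test]@[PC029-LINUX]
[2014/07/25 17:50:49.532990,  3] auth/auth_util.c:1125(check_account)
  Failed to find authenticated user MYDOMAIN\rct_test via getpwnam(), denying access.
[2014/07/25 17:50:49.533029,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [rct_test] -> [rct_test] FAILED with error NT_STATUS_NO_SUCH_USER
[2014/07/25 17:50:49.533075,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2014/07/25 17:50:49.533478,  3] smbd/server_exit.c:181(exit_server_common)
  Server exit (failed to receive smb request)
"""

# Header: [timestamp, level] source:line(function), optional message on the same line.
HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:.]+),\s+(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?)\((?P<func>\w+)\)\s*(?P<rest>.*)$")
NO_UNIX_USER = re.compile(r"Failed to find authenticated user (\S+) via getpwnam\(\)")

def parse_entries(text):
    """Yield one dict per log entry; indented continuation lines join the message."""
    entry = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if entry:
                yield entry
            entry = m.groupdict()
            entry["msg"] = entry.pop("rest")
        elif entry and line.strip():
            entry["msg"] = (entry["msg"] + " " + line.strip()).strip()
    if entry:
        yield entry

def missing_unix_accounts(text):
    """Count authenticated users that check_account could not resolve via getpwnam()."""
    hits = Counter()
    for e in parse_entries(text):
        m = NO_UNIX_USER.search(e["msg"])
        if m and e["func"] == "check_account":
            hits[m.group(1)] += 1
    return hits

print(dict(missing_unix_accounts(SAMPLE_LOG)))
```

A name reported here failed the Unix account lookup on the member server after authentication, which separates this case from a wrong password.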

