[Samba] winbind for nsswitch, without AD membership

cYuSeDfZfb cYuSeDfZfb cyusedfzfb at gmail.com
Thu Feb 2 11:23:57 UTC 2023


Hi,

Thanks for the useful parameter. I implemented it in my samba config,
but the script is never called from samba; instead the logon is denied
with NT_STATUS_NO_SUCH_USER. See the following level 3 log:

[2023/02/02 12:13:41.266823,  3] ../../source3/auth/auth.c:201(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user []\[rear-user]@[test02rear-client] with the new password interface
[2023/02/02 12:13:41.266847,  3] ../../source3/auth/auth.c:204(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: []\[rear-user]@[test02rear-client]
[2023/02/02 12:13:41.268869,  0] ../../source3/passdb/lookup_sid.c:1642(get_primary_group_sid)
  Failed to find a Unix account for rear-user
[2023/02/02 12:13:41.271242,  1] ../../source3/auth/server_info_sam.c:77(make_server_info_sam)
  User rear-user in passdb, but getpwnam() fails!
[2023/02/02 12:13:41.271293,  0] ../../source3/auth/check_samsec.c:493(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
[2023/02/02 12:13:41.271647,  2] ../../source3/auth/auth.c:345(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [rear-user] -> [rear-user] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1

After I recreate the Linux user it all works again.

Here is the relevant part of my smb.conf:

[global]
        workgroup = SAMBA
        security = user
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw
        debug level = 3
        log file = /var/log/samba/log.%m
        max log size = 50
        idmap config * : backend = autorid
# to create local linux users, after the samba user authenticated successfully:
        add user script = /rear/add_user.sh %u

I have confirmed the validity of the script itself (running it as root
with a parameter for username, and the location is correct).

This is on RHEL9, with its stock 4.16.4.

Is anything else needed to make samba actually run that script?

MJ

On Thu, 2 Feb 2023 at 11:29, Ralph Boehme via samba
<samba at lists.samba.org> wrote:
>
> On 2/2/23 11:18, Rowland Penny via samba wrote:
> > On 02/02/2023 10:10, cYuSeDfZfb cYuSeDfZfb via samba wrote:
> >> My question: is it possible to use winbind with autorid & tdbsam (and
> >> security = user) to avoid the requirement to generate each user TWICE?
> >
> > No, ...
>
> there's the "add user script" option, I guess that should do what the OP
> wants.
>
> -slow
>
> --
> Ralph Boehme, Samba Team                 https://samba.org/
> SerNet Samba Team Lead      https://sernet.de/en/team-samba
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
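
An added example, not part of the original post or of Samba: a small Python parser that scans smbd log text for the state shown in the level 3 log above (an account that is in passdb while getpwnam() fails) and ties it to the failed logons that follow. The names records and passdb_without_unix_account are hypothetical, and SAMPLE_LOG is constructed from the log lines quoted in the post.

```python
import re

# Constructed sample: three records from the post's log, wrapped as in the mail.
SAMPLE_LOG = """\
[2023/02/02 12:13:41.268869,  0]
../../source3/passdb/lookup_sid.c:1642(get_primary_group_sid)
  Failed to find a Unix account for rear-user
[2023/02/02 12:13:41.271242,  1]
../../source3/auth/server_info_sam.c:77(make_server_info_sam)
  User rear-user in passdb, but getpwnam() fails!
[2023/02/02 12:13:41.271647,  2]
../../source3/auth/auth.c:345(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [rear-user] ->
[rear-user] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+(\d+)\]\s*(.*)$")
ORPHAN = re.compile(r"User (\S+) in passdb, but getpwnam\(\) fails!")
FAILED = re.compile(r"Authentication for user \[[^\]]*\]\s+->\s+\[([^\]]*)\]\s+"
                    r"FAILED with error (\w+)")

def records(text):
    """Yield (timestamp, level, location, message) for each log record."""
    cur = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if cur:
                yield cur[0], cur[1], cur[2], " ".join(cur[3])
            cur = [m.group(1), int(m.group(2)), m.group(3), []]
        elif cur is not None and line.strip():
            if not cur[2] and not cur[3] and not line.startswith(" "):
                cur[2] = line.strip()        # wrapped source location
            else:
                cur[3].append(line.strip())  # message or its wrapped tail
    if cur:
        yield cur[0], cur[1], cur[2], " ".join(cur[3])

def passdb_without_unix_account(text):
    """Map each passdb user lacking a Unix account to its failed logons."""
    found = {}
    for ts, _level, _loc, msg in records(text):
        m = ORPHAN.search(msg)
        if m:
            found.setdefault(m.group(1), {"first_seen": ts, "failures": []})
        m = FAILED.search(msg)
        if m and m.group(1) in found:
            found[m.group(1)]["failures"].append((ts, m.group(2)))
    return found
```

The same functions accept unwrapped log files, where the header and source location share one line.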


