[Samba] winbind for nsswitch, without AD membership
Rowland Penny
rpenny at samba.org
Thu Feb 2 11:55:50 UTC 2023
On 02/02/2023 11:23, cYuSeDfZfb cYuSeDfZfb via samba wrote:
> Hi,
>
> Thanks for the useful parameter. I implemented it in my samba config,
> but the script is never called from samba, instead the logon is denied
> with NT_STATUS_NO_SUCH_USER. See the following level 3 log:
>
> [2023/02/02 12:13:41.266823, 3]
> ../../source3/auth/auth.c:201(auth_check_ntlm_password)
> check_ntlm_password: Checking password for unmapped user
> []\[rear-user]@[test02rear-client] with the new password interface
> [2023/02/02 12:13:41.266847, 3]
> ../../source3/auth/auth.c:204(auth_check_ntlm_password)
> check_ntlm_password: mapped user is: []\[rear-user]@[test02rear-client]
> [2023/02/02 12:13:41.268869, 0]
> ../../source3/passdb/lookup_sid.c:1642(get_primary_group_sid)
> Failed to find a Unix account for rear-user
> [2023/02/02 12:13:41.271242, 1]
> ../../source3/auth/server_info_sam.c:77(make_server_info_sam)
> User rear-user in passdb, but getpwnam() fails!
> [2023/02/02 12:13:41.271293, 0]
> ../../source3/auth/check_samsec.c:493(check_sam_security)
> check_sam_security: make_server_info_sam() failed with
> 'NT_STATUS_NO_SUCH_USER'
> [2023/02/02 12:13:41.271647, 2]
> ../../source3/auth/auth.c:345(auth_check_ntlm_password)
> check_ntlm_password: Authentication for user [rear-user] ->
> [rear-user] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
>
> After I recreate the linux user it all works again.
>
> Here is the relevant part of my smb.conf:
>
> [global]
> workgroup = SAMBA
> security = user
> passdb backend = tdbsam
> printing = cups
> printcap name = cups
> load printers = yes
> cups options = raw
> debug level = 3
> log file = /var/log/samba/log.%m
> max log size = 50
> idmap config * : backend = autorid
> # to create local linux users, after the samba user authenticated successfully:
> add user script = /rear/add_user.sh %u
>
> I have confirmed the validity of the script itself (running it as root
> with a parameter for username, and the location is correct)
>
> This is on RHEL9, with its stock 4.16.4.
>
> Is anything else needed to make samba actually run that script?
>
I honestly didn't think that was going to work, but I had to go out and
was unable to reply until now.
From what I understood and confirmed by checking in 'man smb.conf', the
Samba user would have to exist first and then the Unix user would be
created:
    This option allows smbd to create the required UNIX users ON DEMAND
    when a user accesses the Samba server.

    When the Windows user attempts to access the Samba server, at login
    (session setup in the SMB protocol) time, smbd(8) contacts the
    password server and attempts to authenticate the given user with the
    given password. If the authentication succeeds then smbd attempts to
    find a UNIX user in the UNIX password database to map the Windows
    user into. If this lookup fails, and add user script is set then smbd
    will call the specified script AS ROOT, expanding any %u argument to
    be the user name to create.
So a bit of a chicken-and-egg situation here: if the Samba user exists
and the Unix user doesn't, smbd can create the Unix user, but, on a
standalone server, smbpasswd requires the Unix user before it can create
the Samba user, or am I missing something?
Rowland
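As an added illustration of the add user script hook discussed in this thread (this is not the poster's /rear/add_user.sh, whose contents are not shown, nor Samba's own code): a hypothetical script that validates the name smbd hands it via %u before creating a shell-less Unix account. The validation matters because, as the man page text above says, the script runs AS ROOT with a user name supplied at session setup time, so it should only act on names it would accept from anyone.

```shell
#!/bin/sh
# Hypothetical add user script (example, not from the original post):
#   add user script = /rear/add_user.sh %u
# smbd runs this as root when a passdb user authenticates but getpwnam()
# fails (the "User ... in passdb, but getpwnam() fails!" case in the log).

# Accept only a conservative POSIX-style user name: first character a
# letter or underscore, then letters, digits, underscore or hyphen,
# at most 32 characters. Anything else (empty, spaces, shell
# metacharacters, a DOMAIN\ prefix, a leading hyphen that could be
# parsed as an option) is rejected.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        [0-9-]*)             return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Create the Unix account that smbd needs for its lookup: no home
# directory, no login shell, no Unix password (the SMB password lives
# in the tdbsam passdb, not in /etc/shadow).
create_unix_user() {
    name="$1"
    if ! valid_username "$name"; then
        logger -t add_user "rejected user name from smbd"
        return 1
    fi
    if getent passwd "$name" >/dev/null; then
        return 0   # already present; nothing to do
    fi
    useradd --no-create-home --shell /usr/sbin/nologin "$name"
}

# Only act when smbd actually passed a name (no-op when sourced/tested).
if [ "$#" -ge 1 ]; then
    create_unix_user "$1"
fi
```

Reaching this script at all still requires the Samba user to exist in the passdb first, which is exactly the ordering problem raised in the reply above.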