[Samba] winbind for nsswitch, without AD membership

Rowland Penny rpenny at samba.org
Thu Feb 2 11:55:50 UTC 2023



On 02/02/2023 11:23, cYuSeDfZfb cYuSeDfZfb via samba wrote:
> Hi,
> 
> Thanks for the useful parameter. I implemented it in my samba config,
> but the script is never called from samba, instead the logon is denied
> with NT_STATUS_NO_SUCH_USER. See the following level 3 log:
> 
> [2023/02/02 12:13:41.266823,  3]
> ../../source3/auth/auth.c:201(auth_check_ntlm_password)
>    check_ntlm_password:  Checking password for unmapped user
> []\[rear-user]@[test02rear-client] with the new password interface
> [2023/02/02 12:13:41.266847,  3]
> ../../source3/auth/auth.c:204(auth_check_ntlm_password)
>    check_ntlm_password:  mapped user is: []\[rear-user]@[test02rear-client]
> [2023/02/02 12:13:41.268869,  0]
> ../../source3/passdb/lookup_sid.c:1642(get_primary_group_sid)
>    Failed to find a Unix account for rear-user
> [2023/02/02 12:13:41.271242,  1]
> ../../source3/auth/server_info_sam.c:77(make_server_info_sam)
>    User rear-user in passdb, but getpwnam() fails!
> [2023/02/02 12:13:41.271293,  0]
> ../../source3/auth/check_samsec.c:493(check_sam_security)
>    check_sam_security: make_server_info_sam() failed with
> 'NT_STATUS_NO_SUCH_USER'
> [2023/02/02 12:13:41.271647,  2]
> ../../source3/auth/auth.c:345(auth_check_ntlm_password)
>    check_ntlm_password:  Authentication for user [rear-user] ->
> [rear-user] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
> 
> After I recreate the linux user it all works again.
> 
> Here is the relevant part of my smb.conf:
> 
> [global]
>          workgroup = SAMBA
>          security = user
>          passdb backend = tdbsam
>          printing = cups
>          printcap name = cups
>          load printers = yes
>          cups options = raw
>          debug level = 3
>          log file = /var/log/samba/log.%m
>          max log size = 50
>          idmap config * : backend = autorid
> # to create local linux users, after the samba user authenticated successfully:
>          add user script = /rear/add_user.sh %u
> 
> I have confirmed the validity of the script itself (running it as root
> with a parameter for username, and the location is correct).
> 
> This is on RHEL9, with its stock 4.16.4.
> 
> Is anything else needed to make samba actually run that script?
> 

I honestly didn't think that was going to work, but I had to go out and 
was unable to reply until now.

From what I understood and confirmed by checking in 'man smb.conf', the 
Samba user would have to exist first and then the Unix user would be 
created:

    This option allows smbd to create the required UNIX users ON DEMAND 
    when a user accesses the Samba server.

    When the Windows user attempts to access the Samba server, at login 
    (session setup in the SMB protocol) time, smbd(8) contacts the 
    password server and attempts to authenticate the given user with the 
    given password. If the authentication succeeds then smbd attempts to 
    find a UNIX user in the UNIX password database to map the Windows 
    user into. If this lookup fails, and add user script is set then smbd 
    will call the specified script AS ROOT, expanding any %u argument to 
    be the user name to create.

So a bit of a chicken-and-egg situation here: if the Samba user exists 
and the Unix user doesn't, smbd can create the Unix user, but, on a 
standalone server, smbpasswd requires the Unix user before it can create 
the Samba user. Or am I missing something?

Rowland
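As an added illustration (not the poster's /rear/add_user.sh and not Samba project code), this is the shape of a script suitable for `add user script = ... %u`: since smbd runs it AS ROOT with %u expanded to whatever name the client presented, the script checks the name strictly and is idempotent before it touches the account database. It assumes a glibc system with `getent`, `useradd` and `/sbin/nologin`.

```shell
#!/bin/sh
# Illustrative "add user script" for smbd (assumed names and paths; not the
# poster's script). smbd invokes it as root with %u expanded, so the name is
# validated before it is handed to useradd.

# Accept only names a Unix account can legitimately carry: first character a
# lowercase letter or underscore, then letters, digits, underscore or hyphen,
# at most 32 characters. Everything else (empty, spaces, shell metacharacters,
# leading digit or hyphen) is rejected.
valid_username() {
    name=$1
    case $name in
        ''|*[!a-z0-9_-]*|[0-9-]*) return 1 ;;
    esac
    [ ${#name} -le 32 ]
}

# True when the Unix password database already knows the name (the same
# lookup smbd's getpwnam() performs).
unix_user_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

# Creates the account as a no-login user. Returns 0 on success or when the
# user already exists, 2 for a rejected name, useradd's status otherwise.
create_unix_user() {
    name=$1
    if ! valid_username "$name"; then
        echo "add_user: refusing invalid user name" >&2
        return 2
    fi
    if unix_user_exists "$name"; then
        return 0
    fi
    useradd --create-home --shell /sbin/nologin -- "$name"
}

# Entry point used by smbd: exactly one argument, the expanded %u.
if [ $# -eq 1 ]; then
    create_unix_user "$1"
fi
```

Because the entry point only runs when a single argument is passed, the functions can be sourced and exercised without creating accounts.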


