[Samba] add machine script not running




Hi.

I'm running samba 3.6.3 (on Ubuntu 12.04). This server is acting as an old style NT4 domain using samba as backend. Machine accounts are created using a script, called by samba (add machine script). Everything is working great.

Now, I want to keep the same thing, but on Ubuntu 16.04, so with samba 4.3.11. Mostly everything is working as expected, except that smbd doesn't execute the add machine script. Instead, it tries to create the machine directly (but not with the correct objectClass; I want to have full control over this part, and just let samba add the sambaSamAccount objectClass and related stuff).

In my logs, even with quite high debug level, I can see the param is correctly read:

[...]
doing parameter add machine script = /usr/local/bin/addworkstation.pl %u
[...]

But the script is not executed. Instead, when samba sees the account doesn't already exist in LDAP, it tries to create it, which is failing (because my ACL in OpenLDAP does not allow it).

See my logs attached.

Why doesn't samba execute my add machine script at this point, instead of trying to create it on its own?

Cheers,
Daniel


--
Daniel Berteaud
FIREWALL-SERVICES SAS.
Société de Services en Logiciels Libres
Tel : 05 56 64 15 32
Visio: https://vroom.fws.fr/dani
Web : http://www.firewall-services.com

[2017/11/15 15:46:35.243257,  5] ../source3/lib/smbldap.c:1249(smbldap_search_ext)
  smbldap_search_ext: base => [dc=fws,dc=fr], filter => [(&(objectClass=sambaGroupMapping)(|(displayName=PROTOWINXP$)(cn=PROTOWINXP$)))], scope => [2]
[2017/11/15 15:46:35.243639,  4] ../source3/passdb/pdb_ldap.c:2437(ldapsam_getgroup)
  ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(|(displayName=PROTOWINXP$)(cn=PROTOWINXP$)))
[2017/11/15 15:46:35.243674,  4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2017/11/15 15:46:35.243699,  4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
  pop_sec_ctx (1168, 513) - sec_ctx_stack_ndx = 1
[2017/11/15 15:46:35.243719,  5] ../source3/rpc_server/samr/srv_samr_nt.c:3708(_samr_CreateUser2)
  _samr_CreateUser2: testfws can add this account : True
[2017/11/15 15:46:35.243812,  4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
  push_sec_ctx(1168, 513) : sec_ctx_stack_ndx = 2
[2017/11/15 15:46:35.243843,  4] ../source3/smbd/uid.c:491(push_conn_ctx)
  push_conn_ctx(48424) : conn_ctx_stack_ndx = 0
[2017/11/15 15:46:35.243859,  4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2017/11/15 15:46:35.243879,  5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2017/11/15 15:46:35.243899,  5] ../source3/auth/token_util.c:639(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2017/11/15 15:46:35.243936,  5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user PROTOWINXP$
[2017/11/15 15:46:35.243953,  5] ../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is protowinxp$
[2017/11/15 15:46:35.244492,  5] ../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [PROTOWINXP$]!
[2017/11/15 15:46:35.244534,  2] ../source3/passdb/pdb_ldap_util.c:280(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=FWS))]
[2017/11/15 15:46:35.244552,  5] ../source3/lib/smbldap.c:1249(smbldap_search_ext)
  smbldap_search_ext: base => [dc=fws,dc=fr], filter => [(&(objectClass=sambaDomain)(sambaDomainName=FWS))], scope => [2]
[2017/11/15 15:46:35.245051,  5] ../source3/lib/smbldap.c:1435(smbldap_modify)
  smbldap_modify: dn => [sambaDomainName=FWS,dc=fws,dc=fr]
[2017/11/15 15:46:35.246322,  5] ../source3/lib/smbldap.c:1249(smbldap_search_ext)
  smbldap_search_ext: base => [dc=fws,dc=fr], filter => [(&(uid=PROTOWINXP$)(objectclass=sambaSamAccount))], scope => [2]
[2017/11/15 15:46:35.246662,  5] ../source3/lib/smbldap.c:1249(smbldap_search_ext)
  smbldap_search_ext: base => [dc=fws,dc=fr], filter => [(&(sambaSID=S-1-5-21-2231268933-358037163-304309857-1179)(objectclass=sambaSamAccount))], scope => [2]
[2017/11/15 15:46:35.247024,  5] ../source3/lib/smbldap.c:1249(smbldap_search_ext)
  smbldap_search_ext: base => [dc=fws,dc=fr], filter => [(uid=PROTOWINXP$)], scope => [2]
  smbldap_search_ext: base => [dc=fws,dc=fr], filter => [(&(sambaSID=S-1-5-21-2231268933-358037163-304309857-1179)(|(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))], scope => [2]
[2017/11/15 15:46:35.247634,  3] ../source3/passdb/pdb_ldap.c:2190(ldapsam_add_sam_account)
  ldapsam_add_sam_account: Adding new user
[2017/11/15 15:46:35.247667,  2] ../source3/passdb/pdb_ldap.c:1138(init_ldap_from_sam)
  init_ldap_from_sam: Setting entry for user: PROTOWINXP$
[2017/11/15 15:46:35.247702,  5] ../source3/lib/smbldap.c:1485(smbldap_add)
  smbldap_add: dn => [uid=PROTOWINXP$,ou=workstations,ou=systems,dc=fws,dc=fr]
[2017/11/15 15:46:35.248083,  0] ../source3/passdb/pdb_ldap.c:2243(ldapsam_add_sam_account)
  ldapsam_add_sam_account: failed to modify/add user with uid = PROTOWINXP$ (dn = uid=PROTOWINXP$,ou=workstations,ou=systems,dc=fws,dc=fr)
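
The attached log can be reduced to the few records that show what smbd did with the machine account. The following is an added example, not part of the original post or of Samba: it parses the debug-log format shown above and orders those events for one account. `SAMPLE` is an excerpt of the attached log, the function and event names are illustrative, and `script_bypassed` assumes that Samba's default create-user path runs the add machine script only when the Unix account lookup fails.

```python
import re

# Samba debug header: "[date time,  level] source-file:line(function)"
HEADER = re.compile(r"^\[(\S+ \S+),\s+(\d+)\] (\S+):(\d+)\((\w+)\)$")

# (logging function, message substring, event name); strings taken from the log above
RULES = [
    ("Get_Pwnam_internals", "did find user [{acct}]", "unix_account_found"),
    ("smbldap_add", "dn => [uid={acct},", "ldap_add_attempted"),
    ("ldapsam_add_sam_account", "failed to modify/add user with uid = {acct}",
     "ldap_add_failed"),
]

def parse_records(text):
    """Attach each indented message line to the header that precedes it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"time": m[1], "level": int(m[2]), "func": m[5], "msg": ""})
        elif line.startswith("  ") and records:
            records[-1]["msg"] += line.strip() + "\n"
    return records

def timeline(text, acct):
    """Ordered (time, event) pairs smbd logged while handling acct."""
    events = []
    for rec in parse_records(text):
        for func, needle, name in RULES:
            if rec["func"] == func and needle.format(acct=acct) in rec["msg"]:
                events.append((rec["time"], name))
    return events

def script_bypassed(text, acct):
    """True when the Unix lookup succeeded and smbd then added the entry itself."""
    # Assumption: the add machine script is only invoked when that lookup fails.
    names = [n for _, n in timeline(text, acct)]
    return ("unix_account_found" in names and "ldap_add_attempted" in names
            and names.index("unix_account_found") < names.index("ldap_add_attempted"))

# Excerpt of the log attached to the message above
SAMPLE = """\
[2017/11/15 15:46:35.244492,  5] ../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [PROTOWINXP$]!
[2017/11/15 15:46:35.247702,  5] ../source3/lib/smbldap.c:1485(smbldap_add)
  smbldap_add: dn => [uid=PROTOWINXP$,ou=workstations,ou=systems,dc=fws,dc=fr]
[2017/11/15 15:46:35.248083,  0] ../source3/passdb/pdb_ldap.c:2243(ldapsam_add_sam_account)
  ldapsam_add_sam_account: failed to modify/add user with uid = PROTOWINXP$ (dn = uid=PROTOWINXP$,ou=workstations,ou=systems,dc=fws,dc=fr)
"""
```

Running `timeline(SAMPLE, "PROTOWINXP$")` on a full log gives the order in which the Unix lookup, the LDAP add and its failure were recorded, which is the sequence to compare between the 3.6.3 and 4.3.11 servers.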