murrah boswell wrote:

The add user script I use is "/usr/sbin/useradd -g users %u". The script should only add one user at a time as far as I know. Here is what the SWAT documentation has to say about it:

 >>>>>>>>>>>>>>
add user script (G)
This is the full pathname to a script that will be run AS ROOT by smbd(8) <http://whenim64:901/swat/help/manpages/smbd.8.html> under special circumstances described below.

   Normally, a Samba server requires that UNIX users are created for
   all users accessing files on this server. For sites that use Windows
   NT account databases as their primary user database creating these
   users and keeping the user list in sync with the Windows NT PDC is
   an onerous task. This option allows smbd to create the required UNIX
   users ON DEMAND when a user accesses the Samba server.

I guess I completely misunderstood the functionality of the "add user script" option. Teach me to RTFM.

   When the Windows user attempts to access the Samba server, at login
   (session setup in the SMB protocol) time, smbd(8)
   <http://whenim64:901/swat/help/manpages/smbd.8.html> contacts the
   password server
<http://whenim64:901/swat/help/manpages/smb.conf.5.html#PASSWORDSERVER>
   and attempts to authenticate the given user with the given password.
   If the authentication succeeds then smbd attempts to find a UNIX
   user in the UNIX password database to map the Windows user into. If

I see here, and in the smb.conf man pages now, that I need to set up a password server for this to work. But I believe there are other issues I need to resolve for my project.

My objective is to have a LTSP (Linux Terminal Server Project utilizing https://fedorahosted.org/k12linux/wiki/LiveServer) server/client environment in a school system where students can boot off of a USB stick or CD from any workstation or laptop and access group specific samba shares in the environment. Ideally they would be able to access the shares from the on-site school environment and from home (or off-site).

I still have tons of homework to do on this project, but I do thank you for pointing me to clarification on the "add user script" option.

One of my thoughts here is to allow a user on an unknown machine to request that their machine be allowed to create a trusted machine account after their username/password has been authenticated and they respond to an email sent to their email address on record. Does this make sense or am I adding too much complexity to the project?
The way Windows operates is that machine accounts need a user with Domain Administration privileges to add the machine. This could be done by the user requesting access somehow and then using the e-mail reply to trigger a script running on a Domain Controller to add the machine account.

However, the user can't log in with their domain account until the machine they are on is added to the domain. This makes your idea difficult to implement. One possibility would be setting up a web interface on a Domain Controller, letting the user authenticate to it (against the samba passwords) and having that send the e-mails for them to reply to.

It sounds like it may be doable but it will be complicated.

Regards,
Murrah Boswell

   this lookup fails, and add user script
<http://whenim64:901/swat/help/manpages/smb.conf.5.html#ADDUSERSCRIPT>
   is set then smbd will call the specified script AS ROOT,
   expanding any %u argument to be the user name to create.

   If this script successfully creates the user then smbd will
   continue on as though the UNIX user already existed. In this way,
   UNIX users are dynamically created to match existing Windows NT
   accounts.

   See also security
   <http://whenim64:901/swat/help/manpages/smb.conf.5.html#SECURITY>,
   password server
<http://whenim64:901/swat/help/manpages/smb.conf.5.html#PASSWORDSERVER>,
   delete user script
<http://whenim64:901/swat/help/manpages/smb.conf.5.html#DELETEUSERSCRIPT>.


   Default: add user script =

   Example: add user script = /usr/local/samba/bin/add_user %u

<<<<<<<<<<<<<<<<<

Note that the script is not intended to add multiple users nor set their passwords. It is supposed to add a single Unix user only.
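As an added example (not from this thread or from Samba itself), a wrapper that could be installed at an assumed path such as /usr/local/sbin/smb_adduser and referenced as `add user script = /usr/local/sbin/smb_adduser %u`. Because smbd runs the script as root with %u expanded to the Windows user name, the wrapper checks that name before handing it to useradd, creates exactly one account, and leaves it with no password and no login shell.

```shell
#!/bin/sh
# Example wrapper for Samba's "add user script" (added example, not the
# thread's or Samba's own code). smbd invokes it AS ROOT with a single
# argument: the Windows user name substituted for %u.

# valid_user_name NAME
# Accept only a plain lowercase POSIX-style user name: no empty string,
# no leading dash (would be read as a useradd option), no shell
# metacharacters or whitespace, at most 32 characters.
valid_user_name() {
    case "$1" in
        '' | -* | *[!a-z0-9_.-]* ) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# add_one_user NAME [USERADD_CMD]
# Create exactly one Unix user for NAME, as the man page expects.
# USERADD_CMD defaults to /usr/sbin/useradd and exists so the logic can be
# exercised without actually creating accounts.
add_one_user() {
    name=$1
    useradd_cmd=${2:-/usr/sbin/useradd}

    if ! valid_user_name "$name"; then
        echo "smb_adduser: refusing user name: $name" >&2
        return 1
    fi
    # Already present: nothing to do, smbd will find the user and continue.
    if getent passwd "$name" >/dev/null 2>&1; then
        return 0
    fi
    # -g users matches the group used in the thread; -s nologin denies an
    # interactive shell; no password is set, so the account is usable
    # only through Samba's own authentication.
    "$useradd_cmd" -g users -s /usr/sbin/nologin -m "$name"
}

# smbd passes the expanded %u as the only argument.
if [ "$#" -eq 1 ]; then
    add_one_user "$1"
fi
```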