Bug 10029 - Macro substitution for 'Logon Script' does not work anymore
Macro substitution for 'Logon Script' does not work anymore
Status: NEW
Product: Samba 3.6
Classification: Unclassified
Component: Domain Control
3.6.16
All All
: P5 critical
: ---
Assigned To: Guenther Deschner
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-07-17 16:40 UTC by Thomas Bork
Modified: 2013-08-04 19:40 UTC (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Bork 2013-07-17 16:40:19 UTC
Hallo,

I need some help:
Upgrading from 3.5 to 3.6 with a change from passdb backend smbpasswd to tdbsam the macro substitutions for 'Logon Script' does not work anymore.

Samba 3.5.20 as PDC, in smb.conf following definition:

logon script = %u.bat %g %m

This allowed cascading batch files for user.bat, group.bat and machine.bat.
pdbedit shows, that the macros for user and group are expanded (machine cannot be expanded locally):

test # pdbedit -Lvw
---------------
Unix username:        root
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-747218240-736168617-286591561-1000
Primary Group SID:    S-1-5-21-747218240-736168617-286591561-512
Full Name:            root
Home Directory:       \\test\root
HomeDir Drive:        x:
Logon Script:         root.bat root
                      =============
Profile Path:         \\test\root\profile
Domain:               TESTD
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Wed, 17 Jul 2013 19:58:35 CEST
Password can change:  Wed, 17 Jul 2013 19:58:35 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username:        tb
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-747218240-736168617-286591561-5002
Primary Group SID:    S-1-5-21-747218240-736168617-286591561-513
Full Name:            tb
Home Directory:       \\test\tb
HomeDir Drive:        x:
Logon Script:         tb.bat users
                      ============
Profile Path:         \\test\tb\profile
Domain:               TESTD
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Wed, 17 Jul 2013 19:58:44 CEST
Password can change:  Wed, 17 Jul 2013 19:58:44 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username:        win7$
NT username:
Account Flags:        [W          ]
User SID:             S-1-5-21-747218240-736168617-286591561-5008
Primary Group SID:    S-1-5-21-747218240-736168617-286591561-515
Full Name:            machine_account
Home Directory:
HomeDir Drive:        (null)
Logon Script:
Profile Path:
Domain:               TESTD
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Wed, 17 Jul 2013 20:02:40 CEST
Password can change:  Wed, 17 Jul 2013 20:02:40 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF


With 3.6.16 pdbedit shows, that are the macros are not expanded anymore and yes, no logon script is running anymore in the domain :(

test # pdbedit -Lvw
---------------
Unix username:        root
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-747218240-736168617-286591561-1000
Primary Group SID:    S-1-5-21-747218240-736168617-286591561-512
Full Name:            root
Home Directory:       \\test\root
HomeDir Drive:        x:
Logon Script:         %u.bat %g
Profile Path:         \\test\root\profile
Domain:               TESTD
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Wed, 17 Jul 2013 19:58:35 CEST
Password can change:  Wed, 17 Jul 2013 19:58:35 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username:        tb
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-747218240-736168617-286591561-5002
Primary Group SID:    S-1-5-21-747218240-736168617-286591561-513
Full Name:            tb
Home Directory:       \\test\tb
HomeDir Drive:        x:
Logon Script:         %u.bat %g
Profile Path:         \\test\tb\profile
Domain:               TESTD
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Wed, 17 Jul 2013 19:58:44 CEST
Password can change:  Wed, 17 Jul 2013 19:58:44 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username:        win7$
NT username:
Account Flags:        [W          ]
User SID:             S-1-5-21-747218240-736168617-286591561-5008
Primary Group SID:    S-1-5-21-747218240-736168617-286591561-515
Full Name:            machine_account
Home Directory:       \\test\win7_
HomeDir Drive:        x:
Logon Script:         %u.bat %g
Profile Path:         \\test\win7_\profile
Domain:               TESTD
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Wed, 17 Jul 2013 20:02:40 CEST
Password can change:  Wed, 17 Jul 2013 20:02:40 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF


Imagine a real big domain with a lot of users:
You have to edit 'Logon Script' for each user now with pdbedit :(

There were no definitions for that in smbpasswd from 3.5.20 (the old flat file cannot store this) and there are no informations for that in the new tdbsam with 3.6.16:


test # tdbdump /etc/passdb.tdb
{
key(13) = "RID_000003e8\00"
data(5) = "root\00"
}
{
key(8) = "USER_tb\00"
data(199) = "\00\00\00\00\FF\FF\FF\7F\FF\FF\FF\7F\00\00\00\00T\DB\E6QT\DB\E6Q\FF\FF\FF\7F\03\00\00\00tb\00\06\00\00\00TESTD\00\01\00\00\00\00\03\00\00\00tb\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00\8A\13\00\00\01\02\00\00\10\00\00\00\E9U\9Bm\E3\98/\01\AA\D3\B45\B5\14\04\EE\10\00\00\00e\0F\FDu\93\FE\8CH4\1B<\EA\1B\EE\CA\92\00\00\00\00\10\00\00\00\A8\00\15\00\00\00 \00\00\00\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\EC\04\00\00"
}
{
key(19) = "INFO/minor_version\00"
data(4) = "\00\00\00\00"
}
{
key(9) = "NEXT_RID\00"
data(4) = "\EA\03\00\00"
}
{
key(13) = "RID_0000138a\00"
data(3) = "tb\00"
}
{
key(13) = "INFO/version\00"
data(4) = "\04\00\00\00"
}
{
key(10) = "USER_root\00"
data(203) = "\00\00\00\00\FF\FF\FF\7F\FF\FF\FF\7F\00\00\00\00K\DB\E6QK\DB\E6Q\FF\FF\FF\7F\05\00\00\00root\00\06\00\00\00TESTD\00\01\00\00\00\00\05\00\00\00root\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00\E8\03\00\00\00\02\00\00\10\00\00\00\C2&[#sN\0D\AC\AA\D3\B45\B5\14\04\EE\10\00\00\00i\94<^c\B4\D2\C1\04\DB\BC\C1Q8\B7+\00\00\00\00\10\00\00\00\A8\00\15\00\00\00 \00\00\00\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\EC\04\00\00"
}
{
key(11) = "USER_win7$\00"
data(199) = "\00\00\00\00\FF\FF\FF\7F\FF\FF\FF\7F\00\00\00\00@\DC\E6Q@\DC\E6Q\FF\FF\FF\7F\06\00\00\00win7$\00\06\00\00\00TESTD\00\01\00\00\00\00\10\00\00\00machine_account\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00\90\13\00\00\03\02\00\00\00\00\00\00\10\00\00\00a\E1\0E\F9\07Io\F6\07\E3\C1(d8\15\A9\00\00\00\00\80\00\00\00\A8\00\15\00\00\00 \00\00\00\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\EC\04\00\00"
}
{
key(13) = "RID_00001390\00"
data(6) = "win7$\00"
}


Thats why the information comes from smb.conf but the macro definitions are not expanded anymore.

What can I do? I want to change the outdated Samba version 3.5.x for our users from eisfair.org to 3.6.x, but this is a show stopper for me.

der tom
Comment 1 Thomas Bork 2013-07-17 17:40:42 UTC
Am 17.07.2013 18:40, samba-bugs@samba.org wrote:

> Upgrading from 3.5 to 3.6 with a change from passdb backend smbpasswd to tdbsam
> the macro substitutions for 'Logon Script' does not work anymore.

This must have something to do with the passdb backend tdbsam.
If switching back to smbpasswd as backend, macros are expanded:

passdb backend = smbpasswd

test # cat /etc/smbpasswd
root:0:C2265B23734E0DACAAD3B435B51404EE:69943C5E63B4D2C104DBBCC15138B72B:[U 
          ]:LCT-51E6DB4B:
tb:2001:E9559B6DE3982F01AAD3B435B51404EE:650FFD7593FE8C48341B3CEA1BEECA92:[U 
          ]:LCT-51E6DB54:
WIN7$:2004:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:61E10EF907496FF607E3C128643815A9:[W 
          ]:LCT-51E6DC40:
test # pdbedit -Lvw
---------------
Unix username:        root
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-747218240-736168617-286591561-1000
Primary Group SID:    S-1-5-21-747218240-736168617-286591561-512
Full Name:            root
Home Directory:       \\test\root
HomeDir Drive:        x:
Logon Script:         root.bat root
Profile Path:         \\test\root\profile
Domain:               TESTD
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Wed, 17 Jul 2013 19:58:35 CEST
Password can change:  Wed, 17 Jul 2013 19:58:35 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username:        tb
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-747218240-736168617-286591561-5002
Primary Group SID:    S-1-5-21-747218240-736168617-286591561-513
Full Name:            tb
Home Directory:       \\test\tb
HomeDir Drive:        x:
Logon Script:         tb.bat users
Profile Path:         \\test\tb\profile
Domain:               TESTD
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Wed, 17 Jul 2013 19:58:44 CEST
Password can change:  Wed, 17 Jul 2013 19:58:44 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username:        win7$
NT username:
Account Flags:        [W          ]
User SID:             S-1-5-21-747218240-736168617-286591561-5008
Primary Group SID:    S-1-5-21-747218240-736168617-286591561-515
Full Name:            machine_account
Home Directory:
HomeDir Drive:        (null)
Logon Script:
Profile Path:
Domain:               TESTD
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Wed, 17 Jul 2013 20:02:40 CEST
Password can change:  Wed, 17 Jul 2013 20:02:40 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF


The question is now:
Why tdbsam is not honoring macros?
Comment 2 Thomas Bork 2013-07-18 08:26:05 UTC
Am 17.07.2013 19:40, schrieb samba-bugs@samba.org:

> The question is now:
> Why tdbsam is not honoring macros?

The question is in fact:

Why tdbsam is not honoring the lower case macros %u and %g (which 
smbpasswd is honoring)?

My tests showing:

If setting

logon script = %U.bat %G %m

(%u and %g upper case, %m lower case), then the macros are processed 
with tdbsam as passdb backend:

test # pdbedit -Lvw
---------------
Unix username:        root
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-747218240-736168617-286591561-1000
Primary Group SID:    S-1-5-21-747218240-736168617-286591561-512
Full Name:            root
Home Directory:       \\test\root
HomeDir Drive:        x:
Logon Script:         root.bat root
Profile Path:         \\test\root\profile
Domain:               TESTD
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Wed, 17 Jul 2013 19:58:35 CEST
Password can change:  Wed, 17 Jul 2013 19:58:35 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username:        tb
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-747218240-736168617-286591561-5002
Primary Group SID:    S-1-5-21-747218240-736168617-286591561-513
Full Name:            tb
Home Directory:       \\test\tb
HomeDir Drive:        x:
Logon Script:         tb.bat users
Profile Path:         \\test\tb\profile
Domain:               TESTD
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Wed, 17 Jul 2013 19:58:44 CEST
Password can change:  Wed, 17 Jul 2013 19:58:44 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username:        win7$
NT username:
Account Flags:        [W          ]
User SID:             S-1-5-21-747218240-736168617-286591561-5008
Primary Group SID:    S-1-5-21-747218240-736168617-286591561-515
Full Name:            machine_account
Home Directory:       \\test\win7_
HomeDir Drive:        x:
Logon Script:         win7_.bat machines
Profile Path:         \\test\win7_\profile
Domain:               TESTD
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Wed, 17 Jul 2013 20:02:40 CEST
Password can change:  Wed, 17 Jul 2013 20:02:40 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF


But the lower case und upper case macros are not the same. From

http://www.samba.org/samba/docs/man/manpages/smb.conf.5.html

upper case:
===========
%U
session username (the username that the client wanted, not necessarily 
the same as the one they got).

%G
primary group name of %U.


lower case:
===========
%u
username of the current service, if any.

%g
primary group name of %u.


I don't understand, why there is such a difference with the passdb 
backends smbpasswd and tdbsam. This makes a switch to tdbsam with 
existing smb.conf files impossible.
Comment 3 Thomas Bork 2013-07-19 17:47:54 UTC
The problem with %U is (and _thats why_ we used %u with passdb backend 
smbpasswd and want to do this also with tdbsam):

If you have a lot of mapped users (you know, Windows users tend to 
create Windows login names with spaces in it), Samba is a PDC and you 
are excessively working with logon scripts, then you have the problem, 
that your login scripts are not running anymore, because a mapped user

'Jim Knopf' (Windows name) -> jim (Unix name)

has to have a login script jim.bat with smbpasswd and %u (no problem) 
and a login script Jim Knopf.bat with tdbsam and %U.

If switching now to tdbsam for every mapped user such a login script 
does not exist (the existing script is jim.bat) and if such a login 
script _would_ exist, it could not run because it had a space in the name.

If I were a C programmer, I could change the code myself. I searched a 
lot and found in source3/passdb/passdb.c some lines like this:

         if (logon_script) {
                 fstrcpy( tmp_string, logon_script );
                 if (expand_explicit) {
                         standard_sub_basic( username, domain, tmp_string,
                                             sizeof(tmp_string) );
                 }
                 pdb_set_logon_script(sampass, tmp_string, PDB_SET);
         }
         else {
                 pdb_set_logon_script(sampass,
                         talloc_sub_basic(sampass, username, domain,
                                          lp_logon_script()),
                         PDB_DEFAULT);
         }

I found out, that standard_sub_basic is using talloc_sub_basic. 
talloc_sub_basic does not honor %u (substitute.c).

There is a function talloc_sub_specified in substitute.c, which honors 
%u and %U, %g and %G and so on.

Can I use this function in passdb.c and how? Thank you for your help.
Comment 4 Christian Ambach 2013-07-22 21:49:57 UTC
The smbpasswd leaves the filling of the logon script and so on to a generic function of passdb, while tdbsam uses its own unmarshalling routines that do things slightly differently.

As you already figured out, there is a difference in the usage of the substitution functions

In case of smbpasswd, the following is used:
                pdb_set_logon_script(user, talloc_sub_specified(user, 
                        lp_logon_script(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid), 
                        PDB_DEFAULT);

while tdbsam uses this:
        if (logon_script) {                                        
                fstrcpy( tmp_string, logon_script );
                if (expand_explicit) {                             
                        standard_sub_basic( username, domain, tmp_string,
                                            sizeof(tmp_string) );
                }                                                  
                pdb_set_logon_script(sampass, tmp_string, PDB_SET);
        }
        else {               
                pdb_set_logon_script(sampass,                      
                        talloc_sub_basic(sampass, username, domain,
                                         lp_logon_script()),
                        PDB_DEFAULT);                              
        }
 
So that part would need to be adopted to talloc_sub_specified, but from a quick glance I am not sure if the additional parameters that talloc_sub_specified needs will be available at this spot or not.
Comment 5 Thomas Bork 2013-07-23 17:41:24 UTC
Am 22.07.2013 23:49, schrieb samba-bugs@samba.org:

> So that part would need to be adopted to talloc_sub_specified, but from a quick
> glance I am not sure if the additional parameters that talloc_sub_specified
> needs will be available at this spot or not.

Thank you for trying to help me. But I don't understand C and cannot 
make this work :(
Comment 6 Christian Ambach 2013-07-25 20:59:58 UTC
I did not expect you to be able to fix it, it was more meant to be a quick comment why this does not work with the tdbsam backend.
After looking a bit more deeper into the code, it will probably not be an easy task to make it work for this backend so there will be probably no fix available in the near future.
Could you stick with the smbpasswd backend for a while until this gets fixed? This should still be configurable in 3.6, although the defaults have changed.
Comment 7 Christian Ambach 2013-07-25 21:10:20 UTC
BTW: as listed in smb.conf, logon path only takes the *standard substitutions*. %u and %g are not in that list, only %U and %G. According to your previous post, those are working for you.
So although it worked with the smbpasswd backend, it does not work with pdb_tdb and pdb_ldap (while it will probably work in the domain member case with winbind).

So according to the docs, everything is fine. But I suspect that this will not help you.
Comment 8 Thomas Bork 2013-07-25 21:36:15 UTC
Am 25.07.2013 23:00, schrieb samba-bugs@samba.org:

> Could you stick with the smbpasswd backend for a while until this gets fixed?
> This should still be configurable in 3.6, although the defaults have changed.

Yes, I will do so. I don't want to break existing configurations with 
the switch to tdbsam - thats why I asked for help here.
Comment 9 Thomas Bork 2013-07-25 21:45:02 UTC
Am 25.07.2013 23:10, schrieb samba-bugs@samba.org:

> BTW: as listed in smb.conf, logon path only takes the *standard substitutions*.

That's not true for smbpasswd ;)

> %u and %g are not in that list, only %U and %G. According to your previous
> post, those are working for you.
> So although it worked with the smbpasswd backend, it does not work with pdb_tdb
> and pdb_ldap (while it will probably work in the domain member case with
> winbind).
>
> So according to the docs, everything is fine. But I suspect that this will not
> help you.

No, sorry, this do not help. In

https://bugzilla.samba.org/show_bug.cgi?id=10029#c3

I described, why this is not the case.