Hello, I need some help:

Upgrading from 3.5 to 3.6 with a change from passdb backend smbpasswd to tdbsam, the macro substitutions for 'Logon Script' do not work anymore.

Samba 3.5.20 as PDC, in smb.conf following definition:

logon script = %u.bat %g %m

This allowed cascading batch files for user.bat, group.bat and machine.bat.

pdbedit shows that the macros for user and group are expanded (machine cannot be expanded locally):

test # pdbedit -Lvw
---------------
Unix username: root
NT username:
Account Flags: [U ]
User SID: S-1-5-21-747218240-736168617-286591561-1000
Primary Group SID: S-1-5-21-747218240-736168617-286591561-512
Full Name: root
Home Directory: \\test\root
HomeDir Drive: x:
Logon Script: root.bat root
              =============
Profile Path: \\test\root\profile
Domain: TESTD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Wed, 17 Jul 2013 19:58:35 CEST
Password can change: Wed, 17 Jul 2013 19:58:35 CEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username: tb
NT username:
Account Flags: [U ]
User SID: S-1-5-21-747218240-736168617-286591561-5002
Primary Group SID: S-1-5-21-747218240-736168617-286591561-513
Full Name: tb
Home Directory: \\test\tb
HomeDir Drive: x:
Logon Script: tb.bat users
              ============
Profile Path: \\test\tb\profile
Domain: TESTD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Wed, 17 Jul 2013 19:58:44 CEST
Password can change: Wed, 17 Jul 2013 19:58:44 CEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username: win7$
NT username:
Account Flags: [W ]
User SID: S-1-5-21-747218240-736168617-286591561-5008
Primary Group SID: S-1-5-21-747218240-736168617-286591561-515
Full Name: machine_account
Home Directory:
HomeDir Drive: (null)
Logon Script:
Profile Path:
Domain: TESTD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Wed, 17 Jul 2013 20:02:40 CEST
Password can change: Wed, 17 Jul 2013 20:02:40 CEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

With 3.6.16 pdbedit shows that the macros are not expanded anymore and yes, no logon script is running anymore in the domain :(

test # pdbedit -Lvw
---------------
Unix username: root
NT username:
Account Flags: [U ]
User SID: S-1-5-21-747218240-736168617-286591561-1000
Primary Group SID: S-1-5-21-747218240-736168617-286591561-512
Full Name: root
Home Directory: \\test\root
HomeDir Drive: x:
Logon Script: %u.bat %g
Profile Path: \\test\root\profile
Domain: TESTD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Wed, 17 Jul 2013 19:58:35 CEST
Password can change: Wed, 17 Jul 2013 19:58:35 CEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username: tb
NT username:
Account Flags: [U ]
User SID: S-1-5-21-747218240-736168617-286591561-5002
Primary Group SID: S-1-5-21-747218240-736168617-286591561-513
Full Name: tb
Home Directory: \\test\tb
HomeDir Drive: x:
Logon Script: %u.bat %g
Profile Path: \\test\tb\profile
Domain: TESTD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Wed, 17 Jul 2013 19:58:44 CEST
Password can change: Wed, 17 Jul 2013 19:58:44 CEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username: win7$
NT username:
Account Flags: [W ]
User SID: S-1-5-21-747218240-736168617-286591561-5008
Primary Group SID: S-1-5-21-747218240-736168617-286591561-515
Full Name: machine_account
Home Directory: \\test\win7_
HomeDir Drive: x:
Logon Script: %u.bat %g
Profile Path: \\test\win7_\profile
Domain: TESTD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Wed, 17 Jul 2013 20:02:40 CEST
Password can change: Wed, 17 Jul 2013 20:02:40 CEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Imagine a really big domain with a lot of users: You have to edit 'Logon Script' for each user now with pdbedit :(

There were no definitions for that in smbpasswd from 3.5.20 (the old flat file cannot store this) and there is no information for that in the new tdbsam with 3.6.16:

test # tdbdump /etc/passdb.tdb

That's why the information comes from smb.conf but the macro definitions are not expanded anymore.

What can I do? I want to change the outdated Samba version 3.5.x for our users from eisfair.org to 3.6.x, but this is a show stopper for me.

der tom
On 17.07.2013 18:40, samba-bugs@samba.org wrote:
> Upgrading from 3.5 to 3.6 with a change from passdb backend smbpasswd to tdbsam,
> the macro substitutions for 'Logon Script' do not work anymore.

This must have something to do with the passdb backend tdbsam. If switching back to smbpasswd as backend, macros are expanded:

passdb backend = smbpasswd

test # cat /etc/smbpasswd
root:0:C2265B23734E0DACAAD3B435B51404EE:69943C5E63B4D2C104DBBCC15138B72B:[U ]:LCT-51E6DB4B:
tb:2001:E9559B6DE3982F01AAD3B435B51404EE:650FFD7593FE8C48341B3CEA1BEECA92:[U ]:LCT-51E6DB54:
WIN7$:2004:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:61E10EF907496FF607E3C128643815A9:[W ]:LCT-51E6DC40:

test # pdbedit -Lvw
---------------
Unix username: root
NT username:
Account Flags: [U ]
User SID: S-1-5-21-747218240-736168617-286591561-1000
Primary Group SID: S-1-5-21-747218240-736168617-286591561-512
Full Name: root
Home Directory: \\test\root
HomeDir Drive: x:
Logon Script: root.bat root
Profile Path: \\test\root\profile
Domain: TESTD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Wed, 17 Jul 2013 19:58:35 CEST
Password can change: Wed, 17 Jul 2013 19:58:35 CEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username: tb
NT username:
Account Flags: [U ]
User SID: S-1-5-21-747218240-736168617-286591561-5002
Primary Group SID: S-1-5-21-747218240-736168617-286591561-513
Full Name: tb
Home Directory: \\test\tb
HomeDir Drive: x:
Logon Script: tb.bat users
Profile Path: \\test\tb\profile
Domain: TESTD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Wed, 17 Jul 2013 19:58:44 CEST
Password can change: Wed, 17 Jul 2013 19:58:44 CEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username: win7$
NT username:
Account Flags: [W ]
User SID: S-1-5-21-747218240-736168617-286591561-5008
Primary Group SID: S-1-5-21-747218240-736168617-286591561-515
Full Name: machine_account
Home Directory:
HomeDir Drive: (null)
Logon Script:
Profile Path:
Domain: TESTD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Wed, 17 Jul 2013 20:02:40 CEST
Password can change: Wed, 17 Jul 2013 20:02:40 CEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

The question is now:
Why is tdbsam not honoring macros?
On 17.07.2013 19:40, samba-bugs@samba.org wrote:
> The question is now:
> Why is tdbsam not honoring macros?

The question is in fact:
Why is tdbsam not honoring the lower case macros %u and %g (which smbpasswd is honoring)?

My tests show:
If setting

logon script = %U.bat %G %m

(%u and %g upper case, %m lower case), then the macros are processed with tdbsam as passdb backend:

test # pdbedit -Lvw
---------------
Unix username: root
NT username:
Account Flags: [U ]
User SID: S-1-5-21-747218240-736168617-286591561-1000
Primary Group SID: S-1-5-21-747218240-736168617-286591561-512
Full Name: root
Home Directory: \\test\root
HomeDir Drive: x:
Logon Script: root.bat root
Profile Path: \\test\root\profile
Domain: TESTD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Wed, 17 Jul 2013 19:58:35 CEST
Password can change: Wed, 17 Jul 2013 19:58:35 CEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username: tb
NT username:
Account Flags: [U ]
User SID: S-1-5-21-747218240-736168617-286591561-5002
Primary Group SID: S-1-5-21-747218240-736168617-286591561-513
Full Name: tb
Home Directory: \\test\tb
HomeDir Drive: x:
Logon Script: tb.bat users
Profile Path: \\test\tb\profile
Domain: TESTD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Wed, 17 Jul 2013 19:58:44 CEST
Password can change: Wed, 17 Jul 2013 19:58:44 CEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username: win7$
NT username:
Account Flags: [W ]
User SID: S-1-5-21-747218240-736168617-286591561-5008
Primary Group SID: S-1-5-21-747218240-736168617-286591561-515
Full Name: machine_account
Home Directory: \\test\win7_
HomeDir Drive: x:
Logon Script: win7_.bat machines
Profile Path: \\test\win7_\profile
Domain: TESTD
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Wed, 17 Jul 2013 20:02:40 CEST
Password can change: Wed, 17 Jul 2013 20:02:40 CEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

But the lower case and upper case macros are not the same. From http://www.samba.org/samba/docs/man/manpages/smb.conf.5.html

upper case:
===========
%U session username (the username that the client wanted, not necessarily the same as the one they got).
%G primary group name of %U.

lower case:
===========
%u username of the current service, if any.
%g primary group name of %u.

I don't understand why there is such a difference with the passdb backends smbpasswd and tdbsam. This makes a switch to tdbsam with existing smb.conf files impossible.
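
Added example (not part of the bug report and not Samba code): a shell check for the symptom shown in the pdbedit listings above. It reads pdbedit -Lv style output and lists every account whose Home Directory, Logon Script or Profile Path still holds a literal macro such as %u or %g. The function names and the sample records are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag passdb entries whose path fields still contain an
# unexpanded smb.conf macro such as %u or %g.

# Reads `pdbedit -Lv` style output on stdin and prints one line per finding:
#   <unix username><TAB><field><TAB><value>
find_unexpanded_macros() {
    awk '
        # Return the text after the first colon, trimmed of blanks.
        function value(line) {
            sub(/^[^:]*:[ \t]*/, "", line)
            sub(/[ \t]+$/, "", line)
            return line
        }
        /^Unix username:/ { user = value($0); next }
        /^(Home Directory|Logon Script|Profile Path):/ {
            field = $0; sub(/:.*/, "", field)
            val = value($0)
            # A "%" followed by a letter is a macro that was stored literally.
            if (val ~ /%[A-Za-z]/) printf "%s\t%s\t%s\n", user, field, val
        }
    '
}

# Constructed sample modelled on the tdbsam output quoted in the report
# (field subset only; not a capture from a live system).
sample_pdbedit_output() {
    cat <<'EOF'
---------------
Unix username:        root
Home Directory:       \\test\root
Logon Script:         %u.bat %g
Profile Path:         \\test\root\profile
---------------
Unix username:        tb
Home Directory:       \\test\tb
Logon Script:         tb.bat users
Profile Path:         \\test\tb\profile
---------------
Unix username:        win7$
Home Directory:       \\test\win7_
Logon Script:         %u.bat %g
Profile Path:         \\test\win7_\profile
EOF
}

# Number of findings in the sample. On a real PDC run instead:
#   pdbedit -Lv | find_unexpanded_macros
count_findings() {
    sample_pdbedit_output | find_unexpanded_macros | wc -l | tr -d ' '
}

count_findings
```

Running it before and after a backend switch shows which accounts would lose their logon script.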
The problem with %U is (and _that's why_ we used %u with passdb backend smbpasswd and want to do this also with tdbsam):

If you have a lot of mapped users (you know, Windows users tend to create Windows login names with spaces in them), Samba is a PDC and you are excessively working with logon scripts, then you have the problem that your login scripts are not running anymore, because a mapped user

'Jim Knopf' (Windows name) -> jim (Unix name)

has to have a login script

jim.bat with smbpasswd and %u (no problem)

and a login script

Jim Knopf.bat with tdbsam and %U.

If switching now to tdbsam, for every mapped user such a login script does not exist (the existing script is jim.bat), and if such a login script _would_ exist, it could not run because it had a space in the name.

If I were a C programmer, I could change the code myself. I searched a lot and found in source3/passdb/passdb.c some lines like this:

if (logon_script) {
	fstrcpy( tmp_string, logon_script );
	if (expand_explicit) {
		standard_sub_basic( username, domain, tmp_string, sizeof(tmp_string) );
	}
	pdb_set_logon_script(sampass, tmp_string, PDB_SET);
} else {
	pdb_set_logon_script(sampass, talloc_sub_basic(sampass, username, domain, lp_logon_script()), PDB_DEFAULT);
}

I found out that standard_sub_basic is using talloc_sub_basic. talloc_sub_basic does not honor %u (substitute.c).

There is a function talloc_sub_specified in substitute.c, which honors %u and %U, %g and %G and so on. Can I use this function in passdb.c and how?

Thank you for your help.
The smbpasswd leaves the filling of the logon script and so on to a generic function of passdb, while tdbsam uses its own unmarshalling routines that do things slightly differently.

As you already figured out, there is a difference in the usage of the substitution functions.

In case of smbpasswd, the following is used:

pdb_set_logon_script(user, talloc_sub_specified(user, lp_logon_script(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid), PDB_DEFAULT);

while tdbsam uses this:

if (logon_script) {
	fstrcpy( tmp_string, logon_script );
	if (expand_explicit) {
		standard_sub_basic( username, domain, tmp_string, sizeof(tmp_string) );
	}
	pdb_set_logon_script(sampass, tmp_string, PDB_SET);
} else {
	pdb_set_logon_script(sampass, talloc_sub_basic(sampass, username, domain, lp_logon_script()), PDB_DEFAULT);
}

So that part would need to be adapted to talloc_sub_specified, but from a quick glance I am not sure if the additional parameters that talloc_sub_specified needs will be available at this spot or not.
On 22.07.2013 23:49, samba-bugs@samba.org wrote:
> So that part would need to be adapted to talloc_sub_specified, but from a quick
> glance I am not sure if the additional parameters that talloc_sub_specified
> needs will be available at this spot or not.

Thank you for trying to help me. But I don't understand C and cannot make this work :(
I did not expect you to be able to fix it; it was more meant to be a quick comment on why this does not work with the tdbsam backend.

After looking a bit deeper into the code, it will probably not be an easy task to make it work for this backend, so there will probably be no fix available in the near future.

Could you stick with the smbpasswd backend for a while until this gets fixed? This should still be configurable in 3.6, although the defaults have changed.
BTW: as listed in smb.conf, logon path only takes the *standard substitutions*. %u and %g are not in that list, only %U and %G. According to your previous post, those are working for you. So although it worked with the smbpasswd backend, it does not work with pdb_tdb and pdb_ldap (while it will probably work in the domain member case with winbind). So according to the docs, everything is fine. But I suspect that this will not help you.
On 25.07.2013 23:00, samba-bugs@samba.org wrote:
> Could you stick with the smbpasswd backend for a while until this gets fixed?
> This should still be configurable in 3.6, although the defaults have changed.

Yes, I will do so. I don't want to break existing configurations with the switch to tdbsam - that's why I asked for help here.
On 25.07.2013 23:10, samba-bugs@samba.org wrote:
> BTW: as listed in smb.conf, logon path only takes the *standard substitutions*.

That's not true for smbpasswd ;)

> %u and %g are not in that list, only %U and %G. According to your previous
> post, those are working for you.
> So although it worked with the smbpasswd backend, it does not work with pdb_tdb
> and pdb_ldap (while it will probably work in the domain member case with
> winbind).
>
> So according to the docs, everything is fine. But I suspect that this will not
> help you.

No, sorry, this does not help. In https://bugzilla.samba.org/show_bug.cgi?id=10029#c3 I described why this is not the case.