Greetings! I have the following configuration: Two PDCs with Fedora Core 4: PDC1 and PDC2. PDC1 trusts PDC2, respectively PDC2 is trusted to PDC1. I join an XP workstation to PDC2. After restart i can see both domains in the login screen domain combo box. I can logon to PDC2 , but not to PDC1, since the PDC2's /etc/passwd lacks the username from PDC1 i am trying to log in with. To correct this i edit smb.conf adding this line: add user script = /usr/sbin/useradd %u -g users -s /bin/false -d /dev/null After another unsuccessful login to PDC1 (with username ivan for example) in the PDC2's log (/var/log/samba/winxp.log) can be seen the following lines: useradd: unable to lock password file useradd ....gave 1 When i try to access a share on PDC2 with a PDC1 user (ivan for example), useradd is executed successfully, and user ivan is added to /etc/passwd. I found out that during login "add user script = /usr/sbin/useradd %u ......" is executed with user nobody, and this user has no right to execute useradd, hence an error occurs. After that i added user nobody in the /etc/sudoers so he could execute sudo on PDC2: visudo -f sudoers %nobody ALL=/usr/sbin/useradd And edited smb.conf on PDC2 like this: add user script = sudo -u root /usr/sbin/useradd %u ...... Now the logging to PDC1 works fine, but this is not normal, maybe it's a big security hole! My question is: Is this a bug in samba, why when mapping a drive useradd runs as root (as described in the samba manual), but when logging, it runs as user nobody who has no right to execute useradd? If am wrong - correct me, or point me to another solution, I don't want use winbind. Thanks in advance :-)
The best solution is to run winbindd on a DC to handle the trusted users and groups. Why don't you want to run winbindd?
(In reply to comment #1) > The best solution is to run winbindd on a DC to handle the > trusted users and groups. Why don't you want to run winbindd? > Why..? Well, because I don't want complicate matters with a winbind... Maybe is it the best solution, but I think myself that is too difficult, too many problems, errors and etc...! I read about winbind and tried it, but without success, example problems as: wbinfo -u/g "Error looking up domain users" and etc.. I don't know, what when and where must do it ?, I'm already confused "add user script" run as nobody - Will be fixed this bug in future? I thing if this bug fixed, that solution will be the best!!!
(In reply to comment #2) [...] > wbinfo -u/g > "Error looking up domain users" > and etc.. > I don't know, what when and where must do it ?, I'm already confused > Has the server running winbindd joined its own domain? "wbinfo -t" should return "checking the trust secret via RPC calls succeeded" in this case. I had the same problem (see bug #2282) and the winbind-solution works here.
comment #1 said it. Any other attempt to do this is wrong.