The Samba-Bugzilla – Bug 3538
"add user script = /usr/sbin/useradd ..." run as nobody
Last modified: 2009-05-27 03:51:07 UTC
I have the following configuration:
Two PDCs with Fedora Core 4: PDC1 and PDC2.
PDC1 trusts PDC2, respectively PDC2 is trusted to PDC1.
I join an XP workstation to PDC2. After restart i can see both domains in the login screen domain combo box.
I can logon to PDC2 , but not to PDC1, since the PDC2's /etc/passwd lacks the username from PDC1 i am trying to log in with. To correct this i edit smb.conf adding this line:
add user script = /usr/sbin/useradd %u -g users -s /bin/false -d /dev/null
After another unsuccessful login to PDC1 (with username ivan for example) in the PDC2's log (/var/log/samba/winxp.log) can be seen the following lines:
useradd: unable to lock password file
useradd ....gave 1
When i try to access a share on PDC2 with a PDC1 user (ivan for example), useradd is executed successfully, and user ivan is added to /etc/passwd.
I found out that during login "add user script = /usr/sbin/useradd %u ......" is executed with user nobody, and this user has no right to execute useradd, hence an error occurs.
After that i added user nobody in the /etc/sudoers so he could execute sudo on PDC2:
visudo -f sudoers
And edited smb.conf on PDC2 like this:
add user script = sudo -u root /usr/sbin/useradd %u ......
Now the logging to PDC1 works fine, but this is not normal, maybe it's a big security hole!
My question is:
Is this a bug in samba, why when mapping a drive useradd runs as root (as described in the samba manual), but when logging, it runs as user nobody who has no right to execute useradd?
If am wrong - correct me, or point me to another solution, I don't want use winbind.
Thanks in advance :-)
The best solution is to run winbindd on a DC to handle the
trusted users and groups. Why don't you want to run winbindd?
(In reply to comment #1)
> The best solution is to run winbindd on a DC to handle the
> trusted users and groups. Why don't you want to run winbindd?
Well, because I don't want complicate matters with a winbind...
Maybe is it the best solution, but I think myself that is too difficult, too many problems, errors and etc...! I read about winbind and tried it, but without success, example problems as:
"Error looking up domain users"
I don't know, what when and where must do it ?, I'm already confused
"add user script" run as nobody - Will be fixed this bug in future?
I thing if this bug fixed, that solution will be the best!!!
(In reply to comment #2)
> wbinfo -u/g
> "Error looking up domain users"
> and etc..
> I don't know, what when and where must do it ?, I'm already confused
Has the server running winbindd joined its own domain?
"wbinfo -t" should return "checking the trust secret via RPC calls succeeded"
in this case.
I had the same problem (see bug #2282) and the winbind-solution works here.