About

So, you have a new Roundcube e-mail frontend, you have migrated your users to a new system, and they can authenticate to the IMAP server and log in just fine. But how will you create Samba users for your e-mail users? What happens if you have hundreds of users? Unfortunately, although Samba is able to synchronize with shadow passwords, Samba passwords and shadow passwords are incompatible, so you would need to get each plain-text password, create the Samba user with it and then enable the account manually. This can be a painful task for a large number of users, let alone the inconvenience of having to ask your users for their passwords so you can create their Samba accounts.

With a small trick, we can hack Roundcube by adding a few lines so that, whenever a user has successfully authenticated, their Samba account is created. After that, it is just a matter of sitting back and watching your Samba user and password database fill up with accounts.

Requirements

The setup requires that:

Granting Sudo Privileges to Web Account

Edit /etc/sudoers.d/roundcube and add the following lines:

www-data  ALL=(root) NOPASSWD: /usr/bin/smbpasswd
www-data  ALL=(root) NOPASSWD: /usr/bin/pdbedit

This allows the account that Apache runs as (in this case www-data) to execute /usr/bin/smbpasswd and /usr/bin/pdbedit as root without supplying a password. Because the entries list no arguments, sudo permits any arguments to both commands. This is alright for now because, after your Samba user database has filled up, you can disable this entire setup: you will have to create accounts manually from then on anyway.

The Hack

Change directory to your roundcube root and edit the file include/rcmail.php. Inside that file, you will find something along the lines of:

        // login succeeded
        if (is_object($user) && $user->ID) {
            // Configure environment
            $this->set_user($user);
            $this->set_storage_prop();
 
            // set session vars
            $_SESSION['user_id']      = $user->ID;
            $_SESSION['username']     = $user->data['username'];
            $_SESSION['storage_host'] = $host;
            $_SESSION['storage_port'] = $port;
            $_SESSION['storage_ssl']  = $ssl;
            $_SESSION['password']     = $this->encrypt($pass);
            $_SESSION['login_time']   = time();

Now, immediately after that, add the following lines:

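            // quote both values for the shell so a quote character in a password or username cannot end the argument early
            $smb_pass = escapeshellarg($pass);
            $smb_user = escapeshellarg($user->data['username']);
            exec("printf '%s\\n%s\\n' $smb_pass $smb_pass | sudo /usr/bin/smbpasswd -a -s $smb_user");
            exec("sudo /usr/bin/smbpasswd -e $smb_user");
            exec("printf '%s\\n%s\\n' $smb_pass $smb_pass | sudo /usr/bin/pdbedit -a -u $smb_user");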

and save the file. These three commands will perform the following actions in order:

  1. It will add the user to the Samba password database.
  2. The user will then be enabled.
  3. In case the password changed, pdbedit will forcibly set the password to the new password.
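
The same three steps can be run without a shell, so that no character in a password can change the command and the password never appears on a command line. This is an added example, not Roundcube code or part of the original hack; the function names samba_run and samba_sync_account and the username pattern are assumptions, and it needs PHP 7.4 or later.

```php
<?php
// Added example, not Roundcube code. Needs PHP 7.4+ (proc_open() with an array command).

// Hypothetical helper: run one command under sudo, feed $stdin to it, return the exit code.
function samba_run(array $argv, string $stdin = ''): int
{
    $spec = [
        0 => ['pipe', 'r'],               // child's stdin: the password is written here
        1 => ['file', '/dev/null', 'w'],  // discard stdout
        2 => ['file', '/dev/null', 'w'],  // discard stderr
    ];
    // -n: sudo fails instead of prompting when the NOPASSWD rule is missing
    $proc = proc_open(array_merge(['sudo', '-n'], $argv), $spec, $pipes);
    if (!is_resource($proc)) {
        return -1;
    }
    fwrite($pipes[0], $stdin);
    fclose($pipes[0]);
    return proc_close($proc);
}

// Hypothetical helper: the page's three steps for one user; true if all exited 0.
function samba_sync_account(string $username, string $password): bool
{
    // Assumed policy: refuse names that could be read as an option, and
    // passwords that would break the two-line input expected on stdin.
    if (!preg_match('/^[A-Za-z0-9_][A-Za-z0-9._-]{0,31}$/', $username)
        || $password === '' || preg_match('/[\r\n\0]/', $password)) {
        return false;
    }
    $twice = $password . "\n" . $password . "\n";
    // Same commands and options as the three exec() lines on this page
    $steps = [
        [['/usr/bin/smbpasswd', '-a', '-s', $username], $twice],
        [['/usr/bin/smbpasswd', '-e', $username], ''],
        [['/usr/bin/pdbedit', '-a', '-u', $username], $twice],
    ];
    $ok = true;
    foreach ($steps as [$argv, $stdin]) {
        if (samba_run($argv, $stdin) !== 0) {
            error_log('Samba sync step failed: ' . $argv[0]); // the password is never logged
            $ok = false;
        }
    }
    return $ok;
}
```

It would be called as samba_sync_account($user->data['username'], $pass) at the point where the exec() lines are added.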

Monitoring Samba Account Creation

Now let your users log in and log out as usual. Using pdbedit (if your Samba user database is set to tdbsam) you can list the newly created accounts. Issue:

pdbedit -L

from time to time and see what accounts have already been created.