samba 3 by example addendum / suggestion, was: Re: [Samba] user / machine / group scripts, some work some don't

Michael Schmitt mschmitt at unixkiste.org
Wed Sep 12 01:26:46 GMT 2007


As I want it to be proofread by some folks, I think writing it as plain
text and later on converting it to XML would be better?

P.S.: oops... did not notice I sent the mail to you and not to the
list, sorry for that

On Tuesday, 11.09.2007, 19:17 -0500, John H Terpstra wrote:
> On Tuesday 11 September 2007 18:25, Michael Schmitt wrote:
> > Hi John, hi list (your opinion too please)
> 
> OK. Write it! When will it be done? I'm looking forward to it. Will you give
> it to me in XML and ready to roll it into the book?
> 
> - John T.
> 
> >
> > "samba3 by example"=s3bx
> >
> > This is how I want to write that chapter, but for sure it could or
> > should be integrated in the existing s3bx as best as possible. But I must
> > admit, even if s3bx is somewhat clearer and better structured compared
> > to tosharg2 it could be better. Maybe just a good index is missing? Maybe
> > we should rethink the titles of the chapters to be clearer. So here we
> > go:
> >
> > Install samba, maybe leave some short notes about distribution specific
> > things, drop a valid smb.conf in /etc/samba/ (maybe a heavily documented
> > one as example including things that are missing in the s3bx chapters,
> > including things I mentioned in the last mail, maybe with notes about
> > optional and important parameters, including defaults and if defaults
> > change if something else is changed). For the beginning add two unix
> > groups. One for users, one for admins, some words about groups in
> > general including both sides, windows and unix. Map those groups to
> > Windows accounts, explain exactly what is going on there, what about the
> > rid for domain admins and the unix gid 0? There may be an error in s3bx.
> > We do not need to be very verbose here, everything should be documented
> > in a very basic fashion but somewhat "complete" with notes to
> > continuative docs, ideally with links to those (footnotes, if ever
> > printed, for printed docs... no idea). Grant the Domain Admin group all
> > rights for managing the domain. Some notes about rights and permissions
> > and about granting rights and especially about granting rights that a
> > user / a group gets real domain admin rights, including local admin
> > rights. Btw. I think
> >
> > net rpc rights grant "<domain>\Domain Admins" SeMachineAccountPrivilege
> > SePrintOperatorPrivilege SeAddUsersPrivilege SeRemoteShutdownPrivilege
> > SeDiskOperatorPrivilege -U root <enter>
> >
> > should be possible to be abbreviated to something like
> >
> > net rpc rights grant "<domain>\Domain Admins" SeAll -U root <enter>
> >
> > or did I miss something in tosharg2?
> >
> > So, in best cases the linux part is done, nevertheless explain some
> > basic administrative things you can do on the commandline (pdbedit, net
> > *, ...), but as "User Manager for Domains" (=UMFD) is somewhat better
> > for the casual user, or in other words the Linux guys may be on holiday,
> > what should the Windows guys do in the meantime if they need to manage
> > accounts? Anyhow, some words about the right srvtools.exe package (I got
> > at first the wrong one, nothing at all worked!) and where to get it and
> > about using it... hey, it is just klickibunti (sorry, I did not find a
> > perfect translation for this german word, maybe you get the point:
> > click-o-matic, windows-like, colorful-clickable-userinterface,
> > YouCanBeDumbAsVegetablesToUseThisSystem... whatever prejudice fits best
> > for you *g*) so not many words needed, but explain in short words what
> > is possible and what needs to be done that it will be possible and
> > what's not possible at all with UMFD. There are many buttons... whoopie!
> > But most of them seem not to work for me... dunno why... should be
> > definitely addressed or at least linked to the right place.
> >
> > Done ;) I wrote this as I set up another PDC this evening, so fairly
> > fresh from mind, I hope I did not miss anything, I will see if all works
> > in a few minutes. I boot the only Windows machine here and try to join
> > the samba domain controller. But as this is just schematic... please,
> > what do you think about it?
> >
> > regards
> > Michael
> >
> > On Sunday, 09.09.2007, 23:07 -0500, John H Terpstra wrote:
> > > On Sunday 09 September 2007 22:34, Michael Schmitt wrote:
> > > > Hi John,
> > > >
> > > > I am glad to report full success and must admit, at the end all is
> > > > really easy... if one only knows those tiny "things". It may be that I
> > >
> > > Good. I am happy to hear that you have conquered Samba at last.  Now,
> > > while all this is fresh in your mind, why don't you write that chapter
> > > you so nicely suggest below. The Samba documentation is user-contributed
> > > documentation so you might as well earn your moment of glory in the docs.
> > > :-)
> > >
> > > PS: I can identify with your comments - we've all been there at one time
> > > or another.
> > >
> > > Cheers,
> > > John T.
> > >
> > > > did not understand everything in the docs right or that I've read over
> > > > some parts but finally adding and deleting groups and users work via
> > > > User Manager for Domains and via pdbedit, just some very tiny rather
> > > > cosmetic issues are left.
> > > >
> > > > The problem, the solution:
> > > > Very interesting, the _real_ problem was with the passwd chat. This is
> > > > something I may have read over and I must admit I did not read the
> > > > manpage for smb.conf very thoroughly but as this is a VERY massive and
> > > > boring to read document... I like to think of it rather as a bit of a
> > > > reference than documentation.
> > > > One thing I always misunderstood was, the passwd chat is NOT a thing
> > > > displayed on the Windows screen somewhere / sometime if a user changes
> > > > his password... it is just a guidance for samba what to expect to see
> > > > if the passwd program is executed so it can interact properly. Somehow
> > > > embarrassing, awkward or just dumb... but that's how it was ;) So this
> > > > passwd chat, passwd sync and passwd program was a real myth to me and
> > > > over the years many false assumptions were accumulated. Not a big deal
> > > > as I did use samba only as a standalone server so far.
> > > > Another thing was, you see an error message, you make assumptions, you
> > > > google, you get lots of hints, several different and even more
> > > > assumptions from other users with similar problems, but absolutely NO
> > > > hint about the real problem. After hours (I must admit I spent a way
> > > > too much time googling!) a few minutes of debugging did the trick...
> > > > and at the end, not very hard at all!
> > > > For example you get an error message "Access denied" (may be
> > > > "permission denied", translated from german) on the windows screen, we
> > > > all know those errors from Linux or *UNIX in general. Maybe most errors
> > > > in unixland are permission related... but in this case it was not an
> > > > issue of missing or wrong permissions at all.
> > > > I did raise the log level, noticed it added the account, could not
> > > > change / set the password and deleted the account afterwards again... a
> > > > few moments of thinking including help and thoughts from users on
> > > > IRC... and there it was, the myth is gone! Copy and paste is not a
> > > > very good idea after all when it comes to implementing samba _right_ ;)
> > > > This should be mentioned in the docs a hundred times if you ask me!
> > > > Another thing was, I could not delete a user from a specific group...
> > > > after _short_ googling with no luck, thinking, trying out something...
> > > > and see, found a bug! deluser on debian stable does not like to delete
> > > > root from _any_ group it just complains he is not in that group, but he
> > > > is! $EDITOR /etc/group did the trick here. This is just a side-effect
> > > > from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=428144 I think.
> > > > As deluser is a perl script and I am not very good at reading perl, I
> > > > did not investigate this issue any further, I know it works on sid
> > > > (debian unstable) so it is fixed already. So... don't add root to any
> > > > groups you want to remove him afterwards from, on debian etch... ;)
> > > >
> > > > So in short, I think one small chapter about those scripts including
> > > > notes about the distro specific stuff, a bunch of notes about copy and
> > > > paste, a joke every once in a while, a remark about locales (passwd
> > > > does not look the same in all languages > passwd chat), encourage users
> > > > to debug samba themselves, a rant about google and how useless and
> > > > confusing it can be, some notes about "user manager for domains" and
> > > > how this piece of software works and as a running gag (my personal
> > > > favorite): Clear up myths! I have no idea why, but several users
> > > > reported usrmgr.exe should be installed on a share on the samba PDC to
> > > > get it running... it worked for them. Really, no idea what problem they
> > > > had, but I can't think of any reason why this could be true! (I think a
> > > > little bit of debugging would have been of help here ;) And if all that
> > > > is done, even dumb users like me can set up a samba PDC in less than 2
> > > > minutes (maybe even faster!) and spend the rest of the day in the
> > > > woods, at a lake or <insert your favorite place here>.
> > > >
> > > > regards
> > > > Michael
> > > >
> > > > P.S.: 2 Minutes, excluding reading of course ;)
> > > > P.P.S.: Dance samba with me, dance samba all night long...
> > > >
> > > > On Saturday, 08.09.2007, 23:54 -0500, John H Terpstra wrote:
> > > > > On Saturday 08 September 2007 23:30, Michael Schmitt wrote:
> > > > > > Hi List,
> > > > > >
> > > > > > I have some issues with user manager for domains (srvtools.exe from
> > > > > > MS) and the scripts mentioned in the subject. The examples from the
> > > > > > samba howto collection seem to cause serious issues here. I am on
> > > > > > Debian etch and tried to create my own scripts but till now to no
> > > > > > avail. With the examples from the docs I could add groups, but
> > > > > > could not add users to groups. There was the option -A used but
> > > > > > here it seems to be -a referring to the manpage (log was helping
> > > > > > here)... anyhow changed to -a and it worked. But adding users does
> > > > > > not work at all. Different syntax, different problems, but nothing
> > > > > > does work. With the example of the howto collection the user
> > > > > > manager gave me "access denied" or similar (translated from german)
> > > > > > as I tried to add a user. I tried to use adduser instead of useradd
> > > > > > and came to these syntaxes:
> > > > >
> > > > > Please check the man page for your distro.  The options to useradd,
> > > > > usermod, groupmod, etc. seem to vary considerably across Linux
> > > > > distros.
> > > > >
> > > > > > add user script = /usr/sbin/adduser --ingroup domusers --gecos samba '%u'
> > > > > > delete user script = /usr/sbin/deluser '%u'
> > > > > > add group script = /usr/sbin/groupadd '%g'
> > > > > > delete group script = /usr/sbin/groupdel '%g'
> > > > > > add user to group script = /usr/sbin/adduser '%u' '%g'
> > > > >
> > > > > Please note that the adduser script is entirely different from the
> > > > > useradd utility. Neither is consistent across implementations. Both
> > > > > vary from Linux distro to distro.  I was unaware of this until last
> > > > > week and am not sure how to handle this in the HOWTO, other than to
> > > > > make a note regarding the problem.
> > > > >
> > > > > > add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
> > > > > >
> > > > > > now the adduser syntax gives me loads of this over and over again:
> > > > > >
> > > > > > Use of uninitialized value in chop at /usr/sbin/adduser line 537.
> > > > > > Use of uninitialized value in pattern match (m//) at
> > > > > > /usr/sbin/adduser line 538.
> > > > > > Enter new UNIX password: Retype new UNIX password: No password
> > > > > > supplied Enter new UNIX password: Retype new UNIX password: No
> > > > > > password supplied Enter new UNIX password: Retype new UNIX
> > > > > > password: No password supplied passwd: Authentication token
> > > > > > manipulation error
> > > > > > passwd: password unchanged
> > > > > >
> > > > > > If only all scripts would give me some hints why they don't work.
> > > > > > As I see not for all scripts log entries but none work I think
> > > > > > everything I tried was wrong.
> > > > >
> > > > > This is something you will need to take up with the Linux distro
> > > > > maintainer.
> > > > >
> > > > > > Could someone pinpoint me in the right direction or to the right
> > > > > > part of the docs? Maybe some insights of how those scripts need to
> > > > > > be built?
> > > > >
> > > > > The useradd and adduser tools should NOT set the password. That
> > > > > should be done using the passwd utility.
> > > > >
> > > > > - John T.
> > >
> > > --
> > > John H Terpstra
> > > Samba-Team Member
> > > Phone: +1 (650) 580-8668
> > >
> > > Author:
> > > The Official Samba-3 HOWTO & Reference Guide, 2 Ed., ISBN: 0131882228
> > > Samba-3 by Example, 2 Ed., ISBN: 013188221X
> > > Hardening Linux, ISBN: 0072254971
> > > Other books in production.
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/listinfo/samba
> 
> -- 
> John H Terpstra
> Samba-Team Member
> Phone: +1 (650) 580-8668
> 
> Author:
> The Official Samba-3 HOWTO & Reference Guide, 2 Ed., ISBN: 0131882228
> Samba-3 by Example, 2 Ed., ISBN: 013188221X
> Hardening Linux, ISBN: 0072254971
> Other books in production.
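The chapter outline Michael sketches (two unix groups mapped to Windows groups, Domain Admins rights, the account scripts, passwd chat) boils down to a small smb.conf. The fragment below is an added example written for this page; it is not text from the thread, from the Samba books, or from the Samba project. The workgroup EXAMPLE, the group names domusers/domadmins, and the wrapper path /usr/local/sbin/samba-account.sh are assumptions. The passwd chat matches the Debian prompts quoted in the thread ("Enter new UNIX password:", "Retype new UNIX password:") in the C locale.

```ini
[global]
   workgroup = EXAMPLE
   netbios name = PDC
   security = user
   passdb backend = tdbsam
   domain logons = yes
   domain master = yes
   os level = 65

   # Rights granted with "net rpc rights grant" are only honoured with this on.
   enable privileges = yes

   # smbd runs these as root, without a terminal, whenever User Manager for
   # Domains or "net rpc user add" creates or deletes an account.  They must
   # never prompt for a password: Samba sets the password afterwards through
   # "passwd program" below.  Wrapper path is an assumption (see the script
   # example further down the page).
   add user script               = /usr/local/sbin/samba-account.sh add-user '%u'
   delete user script            = /usr/local/sbin/samba-account.sh del-user '%u'
   add machine script            = /usr/local/sbin/samba-account.sh add-machine '%u'
   add group script              = /usr/sbin/groupadd '%g'
   delete group script           = /usr/sbin/groupdel '%g'
   # Debian's adduser/deluser, not useradd, take "USER GROUP" for membership.
   add user to group script      = /usr/sbin/adduser '%u' '%g'
   delete user from group script = /usr/sbin/deluser '%u' '%g'

   # "passwd chat" is a script of what passwd PRINTS and what Samba TYPES in
   # reply; the Windows user never sees it.  "*" matches anything, "\s" is a
   # space, "%n" is the new password.  LC_ALL=C keeps a localized passwd from
   # printing prompts the chat cannot match.
   unix password sync = yes
   passwd program = /usr/bin/env LC_ALL=C /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *updated\ssuccessfully*
   # Only while debugging: logs the whole chat, cleartext password included,
   # at log level 100.
   passwd chat debug = no

; One-time setup as root, after "groupadd domusers" and "groupadd domadmins":
;   net groupmap add ntgroup="Domain Admins" unixgroup=domadmins rid=512 type=d
;   net groupmap add ntgroup="Domain Users"  unixgroup=domusers  rid=513 type=d
;   net rpc rights grant "EXAMPLE\Domain Admins" SeMachineAccountPrivilege \
;       SePrintOperatorPrivilege SeAddUsersPrivilege SeRemoteShutdownPrivilege \
;       SeDiskOperatorPrivilege -U root
```

On the gid 0 question raised in the outline: map Domain Admins to a dedicated unix group, not to root's group. RID 512 is what makes the group "Domain Admins" on the Windows side; the unix gid only governs file access on the server, so there is no reason to hand domain administrators gid 0.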

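The scripts in the earliest message fail because Debian's adduser, run by smbd without a terminal, prompts for a password (the "Enter new UNIX password: ... No password supplied" loop) and, for machine accounts, rejects the trailing "$". Below is an added example of a wrapper that smb.conf can point its account scripts at; it is not code from the thread or from the Samba project. It assumes Debian's adduser/deluser (with --disabled-password, --disabled-login and --force-badname), the install path /usr/local/sbin/samba-account.sh, the group name domusers, and that the ADDUSER/DELUSER variables may be overridden so the script can be exercised without root.

```shell
#!/bin/sh
# samba-account.sh: wrappers for the smb.conf account scripts on Debian.
# Added example, not code from the thread or from the Samba project.
# Install as /usr/local/sbin/samba-account.sh (assumed path) and wire it in:
#   add user script          = /usr/local/sbin/samba-account.sh add-user '%u'
#   add machine script       = /usr/local/sbin/samba-account.sh add-machine '%u'
#   delete user script       = /usr/local/sbin/samba-account.sh del-user '%u'
#   add user to group script = /usr/local/sbin/samba-account.sh add-to-group '%u' '%g'

# Tool paths are overridable so the script can be exercised without root
# (an assumption made for testing; under smbd the defaults are used).
ADDUSER="${ADDUSER:-/usr/sbin/adduser}"
DELUSER="${DELUSER:-/usr/sbin/deluser}"
DOMAIN_GROUP="${DOMAIN_GROUP:-domusers}"   # unix group mapped to "Domain Users"
NL='
'

# smbd runs these as root with %u/%g substituted in.  Accept only a plain
# lowercase POSIX name (Debian adduser's default NAME_REGEX) plus an optional
# trailing '$' for machine accounts, and never touch root: the deluser-on-root
# bug from the thread is one reason, smbd running as root is the other.
valid_name() {
    case "$1" in
        ''|-*|root|*"$NL"*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,30}\$?$'
}

# add user script.  --disabled-password is the fix for the prompt loop:
# adduser is not allowed to ask, Samba sets the password later via
# "passwd program".  stdin is closed so nothing can ever block on a read.
add_user() {
    valid_name "$1" || { echo "add-user: refusing '$1'" >&2; return 1; }
    "$ADDUSER" --quiet --disabled-password --gecos "Samba user" \
        --ingroup "$DOMAIN_GROUP" "$1" </dev/null
}

# add machine script.  %u arrives as "host$"; the '$' fails adduser's name
# check, hence --force-badname.  No home directory, no shell, no login.
add_machine() {
    case "$1" in
        *\$) ;;
        *) echo "add-machine: '$1' has no trailing \$" >&2; return 1 ;;
    esac
    valid_name "$1" || { echo "add-machine: refusing '$1'" >&2; return 1; }
    "$ADDUSER" --quiet --disabled-login --no-create-home --home /var/lib/nobody \
        --shell /bin/false --gecos "Samba machine account" --force-badname "$1" </dev/null
}

# delete user script.
del_user() {
    valid_name "$1" || { echo "del-user: refusing '$1'" >&2; return 1; }
    "$DELUSER" --quiet "$1" </dev/null
}

# add user to group script: Debian's "adduser USER GROUP" form.
add_to_group() {
    valid_name "$1" && valid_name "$2" || { echo "add-to-group: refusing '$1' '$2'" >&2; return 1; }
    "$ADDUSER" --quiet "$1" "$2" </dev/null
}

# Dispatcher; with no arguments the script only defines the functions above.
case "${1:-}" in
    add-user)     add_user "$2" ;;
    add-machine)  add_machine "$2" ;;
    del-user)     del_user "$2" ;;
    add-to-group) add_to_group "$2" "$3" ;;
    '')           ;;
    *) echo "usage: $0 {add-user|add-machine|del-user|add-to-group} NAME [GROUP]" >&2; exit 64 ;;
esac
```

To see what smbd actually passes to the script, raise "log level" and watch log.smbd while adding a user from User Manager for Domains; the wrapper's own refusals land in the same log because smbd captures the script's stderr.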

