hugo hugo at aardvarks-and-platypus.com
Wed Nov 23 14:40:30 GMT 2005

Hi List

I've started playing with Samba 3.0.20b (compiled only with
--with-acl-support). It's a fresh install on a clean machine and samba is
set up as a Standalone server, I've tried using the TDBSAM and SMBPASSWD
backends (don't have access to an LDAP server). At the moment I am testing
- I have not got as far as using any of the new privilege options. All
administration of the samba server is done as root (which I've added into
samba). I'm using the simple smb.conf file from the Official Samba Howto -
just with a couple of extra lines added for the scripts e.g. "add user
script", "add user to group script", etc.

I noticed there is a new script option in Samba 3 the "add user to group
script". Naively I assumed this would be called every time you add a user
to a group within Samba (whether you are using something like MMC from a
Windows machine or using the net rpc groupadd commands from Nix). I am
using the groupmem function from shadow utils so it is smart enough to
remove/add individual groups from a user's unix secondary group list.

As far as I can tell the script is never called. I even resorted to
putting extra debug statements into mapping.c (in groupdb) - now I'm not a
programmer so that could all have been horribly wrong but it compiled and
there's nothing in the logs. I have used a simple shell script that logs
to syslog and calls groupmem and it produces no log info - the script
works manually as it were. Basically I'm pretty sure that the
add-user-to-a-group script does not work (as I expect).

This is where I'm confused: unless you add a user to a group within UNIX
(either a primary or secondary group) then none of the various file
permissions (relying on that group) will work. Doesn't matter if Samba
internally thinks that user <blah> is a member of the "Fancy NTGroup"
ntgroup if the unix incarnation of user <blah> is not a member of the
associated unix group then no-go. I would've thought that
add-user-to-group was a pretty important function.

I know I must be missing something from my understanding of it; "Add user
to group" is pretty self-explanatory to me but it's not.

Does the script that is pointed to by the "add user to group script"
option have to have some special attributes associated with it? For
example: it will only work if setuid root, or only run if it is called by
a user (within Samba) who has a RID of xxx? Or is it dependent on some
other option within smb.conf (some undocumented feature?).

I should say that all the other scripts work, therefore I can add users,
groups, machines and remove (using MMC or net rpc) - when I add/remove a
user samba happily calls the scripts associated with the "add user script"
or the "delete user script" option.

My plan had been to use the new privileges within Samba to delegate
administration to (trusted) end-users so I would not have to dole out the
root password. At the moment I cannot get things to work even as root (not
without the manual fix of running usermod from the shell to sort the group
memberships).