Craig White craigwhite at azapple.com
Wed Nov 23 23:21:42 GMT 2005

On Wed, 2005-11-23 at 19:12 +0000, hugo wrote:
> Hi list
> I've started playing with Samba 3.0.20b (compiled only with
> --with-acl-support). It's a fresh install on a clean machine and samba is
> setup as a Standalone server, I've tried using the TDBSAM and SMBPASSWD
> backends (don't have access to an LDAP server). At the moment I am testing
> - I have not got as far as using any of the new privilege options. All
> administration of the samba server is done as root (which I've added into
> samba). I'm using the simple smb.conf file from the Official Samba Howto -
> just with a couple of extra lines added for the scripts e.g. "add user
> script", "add user to group script", etc.
> I noticed there is a new script option in Samba 3, the "add user to group
> script". Naively I assumed this would be called every time you add a user
> to a group within Samba (whether you are using something like MMC from a
> Windows machine or using the net rpc groupadd commands from Nix). I am
> using the groupmem function from shadow utils so it is smart enough to
> remove/add individual groups from a user's unix secondary group list.
> As far as I can tell the script is never called. I even resorted to
> putting extra debug statements into mapping.c (in groupdb) - now I'm not a
> programmer so that could all have been horribly wrong but it compiled and
> there's nothing in the logs. I have used a simple shell script that logs
> to syslog and calls groupmem and it produces no log info - the script
> works manually as it were. Basically I'm pretty sure that the
> add-user-to-a-group script does not work (as I expect).
> This is where I'm confused: unless you add a user to a group within UNIX
> (either a primary or secondary group) then none of the various file
> permissions (relying on that group) will work. Doesn't matter if Samba
> internally thinks that user <blah> is a member of the "Fancy NTGroup"
> ntgroup if the unix incarnation of user <blah> is not a member of the
> associated unix group then no-go. I would've thought that
> add-user-to-group was a pretty important function.
> I know I must be missing something from my understanding of it. "Add user
> to group" is pretty self-explanatory to me, but it's not.
> Does the script that is pointed to by the "add user to group script"
> option have to have some special attributes associated with it? For
> example: it will only work if setuid root, or only run if it is called by
> a user (within Samba) who has a RID of xxx? Or is it dependent on some
> other option within smb.conf (some undocumented feature?).
> I should say that all the other scripts work, therefore I can add users,
> groups, machines and remove (using MMC or net rpc) - when I add/remove a
> user samba happily calls the scripts associated with the "add user script"
> or the "delete user script" option.
> My plan had been to use the new privileges within Samba to delegate
> administration to (trusted) end-users so I would not have to dole out the
> root password. At the moment I cannot get things to work even as root (not
> without the manual fix of running usermod from the shell to sort the group
> memberships).
What the various scripts do is entirely under your control, and they
could actually modify the posix attributes/group memberships if desired.

samba provides the scripts as hooks to the UNIX/Linux system and with
the variables that are passed via the scripts, you should be able to do
what you want.

You probably should be using ldap passdb as once you get through the
learning curve of ldap, you can get single source account management for
both samba and posix attributes.
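As an added illustration (not code from either poster or from the Samba project) of the hook style discussed in this thread: a small "add user to group script" that logs every invocation to syslog, validates the two names Samba hands it, and then calls groupmem. The smb.conf line, the script path, and the groupmem option syntax are assumptions; Samba runs the hook as root with arguments that ultimately come from a remote client, so the names are checked before anything is executed.

```shell
#!/bin/sh
# Added example, not code from the thread. A minimal hook for the smb.conf
# parameter discussed above, assuming this (hypothetical) configuration line:
#   add user to group script = /usr/local/sbin/smb-add-user-to-group %u %g
# Samba substitutes the user for %u and the group for %g and runs the script
# as root, so the arguments originate from a remote client and are validated
# before anything is executed.
set -eu

TAG="smb-add-user-to-group"

# Record every call to syslog (and stderr); this also shows whether Samba
# invoked the hook at all, which is the question raised in the thread.
log() {
    if command -v logger >/dev/null 2>&1; then
        logger -t "$TAG" "$*" 2>/dev/null || :
    fi
    printf '%s: %s\n' "$TAG" "$*" >&2
}

# Accept only conservative POSIX account and group names. Anything else
# (empty, leading '-', shell metacharacters, whitespace) is rejected so a
# crafted name cannot be turned into an option or a command for groupmem.
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Membership command from shadow-utils (assumed syntax: groupmem -a USER -g GROUP).
# Overridable so the logic can be exercised without root, e.g. GROUPMEM_CMD=echo.
GROUPMEM_CMD="${GROUPMEM_CMD:-groupmem}"

# Returns 0 on success, 2 when an argument is rejected, otherwise groupmem's status.
add_user_to_group() {
    user="$1"
    group="$2"
    if ! valid_name "$user"; then
        log "rejected user name: '$user'"
        return 2
    fi
    if ! valid_name "$group"; then
        log "rejected group name: '$group'"
        return 2
    fi
    log "adding user '$user' to group '$group'"
    "$GROUPMEM_CMD" -a "$user" -g "$group"
}

# Entry point when Samba runs the script with the two substituted arguments.
if [ "$#" -eq 2 ]; then
    add_user_to_group "$1" "$2"
elif [ "$#" -ne 0 ]; then
    log "usage: $0 USER GROUP"
    exit 64
fi
```

Because the hook's exit status and log lines are the only feedback Samba gives, a syslog entry per call is the quickest way to tell "the script was never run" apart from "the script ran and groupmem failed"; running it manually with `GROUPMEM_CMD=echo` shows the exact groupmem command without touching /etc/group.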

