[Samba] Samba v3.0.23a BROKE my network
Chris Hall
chris.hall at halldom.com
Wed Jan 24 19:01:04 GMT 2007
On Wed, 24 Jan 2007 you wrote
>On Wed, Jan 24, 2007 at 03:59:30PM +0000, Chris Hall wrote:
>> * if a change is made that invalidates existing configurations
>> the documentation SHOULD SAY THAT, and it SHOULD SAY WHAT CHANGES
>> ARE REQUIRED.
>I know this will not relieve you frustration, but Jerry has
>put a big paragraph in the file WHATSNEW.txt under the
>heading
>
>User and Group changes
>======================
>
>We have it made very explicit that there are big changes
>coming with this release.
>
>Do you have any recommendation how we should this get across
>to our users more effectively?
OK...
Although I put the documentation issue first, I think it is more
important that the software check for this kind of configuration issue,
and report it clearly.
In short, I think this is more a software than a documentation issue.
However, the documentation did not lead me very quickly to the solution
:-(
First, I just did a "yum update" which updated samba and that broke the
network. So, by the time I read the release notes the horse had already
bolted and I was left wondering why the stable door was off its hinges.
Second, I was upgrading from .14 to .23a, so I had to wade through a
fair amount of release notes.
Third, I could find nothing that seemed related to the symptom I had,
namely that users could not log in !
Now, I agree that there's a big warning in the release notes under the
heading "User and Group Changes", as you say. And yes, in the end this
lead me to the section in the HOWTO that says it is necessary to set up
groupmap entries for Domain Admins, Domain User and Domain Guests. (But
not Domain Computers ?)
I can, through a glass darkly, see that explicitly mapping ntgroups/SIDs
to unix groups should be useful. Why things worked fine without such
mapping before is perhaps more of a puzzle than why it is required now.
But this is not really the point.
I don't suppose I'm the only samba user who has never needed to worry
about the groupmap mechanism, and for whom it has remained a perfect
mystery.
I had a configuration that worked pre .23 but now suddenly did not work.
What I needed to know was that with .23 it is ESSENTIAL that groupmap
settings are made for a small number of groups.
Even better, it would have been good to know that without those groupmap
settings, users would not be able to log on.
I have read and reread the release notes.
(http://www.samba.org/samba/history/samba-3.0.23.html)
Even now I know the answer, I still do not see anything there that tells
me:
From v3.0.23 onwards it is essential to map a small number of
nt groups to the equivalent unix groups on the samba server. If these
mappings are not made you will find that users will not be able to
log on and machine trust accounts will be unusable.
The nt groups that must be mapped are: Domain Admins, Domain Users and
Domain Guests. To set up the mapping you need to:
net groupmap add ntgroup="Domain Admins" rid=512 unixgroup=? type=d
net groupmap add ntgroup="Domain Users" rid=513 unixgroup=? type=d
net groupmap add ntgroup="Domain Guests" rid=514 unixgroup=? type=d
where '?' is the unix group to map to in each case. 'net groupmap
list' will show the current groupmap. The groupmap is stored once it
has been set up.
For more about group mapping see the HOWTO, Chapter 12, GROUP MAPPING:
MS WINDOWS AND UNIX.
I don't know if other bad things happen if this groupmap is not set up,
so this is not guaranteed to be complete.
So, I would say:
1. the software should check that the configuration is complete, and
make sensible noises if it is not. The trap I fell into has no
business being there in the first place.
Developers need to avoid constructing pitfalls, or at the very
least put up some form of safety barrier.
2. Having to take special steps to document a pitfall is a sure sign
there's something wrong with the software !
3. The documentation needs to be direct and from the users', not the
developers', perspective.
I'm sure there are lots of interesting things to say about how the
software now deals with groups, and how that solves various
problems -- and this will make sense to people who have some idea
what it is about, particularly the wizards who develop these
things.
In general users are not interested in how the software has been
improved. Users are only interested in what a given change means
to them, which can be broken into (a) description of problem,
(b) resolution of problem.
- the description needs to be complete enough for users who have
encountered (and may understand) the problem to recognise it,
and enough for other users to know that it is not something
they care about.
- the resolution needs to concentrate on the user visible effects
and any action the user needs to take.
In this case what we have is a side effect of other improvements:
some extra configuration is required. The release notes needed to
say just that. So... following the pattern above, (a) the problem
is that to get over issues with group handling it is necessary to
have explicit group mappings, without which a number of bad things
happen, (b) the resolution is for the user to specify a minimum set
of mappings.
[The fact that the problem here is self-inflicted is another sure
sign that the software is at fault !]
4. Think of the user as an intelligent person who has been asleep for
two hundred years. Now you need to teach them how to drive. They
won't need to know how a car works, just how to operate it and keep
it running. They understand the language well enough, but there's
a whole new chunk of vocabulary that may mean nothing (think wing
mirror) or something quite different (think bonnet or choke).
Further, when you get out onto the road there's a whole slew of
concepts to be mastered.
HTH
Chris
--
Chris Hall @ Home +44 (0)7970 277 383
More information about the samba
mailing list