[Samba] user / machine / group scripts, some work some don't

Michael Schmitt mschmitt at unixkiste.org
Mon Sep 10 03:34:56 GMT 2007

Hi John,

I am glad to report full success and must admit, at the end all is
really easy... if one only knows those tiny "things". It may be that I
did not understand everything in the docs right or that I've read over
some parts but finally adding and deleting groups and users work via
usermanager for domains and via pdbedit, just some very tiny rather
cosmetic issues are left. 

The problem, the solution:
Very interesting, the _real_ problem was with the passwd chat. This is
something I may have read over and I must admit I did not read the
manpage for smb.conf very thoroughly but as this is a VERY massive and
boring to read document... I like to think of it rather as a bit of a
reference than documentation.
One thing I always misunderstood was, the passwd chat is NOT a thing
displayed on the windows' screen somewhere / sometime if a user changes
his password... it is just a guidance for samba what to expect to see if
the passwd program is executed so it can interact properly. Somehow
embarrassing, awkward or just dumb... but that's how it was ;) So this
passwd chat, passwd sync and passwd program was a real myth to me and
over the years many false assumptions were accumulated. Not a big deal
as I did use samba only as a standalone server so far.
Another thing was, you see an error message, you make assumptions, you
google, you get lots of hints, several different and even more
assumptions from other users with similar problems, but absolutely NO
hint about the real problem. After hours (I must admit I spent way too
much time googling!) a few minutes of debugging did the trick... and at
the end, not very hard at all!
For example you get an error message "Access denied" (may be "permission
denied", translated from German) on the windows screen, we all know
those errors from Linux or *UNIX in general. Maybe most errors in
unixland are permission related... but in this case it was not an issue
of missing or wrong permissions at all.
I did raise the log level, noticed it added the account, could not
change / set the password and deleted the account afterwards again... a
few moments of thinking including help and thoughts from users on IRC...
and there it was, the myth is gone! Copy and paste is not a very good
idea after all when it comes to implement samba _right_ ;) This should
be mentioned in the docs a hundred times if you ask me!
Another thing was, I could not delete a user from a specific group...
after _short_ googling with no luck, thinking, trying out something...
and see, found a bug! deluser on debian stable does not like to delete
root from _any_ group it just complains he is not in that group, but he
is! $EDITOR /etc/group did the trick here. This is just a side-effect
from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=428144 I think. As
deluser is a perl script and I am not very good at reading perl, I did
not investigate this issue any further, I know it works on sid (debian
unstable) so it is fixed already. So... don't add root to any groups you
want to remove him afterwards from, on debian etch... ;)

So in short, I think one small chapter about those scripts including
notes about the distro specific stuff, a bunch of notes about copy and
paste, a joke every once in a while, a remark about locales (passwd does
not look the same in all languages > passwd chat), encourage users to
debug samba themselves, a rant about google and how useless and
confusing it can be, some notes about "user manager for domains" and how
this piece of software works and as a running gag (my personal
favorite): Clear up myths! I have no idea why, but several users
reported usrmgr.exe should be installed on a share on the samba PDC to
get it running... it worked for them. Really, no idea what problem they
had, but I can't think of any reason why this could be true! (I think a
little bit of debugging would have been of help here ;) And if all that
is done, even dumb users like me can set up a samba PDC in less than 2
Minutes (maybe even faster!) and spend the rest of the day in the woods,
at a lake or <insert your favorite place here>.


P.S.: 2 Minutes, excluding reading of course ;)
P.P.S.: Dance the samba with me, dance the samba all night long...

On Saturday, 08.09.2007, 23:54 -0500, John H Terpstra wrote:
> On Saturday 08 September 2007 23:30, Michael Schmitt wrote:
> > Hi List,
> >
> > I have some issues with user manager for domains (srvtools.exe from MS)
> > and the scripts mentioned in the subject. The examples from the samba
> > howto collection seem to cause serious issues here. I am on debian etch
> > and tried to create my own scripts but till now to no avail. With the
> > examples from the docs I could add groups, but could not add users to
> > groups. There was the option -A used but here it seems to be -a referring
> > to the manpage (log was helping here)... anyhow changed to -a and it
> > worked. But adding users does not work at all. Different syntax,
> > different problems, but nothing does work. With the example of the howto
> > collection the user manager gave me "access denied" or similar
> > (translated from German) as I tried to add a user. I tried to use
> > adduser instead of useradd and came to these syntaxes:
> Please check the man page for your distro.  The options to useradd, usermod, 
> groupmod, etc. seem to vary considerably across Linux distros.
> > add user script = /usr/sbin/adduser --ingroup domusers --gecos samba '%u'
> > delete user script = /usr/sbin/deluser '%u'
> > add group script = /usr/sbin/groupadd '%g'
> > delete group script = /usr/sbin/groupdel '%g'
> > add user to group script = /usr/sbin/adduser '%u' '%g'
> Please note that the adduser script is entirely different from the useradd 
> utility. Neither is consistent across implementations. Both vary from Linux 
> distro to distro.  I was unaware of this until last week and am not sure how 
> to handle this in the HOWTO, other than to make a note regarding the problem.
> > add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
> >
> > now the adduser syntax gives me loads of this over and over again:
> >
> > Use of uninitialized value in chop at /usr/sbin/adduser line 537.
> > Use of uninitialized value in pattern match (m//) at /usr/sbin/adduser
> > line 538.
> > Enter new UNIX password: Retype new UNIX password: No password supplied
> > Enter new UNIX password: Retype new UNIX password: No password supplied
> > Enter new UNIX password: Retype new UNIX password: No password supplied
> > passwd: Authentication token manipulation error
> > passwd: password unchanged
> >
> > If only all scripts would give me some hints why they don't work. As I
> > see not for all scripts log entries but none work I think everything I
> > tried was wrong.
> This is something you will need to take up with the Linux distro maintainer.
> > Could someone pinpoint me in the right direction or to the right part of
> > the docs? Maybe some insights of how those scripts need to be built?
> The useradd and adduser tools should NOT set the password. That would be done 
> using the passwd utility.
> - John T.
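
A simplified model of the expect side of a passwd chat, added here as an illustration and not code from Samba or from this thread: it walks the expect tokens against what the passwd program prints and reports the first step that does not match, which is where a copied chat or a non-English locale breaks the password change. The chat strings, the German prompts, the success line and the function names are constructed for the example; the two English prompts are the ones in the quoted log.

```python
import re

# smb.conf escapes that can appear inside a chat token.
ESCAPES = {r"\n": "\n", r"\r": "\r", r"\t": "\t", r"\s": " "}

def expect_regex(token):
    """Compile one expect token; '*' matches any run of characters."""
    for esc, char in ESCAPES.items():
        token = token.replace(esc, char)
    return re.compile(".*".join(re.escape(p) for p in token.split("*")), re.DOTALL)

def first_mismatch(chat, outputs):
    """Index of the first expect step that fails, or None if every step matches.

    chat    -- whitespace-separated tokens, alternating expect / send
    outputs -- text the passwd program prints ahead of each expect step
    """
    printed = iter(outputs)
    for step, token in enumerate(chat.split()[0::2]):
        if token == ".":  # a full stop means nothing is expected here
            continue
        if not expect_regex(token).fullmatch(next(printed, "")):
            return step
    return None

# Constructed chat strings (not taken from the thread).
EXACT_CHAT = (r"*Enter\snew\sUNIX\spassword:* %n\n "
              r"*Retype\snew\sUNIX\spassword:* %n\n "
              r"*password\supdated\ssuccessfully*")
COPIED_CHAT = r"*new*password* %n\n *new*password* %n\n *changed*"

# Prompts as in the log quoted in the thread, plus a constructed success line.
ENGLISH = ["Enter new UNIX password: ", "Retype new UNIX password: ",
           "passwd: password updated successfully\n"]
# Constructed German-locale output for the same passwd run.
GERMAN = ["Geben Sie ein neues UNIX-Passwort ein: ",
          "Geben Sie das neue UNIX-Passwort erneut ein: ",
          "passwd: Passwort erfolgreich geändert\n"]

if __name__ == "__main__":
    for name, chat in (("exact", EXACT_CHAT), ("copied", COPIED_CHAT)):
        for locale, out in (("en", ENGLISH), ("de", GERMAN)):
            print(name, locale, first_mismatch(chat, out))
```

A step index of 0 means the very first prompt was not recognised, so no password is ever sent; an index of 2 means both passwords were sent but the confirmation line was not the one the chat expected.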
