[Samba] user / machine / group scripts, some work some don't

John H Terpstra jht at samba.org
Mon Sep 10 04:07:16 GMT 2007

On Sunday 09 September 2007 22:34, Michael Schmitt wrote:
> Hi John,
> I am glad to report full success and must admit, at the end all is
> really easy... if one only knows those tiny "things". It may be that I

Good. I am happy to hear that you have conquered Samba at last.  Now, while 
all this is fresh in your mind, why don't you write that chapter you so 
nicely suggest below. The Samba documentation is user-contributed 
documentation so you might as well earn your moment of glory in the docs. :-)

PS: I can identify with your comments - we've all been there at one time or 

John T.

> did not understand everything in the docs right or that I've read over
> some parts but finally adding and deleting groups and users work via
> usermanager for domains and via pdbedit, just some very tiny rather
> cosmetic issues are left.
> The problem, the solution:
> Very interesting, the _real_ problem was with the passwd chat. This is
> something I may have read over and I must admit I did not read the
> manpage for smb.conf very thoroughly but as this is a VERY massive and
> boring to read document... I like to think of it rather as a bit of a
> reference than documentation.
> One thing I always misunderstood was, the passwd chat is NOT a thing
> displayed on the windows' screen somewhere / sometime if a user changes
> his password... it is just a guidance for samba what to expect to see if
> the passwd program is executed so it can interact properly. Somehow
> embarrassing, awkward or just dumb... but that's how it was ;) So this
> passwd chat, passwd sync and passwd program was a real myth to me and
> over the years many false assumptions were accumulated. Not a big deal
> as I did use samba only as a standalone server so far.
> Another thing was, you see an error message, you make assumptions, you
> google, you get lots of hints, several different and even more
> assumptions from other users with similar problems, but absolutely NO
> hint about the real problem. After hours (I must admit I spent way too
> much time googling!) a few minutes of debugging did the trick... and at
> the end, not very hard at all!
> For example you get an error message "Access denied" (may be "permission
> denied", translated from German) on the windows screen, we all know
> those errors from Linux or *UNIX in general. Maybe most errors in
> unixland are permission related... but in this case it was not an issue
> of missing or wrong permissions at all.
> I did raise the log level, noticed it added the account, could not
> change / set the password and deleted the account afterwards again... a
> few moments of thinking including help and thoughts from users on IRC...
> and there it was, the myth is gone! Copy and paste is not a very good
> idea after all when it comes to implement samba _right_ ;) This should
> be mentioned in the docs a hundred times if you ask me!
> Another thing was, I could not delete a user from a specific group...
> after _short_ googling with no luck, thinking, trying out something...
> and see, found a bug! deluser on debian stable does not like to delete
> root from _any_ group it just complains he is not in that group, but he
> is! $EDITOR /etc/group did the trick here. This is just a side-effect
> from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=428144 I think. As
> deluser is a perl script and I am not very good at reading perl, I did
> not investigate this issue any further, I know it works on sid (debian
> unstable) so it is fixed already. So... don't add root to any groups you
> want to remove him afterwards from, on debian etch... ;)
> So in short, I think one small chapter about those scripts including
> notes about the distro specific stuff, a bunch of notes about copy and
> paste, a joke every once in a while, a remark about locales (passwd does
> not look the same in all languages > passwd chat), encourage users to
> debug samba themselves, a rant about google and how useless and
> confusing it can be, some notes about "user manager for domains" and how
> this piece of software works and as a running gag (my personal
> favorite): Clear up myths! I have no idea why, but several users
> reported usrmgr.exe should be installed on a share on the samba PDC to
> get it running... it worked for them. Really, no idea what problem they
> had, but I can't think of any reason why this could be true! (I think a
> little bit of debugging would have been of help here ;) And if all that
> is done, even dumb users like me can set up a samba PDC in less than 2
> Minutes (maybe even faster!) and spend the rest of the day in the woods,
> at a lake or <insert your favorite place here>.
> regards
> Michael
> P.S.: 2 Minutes, excluding reading of course ;)
> P.P.S.: Dance samba with me, dance samba all night long...
> On Saturday, 08.09.2007, at 23:54 -0500, John H Terpstra wrote:
> > On Saturday 08 September 2007 23:30, Michael Schmitt wrote:
> > > Hi List,
> > >
> > > I have some issues with user manager for domains (srvtools.exe from MS)
> > > and the scripts mentioned in the subject. The examples from the samba
> > > howto collection seem to cause serious issues here. I am on debian etch
> > > and tried to create my own scripts but till now to no avail. With the
> > > examples from the docs I could add groups, but could not add users to
> > > groups. There was the option -A used but here it seems to be -a
> > > referring to the manpage (log was helping here)... anyhow changed to -a
> > > and it worked. But adding users does not work at all. Different syntax,
> > > different problems, but nothing does work. With the example of the
> > > howto collection the user manager gave me "access denied" or similar
> > > (translated from German) as I tried to add a user. I tried to use
> > > adduser instead of useradd and came to these syntaxes:
> >
> > Please check the man page for your distro.  The options to useradd,
> > usermod, groupmod, etc. seem to vary considerably across Linux distros.
> >
> > > add user script = /usr/sbin/adduser --ingroup domusers --gecos samba '%u'
> > > delete user script = /usr/sbin/deluser '%u'
> > > add group script = /usr/sbin/groupadd '%g'
> > > delete group script = /usr/sbin/groupdel '%g'
> > > add user to group script = /usr/sbin/adduser '%u' '%g'
> >
> > Please note that the adduser script is entirely different from the
> > useradd utility. Neither is consistent across implementations. Both vary
> > from Linux distro to distro.  I was unaware of this until last week and
> > am not sure how to handle this in the HOWTO, other than to make a note
> > regarding the problem.
> >
> > > add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
> > >
> > > now the adduser syntax gives me loads of this over and over again:
> > >
> > > Use of uninitialized value in chop at /usr/sbin/adduser line 537.
> > > Use of uninitialized value in pattern match (m//) at /usr/sbin/adduser
> > > line 538.
> > > Enter new UNIX password: Retype new UNIX password: No password supplied
> > > Enter new UNIX password: Retype new UNIX password: No password supplied
> > > Enter new UNIX password: Retype new UNIX password: No password supplied
> > > passwd: Authentication token manipulation error
> > > passwd: password unchanged
> > >
> > > If only all scripts would give me some hints why they don't work. As I
> > > see not for all scripts log entries but none work I think everything I
> > > tried was wrong.
> >
> > This is something you will need to take up with the Linux distro
> > maintainer.
> >
> > > Could someone pinpoint me in the right direction or to the right part
> > > of the docs? Maybe some insights of how those scripts need to be built?
> >
> > The useradd and adduser tools should NOT set the password. That would be
> > done using the passwd utility.
> >
> > - John T.

John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

The Official Samba-3 HOWTO & Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
Hardening Linux, ISBN: 0072254971
Other books in production.
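
Added example, not part of the original thread and not Samba's own code: a simplified shell model of how the `passwd chat` expect/send pairs are walked against what the passwd program prints, showing why prompts in another locale (or an error from passwd) abort the chat. The function names, the sample chat string, the success line and the German prompts are constructed for illustration; smbd's real matching may differ in detail.

```shell
#!/bin/sh
# Simplified model of the "passwd chat" walk (illustration only, not Samba code).

# Sample chat string: expect/send pairs, "\s" = space, "%n" = new password.
CHAT='*Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .'

# Decode "\s" and lowercase; the comparison is modelled as case-insensitive.
norm() {
    printf '%s' "$1" | sed 's/\\s/ /g' | tr '[:upper:]' '[:lower:]'
}

# chat_check CHAT PROMPT...
# Returns 0 if every expect pattern matches the prompt the passwd program
# printed at that step, otherwise the 1-based number of the failing step.
chat_check() {
    chat=$1; shift
    step=0; is_expect=1
    set -f                                  # tokens contain '*': no filename globbing
    for tok in $chat; do
        if [ "$is_expect" -eq 0 ]; then     # send token: nothing to verify here
            is_expect=1
            continue
        fi
        is_expect=0
        [ "$tok" = "." ] && continue        # "." means "expect nothing"
        step=$((step + 1))
        pat=$(norm "$tok")
        got=$(norm "${1-}")
        [ $# -gt 0 ] && shift
        case "$got" in
            $pat) ;;                        # prompt recognised, chat continues
            *) set +f; return "$step" ;;    # unexpected output: chat aborts
        esac
    done
    set +f
    return 0
}

# Prompts in the form shown in the log quoted in the thread, plus a
# constructed success line (C/English locale).
chat_check "$CHAT" "Enter new UNIX password: " "Retype new UNIX password: " \
    "passwd: password updated successfully" && echo "C locale: chat completes"

# Constructed German-locale prompts: the first expect pattern never matches.
chat_check "$CHAT" "Geben Sie ein neues UNIX-Passwort ein: " \
    "Geben Sie das neue UNIX-Passwort erneut ein: " \
    "passwd: Passwort erfolgreich geaendert" || echo "de locale: chat fails at step $?"
```

On a real server, the smb.conf option `passwd chat debug` together with a high log level shows the actual exchange, but it writes plaintext passwords to the smbd log, so switch it off again once the chat string is confirmed.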
