samba 3 by example addendum / suggestion, was: Re: [Samba] user / machine / group scripts, some work some don't

Michael Schmitt mschmitt at unixkiste.org
Tue Sep 11 23:25:19 GMT 2007


Hi John, hi list (your opinion too please)

"samba3 by example"=s3bx

This is how I want to write that chapter, but for sure it could or
should be integrated in the existing s3bx as well as possible. But I must
admit, even if s3bx is somewhat clearer and better structured compared
to tosharg2 it could be better. Maybe just a good index is missing? Maybe
we should rethink the titles of the chapters to be clearer. So here we
go:

Install samba, maybe leave some short notes about distribution specific
things, drop a valid smb.conf in /etc/samba/ (maybe a heavily documented
one as example including things that are missing in the s3bx chapters,
including things I mentioned in the last mail, maybe with notes about
optional and important parameters, including defaults and if defaults
change if something else is changed). For the beginning add two unix
groups. One for users, one for admins, some words about groups in
general including both sides, windows and unix. Map those groups to
Windows accounts, explain exactly what is going on there, what about the
rid for domain admins and the unix gid 0? There may be an error in s3bx.
We do not need to be very verbose here, everything should be documented
in a very basic fashion but somewhat "complete" with notes to
continuative docs, ideally with links to those (footnotes, if ever
printed, for printed docs... no idea). Grant the Domain Admin group all
rights for managing the domain. Some notes about rights and permissions
and about granting rights and especially about granting rights that a
user / a group gets real domain admin rights, including local admin
rights. Btw. I think

net rpc rights grant "<domain>\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeRemoteShutdownPrivilege SeDiskOperatorPrivilege -U root <enter>

should be possible to be abbreviated to something like

net rpc rights grant "<domain>\Domain Admins" SeAll -U root <enter>

or did I miss something in tosharg2?

So, in best cases the linux part is done, nevertheless explain some
basic administrative things you can do on the commandline (pdbedit, net
*, ...), but as "User Manager for Domains" (=UMFD) is somewhat better
for the casual user, or in other words the Linux guys may be on holiday,
what should the Windows guys do in the meantime if they need to manage
accounts? Anyhow, some words about the right srvtools.exe package (I got
at first the wrong one, nothing at all worked!) and where to get it and
about using it... hey, it is just klickibunti (sorry, I did not find a
perfect translation for this german word, maybe you get the point:
click-o-matic, windows-like, colorful-clickable-userinterface,
YouCanBeDumbAsVegetablesToUseThisSystem... whatever prejudice fits best
for you *g*) so not many words needed, but explain in short words what
is possible and what needs to be done that it will be possible and
what's not possible at all with UMFD. There are many buttons... whoopie!
But most of them seem not to work for me... dunno why... should be
definitely addressed or at least linked to the right place.

Done ;) I wrote this as I set up another PDC this evening, so it is fairly
fresh in mind, I hope I did not miss anything, I will see if all works
in a few minutes. I'll boot the only Windows machine here and try to join
the samba domain controller. But as this is just schematic... please,
what do you think about it?

regards
Michael

On Sunday, 09.09.2007, 23:07 -0500, John H Terpstra wrote:
> On Sunday 09 September 2007 22:34, Michael Schmitt wrote:
> > Hi John,
> >
> > I am glad to report full success and must admit, at the end all is
> > really easy... if one only knows those tiny "things". It may be that I
> 
> Good. I am happy to hear that you have conquered Samba at last.  Now, while 
> all this is fresh in your mind, why don't you write that chapter you so 
> nicely suggest below. The Samba documentation is user-contributed 
> documentation so you might as well earn your moment of glory in the docs. :-)
> 
> PS: I can identify with your comments - we've all been there at one time or 
> another.
> 
> Cheers,
> John T.
> 
> > did not understand everything in the docs right or that I've read over
> > some parts but finally adding and deleting groups and users work via
> > usermanager for domains and via pdbedit, just some very tiny rather
> > cosmetic issues are left.
> >
> > The problem, the solution:
> > Very interesting, the _real_ problem was with the passwd chat. This is
> > something I may have read over and I must admit I did not read the
> > manpage for smb.conf very thoroughly but as this is a VERY massive and
> > boring to read document... I like to think of it rather as a bit of a
> > reference than documentation.
> > One thing I always misunderstood was, the passwd chat is NOT a thing
> > displayed on the windows' screen somewhere / sometime if a user changes
> > his password... it is just a guidance for samba what to expect to see if
> > the passwd program is executed so it can interact properly. Somehow
> > embarrassing, awkward or just dumb... but that's how it was ;) So this
> > passwd chat, passwd sync and passwd program was a real myth to me and
> > over the years many false assumptions were accumulated. Not a big deal
> > as I did use samba only as a standalone server so far.
> > Another thing was, you see an error message, you make assumptions, you
> > google, you get lots of hints, several different and even more
> > assumptions from other users with similar problems, but absolutely NO
> > hint about the real problem. After hours (I must admit I spent a way too
> > much time googling!) a few minutes of debugging did the trick... and at
> > the end, not very hard at all!
> > For example you get an error message "Access denied" (may be "permission
> > denied", translated from german) on the windows screen, we all know
> > those errors from Linux or *UNIX in general. Maybe most errors in
> > unixland are permission related... but in this case it was not an issue
> > of missing or wrong permissions at all.
> > I did raise the log level, noticed it added the account, could not
> > change / set the password and deleted the account afterwards again... a
> > few moments of thinking including help and thoughts from users on IRC...
> > and there it was, the myth is gone! Copy and paste is not a very good
> > idea after all when it comes to implement samba _right_ ;) This should
> > be mentioned in the docs a hundred times if you ask me!
> > Another thing was, I could not delete a user from a specific group...
> > after _short_ googling with no luck, thinking, trying out something...
> > and see, found a bug! deluser on debian stable does not like to delete
> > root from _any_ group it just complains he is not in that group, but he
> > is! $EDITOR /etc/group did the trick here. This is just a side-effect
> > from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=428144 I think. As
> > deluser is a perl script and I am not very good at reading perl, I did
> > not investigate this issue any further, I know it works on sid (debian
> > unstable) so it is fixed already. So... don't add root to any groups you
> > want to remove him afterwards from, on debian etch... ;)
> >
> > So in short, I think one small chapter about those scripts including
> > notes about the distro specific stuff, a bunch of notes about copy and
> > paste, a joke every once in a while, a remark about locales (passwd does
> > not look the same in all languages > passwd chat), encourage users to
> > debug samba themselves, a rant about google and how useless and
> > confusing it can be, some notes about "user manager for domains" and how
> > this piece of software works and as a running gag (my personal
> > favorite): Clear up myths! I have no idea why, but several users
> > reported usrmgr.exe should be installed on a share on the samba PDC to
> > get it running... it worked for them. Really, no idea what problem they
> > had, but I can't think of any reason why this could be true! (I think a
> > little bit of debugging would have been of help here ;) And if all that
> > is done, even dumb users like me can set up a samba PDC in less than 2
> > minutes (maybe even faster!) and spend the rest of the day in the woods,
> > at a lake or <insert your favorite place here>.
> >
> > regards
> > Michael
> >
> > P.S.: 2 Minutes, excluding reading of course ;)
> > P.P.S.: Dance samba with me, dance samba all night long...
> >
> > On Saturday, 08.09.2007, 23:54 -0500, John H Terpstra wrote:
> > > On Saturday 08 September 2007 23:30, Michael Schmitt wrote:
> > > > Hi List,
> > > >
> > > > I have some issues with user manager for domains (srvtools.exe from MS)
> > > > and the scripts mentioned in the subject. The examples from the samba
> > > > howto collection seem to cause serious issues here. I am on debian etch
> > > > and tried to create my own scripts but so far to no avail. With the
> > > > examples from the docs I could add groups, but could not add users to
> > > > groups. There was the option -A used but here it seems to be -a
> > > > referring to the manpage (log was helping here)... anyhow changed to -a
> > > > and it worked. But adding users does not work at all. Different syntax,
> > > > different problems, but nothing does work. With the example of the
> > > > howto collection the user manager gave me "access denied" or similar
> > > > (translated from german) as I tried to add a user. I tried to use
> > > > adduser instead of useradd and came to these syntaxes:
> > >
> > > Please check the man page for your distro.  The options to useradd,
> > > usermod, groupmod, etc. seem to vary considerably across Linux distros.
> > >
> > > > add user script = /usr/sbin/adduser --ingroup domusers --gecos samba '%u'
> > > > delete user script = /usr/sbin/deluser '%u'
> > > > add group script = /usr/sbin/groupadd '%g'
> > > > delete group script = /usr/sbin/groupdel '%g'
> > > > add user to group script = /usr/sbin/adduser '%u' '%g'
> > >
> > > Please note that the adduser script is entirely different from the
> > > useradd utility. Neither is consistent across implementations. Both vary
> > > from Linux distro to distro.  I was unaware of this until last week and
> > > am not sure how to handle this in the HOWTO, other than to make a note
> > > regarding the problem.
> > >
> > > > add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
> > > >
> > > > now the adduser syntax gives me loads of this over and over again:
> > > >
> > > > Use of uninitialized value in chop at /usr/sbin/adduser line 537.
> > > > Use of uninitialized value in pattern match (m//) at /usr/sbin/adduser line 538.
> > > > Enter new UNIX password: Retype new UNIX password: No password supplied
> > > > Enter new UNIX password: Retype new UNIX password: No password supplied
> > > > Enter new UNIX password: Retype new UNIX password: No password supplied
> > > > passwd: Authentication token manipulation error
> > > > passwd: password unchanged
> > > >
> > > > If only all scripts would give me some hints why they don't work. As I
> > > > see not for all scripts log entries but none work I think everything I
> > > > tried was wrong.
> > >
> > > This is something you will need to take up with the Linux distro
> > > maintainer.
> > >
> > > > Could someone pinpoint me in the right direction or to the right part
> > > > of the docs? Maybe some insights of how those scripts need to be built?
> > >
> > > The useradd and adduser tools should NOT set the password. That would be
> > > done using the passwd utility.
> > >
> > > - John T.
> 
> -- 
> John H Terpstra
> Samba-Team Member
> Phone: +1 (650) 580-8668
> 
> Author:
> The Official Samba-3 HOWTO & Reference Guide, 2 Ed., ISBN: 0131882228
> Samba-3 by Example, 2 Ed., ISBN: 0131882221X
> Hardening Linux, ISBN: 0072254971
> Other books in production.
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
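The thread ends without showing what working "add user script", "add machine script" and "delete user script" entries look like once the distro-specific tool differences and John's "the tool must not set the password" point are taken into account. The wrapper below is an added example, not code from the thread, from the Samba docs or from the Samba project. It validates the name Samba hands over through %u before passing it to any system tool, uses Debian's adduser with --disabled-password so adduser never calls passwd (the "Enter new UNIX password ... No password supplied" loop quoted above), uses shadow's useradd for machine accounts because it accepts the trailing '$', and refuses to delete any account below uid 1000 so a request from the domain side can never remove root or another system account. The install path /usr/local/sbin/samba-account, the group "domusers", the uid threshold and the DRY_RUN switch are assumptions made for this example; the adduser/deluser flags are Debian's.

```shell
#!/bin/sh
# Added example wrapper for Samba's "add user script" / "add machine script" /
# "delete user script" (not from the thread or the Samba docs). Assumes
# Debian's adduser(8)/deluser(8) and shadow's useradd(8); the install path,
# the group "domusers" and the DRY_RUN switch are assumptions. In smb.conf:
#   add user script      = /usr/local/sbin/samba-account user '%u'
#   add machine script   = /usr/local/sbin/samba-account machine '%u'
#   delete user script   = /usr/local/sbin/samba-account delete '%u'
# With DRY_RUN=1 the commands are printed instead of executed.

set -eu
LC_ALL=C
export LC_ALL
DRY_RUN=${DRY_RUN-}

# Names reaching a script via %u come from the Windows side. Accept only
# letters, digits, '.', '_' and '-', at most 32 chars, and nothing starting
# with '-' (adduser/useradd would read that as an option).
valid_user_name() {
    case "$1" in
        ''|-*|*[!a-zA-Z0-9._-]*) return 1 ;;
    esac
    [ ${#1} -le 32 ]
}

# Machine accounts carry a trailing '$' (e.g. "pc01$"); the rest must be a
# valid user name.
valid_machine_name() {
    case "$1" in
        *\$) valid_user_name "${1%\$}" ;;
        *)   return 1 ;;
    esac
}

# Print the command line under DRY_RUN, otherwise execute it.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

add_user() {
    valid_user_name "$1" || { echo "refusing user name: $1" >&2; return 2; }
    # --disabled-password stops adduser from running passwd interactively
    # (the "Enter new UNIX password ... No password supplied" loop seen in
    # the thread). The Unix password is left to Samba: its "passwd program"
    # plus "passwd chat" when "unix password sync" is on, or nothing at all
    # when only the Samba passdb is used.
    run /usr/sbin/adduser --quiet --disabled-password --gecos samba \
        --ingroup domusers "$1"
}

add_machine() {
    valid_machine_name "$1" || { echo "refusing machine name: $1" >&2; return 2; }
    # shadow's useradd accepts the trailing '$'; whether Debian's adduser does
    # depends on its NAME_REGEX setting, so useradd is used here. System
    # account: no shell, no home directory created, no password.
    run /usr/sbin/useradd -r -s /bin/false -d /var/lib/nobody "$1"
}

del_user() {
    valid_user_name "$1" || { echo "refusing user name: $1" >&2; return 2; }
    uid=$(id -u "$1" 2>/dev/null) || { echo "no such user: $1" >&2; return 1; }
    # A request from the domain must never be able to remove a system
    # account, root included. 1000 is Debian's first regular uid (assumed).
    if [ "$uid" -lt 1000 ]; then
        echo "refusing to delete system account $1 (uid $uid)" >&2
        return 3
    fi
    run /usr/sbin/deluser --quiet "$1"
}

# Dispatch only when called with arguments, so the file can also be sourced.
if [ $# -ge 2 ]; then
    case "$1" in
        user)    add_user "$2" ;;
        machine) add_machine "$2" ;;
        delete)  del_user "$2" ;;
        *) echo "usage: $0 user|machine|delete NAME" >&2; exit 64 ;;
    esac
fi
```

Samba runs these scripts as root, so the name check is the only thing standing between a domain-side request and a root shell command line; it is deliberately stricter than what the system tools themselves would accept. Try `DRY_RUN=1 sh samba-account user 'alice'` and `DRY_RUN=1 sh samba-account user 'alice;id'` to see the difference before pointing smb.conf at it.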


