samba 3 by example addendum / suggestion,
was: Re: [Samba] user / machine / group scripts, some work some don't
John H Terpstra
jht at samba.org
Wed Sep 12 00:17:26 GMT 2007
On Tuesday 11 September 2007 18:25, Michael Schmitt wrote:
> Hi John, hi list (your opinion too please)
OK. Write it! When will it be done? I'm looking forward to it. Will you give
it to me in XML and ready to roll it into the book?
- John T.
> "samba3 by example"=s3bx
> This is how I want to write that chapter, but for sure it could or
> should be integrated in the existing s3bx as best as possible. But I must
> admit, even if s3bx is somewhat clearer and better structured compared
> to tosharg2 it could be better. Maybe just a good index is missing? Maybe
> we should rethink the titles of the chapters to be clearer. So here we
> Install samba, maybe leave some short notes about distribution specific
> things, drop a valid smb.conf in /etc/samba/ (maybe a heavily documented
> one as example including things that are missing in the s3bx chapters,
> including things I mentioned in the last mail, maybe with notes about
> optional and important parameters, including defaults and if defaults
> change if something else is changed). For the beginning add two unix
> groups. One for users, one for admins, some words about groups in
> general including both sides, windows and unix. Map those groups to
> Windows accounts, explain exactly what is going on there, what about the
> rid for domain admins and the unix gid 0? There may be an error in s3bx.
> We do not need to be very verbose here, everything should be documented
> in a very basic fashion but somewhat "complete" with notes to
> continuative docs, ideally with links to those (footnotes, if ever
> printed, for printed docs... no idea). Grant the Domain Admin group all
> rights for managing the domain. Some notes about rights and permissions
> and about granting rights and especially about granting rights that a
> user / a group gets real domain admin rights, including local admin
> rights. Btw. I think
> net rpc rights grant "<domain>\Domain Admins" SeMachineAccountPrivilege
> SePrintOperatorPrivilege SeAddUsersPrivilege SeRemoteShutdownPrivilege
> SeDiskOperatorPrivilege -U root <enter>
> should be possible to be abbreviated to something like
> net rpc rights grant "<domain>\Domain Admins" SeAll -U root <enter>
> or did I miss something in tosharg2?
> So, in best cases the linux part is done, nevertheless explain some
> basic administrative things you can do on the commandline (pdbedit, net
> *, ...), but as "User Manager for Domains" (=UMFD) is somewhat better
> for the casual user, or in other words the Linux guys may be on holiday,
> what should the Windows guys do in the meantime if they need to manage
> accounts? Anyhow, some words about the right srvtools.exe package (I got
> at first the wrong one, nothing at all worked!) and where to get it and
> about using it... hey, it is just klickibunti (sorry, I did not find a
> perfect translation for this german word, maybe you get the point:
> click-o-matic, windows-like, colorful-clickable-userinterface,
> YouCanBeDumbAsVegetablesToUseThisSystem... whatever prejudice fits best
> for you *g*) so not many words needed, but explain in short words what
> is possible and what needs to be done that it will be possible and
> what's not possible at all with UMFD. There are many buttons... whoopie!
> But most of them seem not to work for me... dunno why... should be
> definitely addressed or at least linked to the right place.
> Done ;) I wrote this as I did set up another PDC this evening, so fairly
> fresh from mind, I hope I did not miss anything, I will see if all works
> in a few minutes. I boot the only Windows machine here and try to join
> the samba domain controller. But as this is just schematic... please,
> what do you think about it?
> On Sunday, 09.09.2007, 23:07 -0500, John H Terpstra wrote:
> > On Sunday 09 September 2007 22:34, Michael Schmitt wrote:
> > > Hi John,
> > >
> > > I am glad to report full success and must admit, at the end all is
> > > really easy... if one only knows those tiny "things". It may be that I
> > Good. I am happy to hear that you have conquered Samba at last. Now,
> > while all this is fresh in your mind, why don't you write that chapter
> > you so nicely suggest below. The Samba documentation is user-contributed
> > documentation so you might as well earn your moment of glory in the docs.
> > :-)
> > PS: I can identify with your comments - we've all been there at one time
> > or another.
> > Cheers,
> > John T.
> > > did not understand everything in the docs right or that I've read over
> > > some parts but finally adding and deleting groups and users work via
> > > usermanager for domains and via pdbedit, just some very tiny rather
> > > cosmetic issues are left.
> > >
> > > The problem, the solution:
> > > Very interesting, the _real_ problem was with the passwd chat. This is
> > > something I may have read over and I must admit I did not read the
> > > manpage for smb.conf very thoroughly but as this is a VERY massive and
> > > boring to read document... I like to think of it rather as a bit of a
> > > reference than documentation.
> > > One thing I always misunderstood was, the passwd chat is NOT a thing
> > > displayed on the windows' screen somewhere / sometime if a user changes
> > > his password... it is just a guidance for samba what to expect to see
> > > if the passwd program is executed so it can interact properly. Somehow
> > > embarrassing, awkward or just dumb... but that's how it was ;) So this
> > > passwd chat, passwd sync and passwd program was a real myth to me and
> > > over the years many false assumptions were accumulated. Not a big deal
> > > as I did use samba only as a standalone server so far.
> > > Another thing was, you see an error message, you make assumptions, you
> > > google, you get lots of hints, several different and even more
> > > assumptions from other users with similar problems, but absolutely NO
> > > hint about the real problem. After hours (I must admit I spent a way
> > > too much time googling!) a few minutes of debugging did the trick...
> > > and at the end, not very hard at all!
> > > For example you get an error message "Access denied" (may be
> > > "permission denied", translated from german) on the windows screen, we
> > > all know those errors from Linux or *UNIX in general. Maybe most errors
> > > in unixland are permission related... but in this case it was not an
> > > issue of missing or wrong permissions at all.
> > > I did raise the log level, noticed it added the account, could not
> > > change / set the password and deleted the account afterwards again... a
> > > few moments of thinking including help and thoughts from users on
> > > IRC... and there it was, the myth is gone! Copy and paste is not a
> > > very good idea after all when it comes to implement samba _right_ ;)
> > > This should be mentioned in the docs a hundred times if you ask me!
> > > Another thing was, I could not delete a user from a specific group...
> > > after _short_ googling with no luck, thinking, trying out something...
> > > and see, found a bug! deluser on debian stable does not like to delete
> > > root from _any_ group it just complains he is not in that group, but he
> > > is! $EDITOR /etc/group did the trick here. This is just a side-effect
> > > from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=428144 I think.
> > > As deluser is a perl script and I am not very good at reading perl, I
> > > did not investigate this issue any further, I know it works on sid
> > > (debian unstable) so it is fixed already. So... don't add root to any
> > > groups you want to remove him afterwards from, on debian etch... ;)
> > >
> > > So in short, I think one small chapter about those scripts including
> > > notes about the distro specific stuff, a bunch of notes about copy and
> > > paste, a joke every once in a while, a remark about locales (passwd
> > > does not look the same in all languages > passwd chat), encourage users
> > > to debug samba themselves, a rant about google and how useless and
> > > confusing it can be, some notes about "user manager for domains" and
> > > how this piece of software works and as a running gag (my personal
> > > favorite): Clear up myths! I have no idea why, but several users
> > > reported usrmgr.exe should be installed on a share on the samba PDC to
> > > get it running... it worked for them. Really, no idea what problem they
> > > had, but I can't think of any reason why this could be true! (I think a
> > > little bit of debugging would have been of help here ;) And if all that
> > > is done, even dumb users like me can set up a samba PDC in less than 2
> > > minutes (maybe even faster!) and spend the rest of the day in the
> > > woods, at a lake or <insert your favorite place here>.
> > >
> > > regards
> > > Michael
> > >
> > > P.S.: 2 minutes, excluding reading of course ;)
> > > P.P.S.: Dance Samba with me, dance Samba all night long...
> > >
> > > On Saturday, 08.09.2007, 23:54 -0500, John H Terpstra wrote:
> > > > On Saturday 08 September 2007 23:30, Michael Schmitt wrote:
> > > > > Hi List,
> > > > >
> > > > > I have some issues with user manager for domains (srvtools.exe from
> > > > > MS) and the scripts mentioned in the subject. The examples from the
> > > > > samba howto collection seem to cause serious issues here. I am on
> > > > > debian etch and tried to create my own scripts but till now to no
> > > > > avail. With the examples from the docs I could add groups, but
> > > > > could not add users to groups. There was the option -A used but
> > > > > here it seems to be -a referring to the manpage (log was helping
> > > > > here)... anyhow changed to -a and it worked. But adding users does
> > > > > not work at all. Different syntax, different problems, but nothing
> > > > > does work. With the example of the howto collection the user
> > > > > manager gave me "access denied" or similar (translated from german)
> > > > > as I tried to add a user. I tried to use adduser instead of useradd
> > > > > and came to these syntaxes:
> > > >
> > > > Please check the man page for your distro. The options to useradd,
> > > > usermod, groupmod, etc. seem to vary considerably across Linux
> > > > distros.
> > > >
> > > > > add user script = /usr/sbin/adduser --ingroup domusers --gecos
> > > > > samba '%u'
> > > > > delete user script = /usr/sbin/deluser '%u'
> > > > > add group script = /usr/sbin/groupadd '%g'
> > > > > delete group script = /usr/sbin/groupdel '%g'
> > > > > add user to group script = /usr/sbin/adduser '%u' '%g'
> > > >
> > > > Please note that the adduser script is entirely different from the
> > > > useradd utility. Neither is consistent across implementations. Both
> > > > vary from Linux distro to distro. I was unaware of this until last
> > > > week and am not sure how to handle this in the HOWTO, other than to
> > > > make a note regarding the problem.
> > > >
> > > > > add machine script = /usr/sbin/useradd -s /bin/false -d
> > > > > /var/lib/nobody '%u'
> > > > >
> > > > > now the adduser syntax gives me loads of this over and over again:
> > > > >
> > > > > Use of uninitialized value in chop at /usr/sbin/adduser line 537.
> > > > > Use of uninitialized value in pattern match (m//) at
> > > > > /usr/sbin/adduser line 538.
> > > > > Enter new UNIX password: Retype new UNIX password: No password
> > > > > supplied Enter new UNIX password: Retype new UNIX password: No
> > > > > password supplied Enter new UNIX password: Retype new UNIX
> > > > > password: No password supplied passwd: Authentication token
> > > > > manipulation error
> > > > > passwd: password unchanged
> > > > >
> > > > > If only all scripts would give me some hints why they don't work.
> > > > > As I see not for all scripts log entries but none work I think
> > > > > everything I tried was wrong.
> > > >
> > > > This is something you will need to take up with the Linux distro
> > > > maintainer.
> > > >
> > > > > Could someone pinpoint me in the right direction or to the right
> > > > > part of the docs? Maybe some insights of how those scripts need to
> > > > > be built?
> > > >
> > > > The useradd and adduser tools should NOT set the password. That
> > > > should be done using the passwd utility.
> > > >
> > > > - John T.
John H Terpstra
Phone: +1 (650) 580-8668
The Official Samba-3 HOWTO & Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
Hardening Linux, ISBN: 0072254971
Other books in production.
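An added example (mine, not from the thread or the Samba project): a wrapper for Samba's `add user script` on Debian that addresses the two failure modes discussed in the thread, adduser prompting for a password when Samba runs it without a terminal, and useradd/adduser option syntax differing between distros, and that rejects account names that are not safe to hand to adduser. The install path /usr/local/sbin/samba-adduser is an assumption; the group name domusers comes from the quoted smb.conf.

```shell
#!/bin/sh
# Hypothetical wrapper for Samba's "add user script" on Debian (not from the thread).
# Assumed install path and smb.conf line:
#   add user script = /usr/local/sbin/samba-adduser '%u'
# Samba invokes it without a terminal and passes the new account name as $1.
set -u

GROUP=domusers              # Unix group for domain users (name taken from the thread)
ADDUSER=/usr/sbin/adduser   # Debian's adduser script, not shadow-utils useradd

# Accept only names that are safe to hand to adduser: must start with a letter
# or underscore, contain only [a-z0-9._-], and be at most 32 characters.
# This rejects option injection ("--help") and shell metacharacters.
valid_name() {
    case "$1" in
        [a-z_]*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[!a-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Create the Unix account without touching its password. --disabled-password
# stops adduser from calling passwd interactively, which is what produced
# "No password supplied ... Authentication token manipulation error" in the
# thread; the Samba password lives in Samba's passdb and is set by Samba.
# With SAMBA_ADDUSER_DRYRUN set, the command is printed instead of executed.
run_adduser() {
    ${SAMBA_ADDUSER_DRYRUN:+echo} "$ADDUSER" --disabled-password \
        --gecos samba --ingroup "$GROUP" "$1"
}

main() {
    [ $# -eq 1 ] || { echo "usage: $0 <username>" >&2; return 2; }
    if ! valid_name "$1"; then
        logger -t samba-adduser "rejected account name: $1"
        return 1
    fi
    run_adduser "$1"
}

# Only run main when executed as the installed script, not when sourced.
case "$0" in
    */samba-adduser) main "$@" ;;
esac
```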