[Samba] [Not really Samba] Semantic was Permission Denied

Rowland penny rpenny at samba.org
Tue Dec 8 20:14:12 UTC 2015


On 08/12/15 19:29, mathias dufresne wrote:
> 2015-12-08 17:54 GMT+01:00 Rowland penny <rpenny at samba.org>:
>
>> On 08/12/15 16:33, mathias dufresne wrote:
>>
>>> 2015-12-08 17:15 GMT+01:00 Rowland penny <rpenny at samba.org>:
>>>
>>>> On 08/12/15 16:02, mathias dufresne wrote:
>>>>
>>>>> On any Linux system where you want to be able to use AD users as system
>>>>> users you need to configure PAM. This is because it is PAM which discusses
>>>>> with the tool you have chosen to retrieve user information from AD and
>>>>> then builds system users with this information.
>>>>>
>>>> It may be better if you stop calling local Unix users 'system users',
>>>> system users are something else, i.e. 'root' is a system user, as is
>>>> 'www-data'
>>>>
>>> System users are users available from system side.
>>> Local users are users declared in /etc/passwd.
>>>
>>> What is the point of your remark?
>>>
>> The point is that 'Unix system users' != 'Unix local users'
>>
>> On a Unix system, low ID numbers are used for system users i.e. root,
>> www-data, ntp etc, these numbers are all under 1000 (used to be 500 on
>> redhat systems), but they all appear in /etc/passwd.
>> A Unix local user is a user that has an ID number of 1000 and upwards that
>> appears in /etc/passwd. You can have a user called fred on two different
>> Unix machines, but they would not be the same user. This is where AD comes
>> in, by creating the user 'fred' in AD and giving the user a uidNumber, this
>> user could log into any domain joined computer and would be the same user.
>>
> You wrote:
> "A Unix local user is a user that has an ID number of 1000 and upwards that
> appears in /etc/passwd."
> What do you call a user declared in /etc/passwd with a UID greater than 1000?
>
> I understand your point of view but you seem to me to be the one needing to
> find a new word, not me.

Have you tried reading 'man adduser' ?

    Add a system user
        If called with one non-option argument and the --system option, adduser
        will add a system user.

        adduser will choose the first available UID from the range specified
        for system users in the configuration file (FIRST_SYSTEM_UID and
        LAST_SYSTEM_UID).

The configuration file is '/etc/adduser.conf' and from that:

FIRST_SYSTEM_UID=100
LAST_SYSTEM_UID=999


>
> Let's forget this "local user" - which does not release you from answering my
> previous question - and speak about "system users". For me a system user is a
> user available on the system side, for commands such as getent, id... A user
> which can interact with the system as a user.

Well it might mean that to you, but to me and a lot of others, it 
doesn't. A 'system user' is a user that controls something like apache, 
whilst a normal user is one that just logs into the computer and uses it 
as a workstation. Now this 'normal user' tag is meaningless in AD terms, 
hence 'local Unix user' or a local user on a Unix machine. Note that I 
didn't create this name, it is widely used, but not apparently by you.

>
> Still for me, "local users" are anything declared locally regardless of
> their UID.
> This is because:
> - they are declared locally
> - we mainly speak about Samba, as Samba is bound to act as AD, as AD is
> designed to have an external user database which could be used on the system
> side, we really need a way to describe the difference between all local
> users and users coming from AD. Here I'm still speaking about users which
> can interact with the system ("system users" is shorter indeed).
> This distinction is necessary for us to understand each other and it is even
> more necessary for newcomers to the Samba or AD world.
>
> What about a user reading your mails where you said "A Unix local user is a
> user that has an ID number of 1000 and upwards that appears in /etc/passwd"
> and trusting you?

Yes, because it is true.

> Should he remove all users in /etc/passwd with uid > 1000
> because that's not how things are nice or should he find a way to keep these
> users and find a workaround?

If you follow the wiki, any users with uid of less than 2000 will be 
ignored by samba. You normally need some 'local Unix users' and if you 
use 'adduser' to create them, their uids will start at 1000. This is not 
a problem, as long as the username doesn't exist in AD and smb.conf is 
set up correctly.

>
> In AD and any remote user DB there are two kinds of users: local users and
> remote users. Reunite both kinds and you get system users. All users
> which can use the system as a system (shell if they are allowed, getent for
> lazy test).

No, there are AD users, AD users that are also Unix users and local Unix 
users that are unknown to AD.

> I really don't understand why you can't stop yourself complaining like
> that. I was merely trying to describe a not-so-simple concept. All I got
> was "It may be better if you stop "... Did you really write that to help
> the original poster? Or just to complain?

No, I didn't write that to complain, I was trying to help you understand 
that to Unix, 'system user' means something other than what you think it 
does.

> Words are nothing more than words. They have meaning with context, only.
> Especially in IT world where all moves so fast, language included.

I agree with the first part, not necessarily with the second, a Unix 'system 
user' has meant the same for as long as I have been dealing with Unix, 
which has been a very long time :-)

> I would end that with:
> Rowland, please, try to make an effort to understand others, try to understand
> we are not all native English speakers, try to be less rough, accept the idea
> we (most of us) have to translate. And finally try to understand the way you
> speak IT in your daily work is not necessarily the same way we speak IT
> there, or here. We all have to adapt to understand each other. You too.

I understand where you are coming from, but English is my mother tongue 
and I call a spade a spade, not an earth moving device. You also want me 
to accept your terminology over the terminology I have been using for 
years, sorry but this isn't going to happen.

Rowland

>
> Thank you, with best regards,
>
> mathias
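
Added example (not part of the original message): Python that labels locally declared accounts using the FIRST_SYSTEM_UID/LAST_SYSTEM_UID values quoted from /etc/adduser.conf, and lists local accounts whose name also exists in AD or whose UID is not below 2000. The passwd lines, the AD name list and the treatment of 2000 as the start of the AD-mapped range are constructed assumptions for illustration.

```python
import re

# Constructed sample inputs; not taken from a real host.
ADDUSER_CONF = """\
FIRST_SYSTEM_UID=100
LAST_SYSTEM_UID=999
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ntp:x:105:110::/home/ntp:/bin/false
fred:x:1000:1000:Fred:/home/fred:/bin/bash
scanner:x:2005:2005::/home/scanner:/bin/bash
+::::::
"""
AD_USERS = {"fred", "alice"}   # constructed: names that exist in AD
AD_ID_START = 2000             # assumption: IDs below this are ignored by Samba

def parse_conf(text):
    """Return integer KEY=value settings; comment lines do not match."""
    return {k: int(v) for k, v in
            re.findall(r'^[ \t]*([A-Z_]+)[ \t]*=[ \t]*"?(\d+)"?[ \t]*$', text, re.M)}

def classify(passwd_text, conf, ad_start=AD_ID_START):
    """Label every account declared in passwd-format text by its UID."""
    last_sys = conf.get("LAST_SYSTEM_UID", 999)
    labels = {}
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) != 7 or not f[2].isdigit():
            continue  # malformed line or NIS compat entry such as "+::::::"
        uid = int(f[2])
        if uid <= last_sys:
            labels[f[0]] = "system user"
        elif uid < ad_start:
            labels[f[0]] = "local Unix user"
        else:
            labels[f[0]] = "local Unix user, UID inside AD range"
    return labels

def findings(labels, ad_users=AD_USERS):
    """Local accounts to review: name also in AD, or UID in the AD range."""
    return sorted(n for n, lab in labels.items()
                  if n in ad_users or lab.endswith("AD range"))

if __name__ == "__main__":
    labels = classify(PASSWD, parse_conf(ADDUSER_CONF))
    print(labels, "review:", findings(labels))
```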



