samba - Feb 2005 - We need help with a bug....smbldap-installer script (long)

Hi all!

First of all....if you haven't heard of the smbldap-installer
script....allow me to introduce it to you.  Here's the latest announcement
that Matt Oquist posted to the K12OS list (Matt and I are working on this
together....he's the scripter and I'm the tester/documenter)  First the
announcement and then read on below to see what we need help with....and
some questions I have.....

######################
Version 1.2-beta of the smbldap-installer script is available at
http://majen.net/smbldap-installer-1.2-beta.tgz

This version has been updated to include "shell" and "home"
fields in
the input to smbldap-useradd bulk.  This means that you can use
userinfo.start and 'make' to create users just as you could
previously, but if you wish you can also manipulate the input for
smbldap-useradd-bulk yourself.

For example, you could use create-usernames to create your usernames,
and then use a spreadsheet (or whatever else) to add customized home
directories and/or shells.  Then you could give that input to
smbldap-useradd-bulk to create your users on the system.

Both create-usernames and smbldap-useradd-bulk have inline
documentation:
$ create-usernames --help
$ smbldap-useradd-bulk --help

And, as always, you can look in the Makefile to see how it's using the
two scripts.

This is a beta version because:
1. the roving profiles problem we've been discussing is not solved
2. the included Samba-LDAP_smbldap-installer document is not updated
   to reflect the changes to smbldap-useradd-bulk
3. it has not undergone full testing

Please let me know if these changes are the "right changes", and of
course let me know about all the bugs you find.  :)

--matt
#####################

Ok....now for the issues we know about.  First, the script right now is
written to only work with Fedora Core 3 or K12LTSP 4.2 (we had to start
somewhere...if you'd like to alter or repackage for another
distro....PLEASE do and share with us).  Now....everything works in my
test environment and in others...we can add users....Linux users can
authenticate....Windows users can authenticate.....we can join Windows
machines to the domain...BUT we're haveing a problem with roaming
profiles.  The login goes fine so we know the authentication takes
place....but then Windows gives an error that it doesn't have permission
to access the profiles directory and as a result is using a TEMP directory
which will (and indeed does) disappear once the user logs off.  We could
use some help finding out why this is happening.  (We'd like to have it
fixed in time for Linux World in Boston next week)  We are using the
latest version of smbldap-tools in this script (0.86 I believe)

Now for some questions....

There appear to be some issues with the Administrator user this time
around (I have a perfectly working Samba/LDAP server in production at my
school running version 0.84 of smbldap-tools and version 3.0.7-2 of Samba)
and I noticed that John T. had mentioned that smbldap-populate should be
run differently (See below)
#################
Get rid of the "Administrator" account. Use the "root"
account instead.
You 
have ambiguous names that can NOT unambiguously resolve to one identity.

ie: Is uid=0 root or is it Administrator?
    Does uid=0 map to the Administrator SID or to some other SID?

Also, use:
	net rpc join -S 'PDC_Name' -Uroot%secret

PS: It is best to populate your LDAP directory using:
	"smbldap-populate -a root",  not just the default which creates an
	"Administrator" account.

- John T.
################
If I do it this way do I join machines to the domain using "root" as
opposed to administrator?  And when I run smbpasswd -w secretpassword  
will that set it for "root"?

Secondly....I noticed this....

when I run     getent passwd     on my current functioning Samba/LDAP
server (production box...pre smbldap-installer) I get ...

Administrator:x:0:512:Netbios Domain Administrator:/home/:/bin/false

Where as on a machine I just set up with smbldap-installer....I get...

Administrator:x:0:512:Netbios Domain
Administrator:/home/Administrator:/bin/false

Note the difference in "home".  Are you guys seeing this?  I'm
having
issue running programs like gedit as it wants to write to
/home/Administrator, but it isn't there.   I wonder if this is
contributing?

Anyway...I could really use some help trying to debug this
situation....not only for me, but for all of us.  Plus I'm supposed to be
teaching a class about it in 2 weeks....(hence the panicking)....I tested
everything except roaming profiles and never would have even thought to
check if it hadn't been for Jim K.  I have a functioning Samba/LDAP server
already thus I hadn't needed to try it, but I do need to fix this as I run
Windows roaming profiles and will need it to work when I upgrade this
summer.  Arrrgghhh!   Any help gratefully appreciated....If you go to
Linux World I'll buy you a beer.  :-)  


David N. Trask
Technology Teacher/Coordinator
Vassalboro Community School
dtrask@vcs.u52.k12.me.us
(207)923-3100

Can you send a copy of your smb.conf file?

Have you checked the permissions on the "profiles" directory
you've created?
If I'm not mistaken the directory permissions should be 1777.

What is "net groupmap list" reporting?

Thanks


-----Original Message-----
From: samba-bounces+ssimeonidis=computerpower.edu.au@lists.samba.org
[mailto:samba-bounces+ssimeonidis=computerpower.edu.au@lists.samba.org] On
Behalf Of David Trask
Sent: Monday, 7 February 2005 12:43 PM
To: samba@lists.samba.org
Subject: [Samba] We need help with a bug....smbldap-installer script (long)


Hi all!

First of all....if you haven't heard of the smbldap-installer
script....allow me to introduce it to you.  Here's the latest announcement
that Matt Oquist posted to the K12OS list (Matt and I are working on this
together....he's the scripter and I'm the tester/documenter)  First the
announcement and then read on below to see what we need help with....and some
questions I have.....

######################
Version 1.2-beta of the smbldap-installer script is available at
http://majen.net/smbldap-installer-1.2-beta.tgz

This version has been updated to include "shell" and "home"
fields in the input to smbldap-useradd bulk.  This means that you can use
userinfo.start and 'make' to create users just as you could previously,
but if you wish you can also manipulate the input for smbldap-useradd-bulk
yourself.

For example, you could use create-usernames to create your usernames, and then
use a spreadsheet (or whatever else) to add customized home directories and/or
shells.  Then you could give that input to smbldap-useradd-bulk to create your
users on the system.

Both create-usernames and smbldap-useradd-bulk have inline
documentation:
$ create-usernames --help
$ smbldap-useradd-bulk --help

And, as always, you can look in the Makefile to see how it's using the two
scripts.

This is a beta version because:
1. the roving profiles problem we've been discussing is not solved 2. the
included Samba-LDAP_smbldap-installer document is not updated
   to reflect the changes to smbldap-useradd-bulk
3. it has not undergone full testing

Please let me know if these changes are the "right changes", and of
course let me know about all the bugs you find.  :)

--matt
#####################

Ok....now for the issues we know about.  First, the script right now is written
to only work with Fedora Core 3 or K12LTSP 4.2 (we had to start somewhere...if
you'd like to alter or repackage for another distro....PLEASE do and share
with us).  Now....everything works in my test environment and in others...we can
add users....Linux users can authenticate....Windows users can
authenticate.....we can join Windows machines to the domain...BUT we're
haveing a problem with roaming profiles.  The login goes fine so we know the
authentication takes place....but then Windows gives an error that it
doesn't have permission to access the profiles directory and as a result is
using a TEMP directory which will (and indeed does) disappear once the user logs
off.  We could use some help finding out why this is happening.  (We'd like
to have it fixed in time for Linux World in Boston next week)  We are using the
latest version of smbldap-tools in this script (0.86 I believe)

Now for some questions....

There appear to be some issues with the Administrator user this time around (I
have a perfectly working Samba/LDAP server in production at my school running
version 0.84 of smbldap-tools and version 3.0.7-2 of Samba) and I noticed that
John T. had mentioned that smbldap-populate should be run differently (See
below) ################# Get rid of the "Administrator" account. Use
the "root" account instead. You
have ambiguous names that can NOT unambiguously resolve to one identity.

ie: Is uid=0 root or is it Administrator?
    Does uid=0 map to the Administrator SID or to some other SID?

Also, use:
	net rpc join -S 'PDC_Name' -Uroot%secret

PS: It is best to populate your LDAP directory using:
	"smbldap-populate -a root",  not just the default which creates an
	"Administrator" account.

- John T.
################
If I do it this way do I join machines to the domain using "root" as
opposed to administrator?  And when I run smbpasswd -w secretpassword
will that set it for "root"?

Secondly....I noticed this....

when I run     getent passwd     on my current functioning Samba/LDAP
server (production box...pre smbldap-installer) I get ...

Administrator:x:0:512:Netbios Domain Administrator:/home/:/bin/false

Where as on a machine I just set up with smbldap-installer....I get...

Administrator:x:0:512:Netbios Domain
Administrator:/home/Administrator:/bin/false

Note the difference in "home".  Are you guys seeing this?  I'm
having issue running programs like gedit as it wants to write to
/home/Administrator, but it isn't there.   I wonder if this is
contributing?

Anyway...I could really use some help trying to debug this situation....not only
for me, but for all of us.  Plus I'm supposed to be teaching a class about
it in 2 weeks....(hence the panicking)....I tested everything except roaming
profiles and never would have even thought to check if it hadn't been for
Jim K.  I have a functioning Samba/LDAP server already thus I hadn't needed
to try it, but I do need to fix this as I run Windows roaming profiles and will
need it to work when I upgrade this
summer.  Arrrgghhh!   Any help gratefully appreciated....If you go to
Linux World I'll buy you a beer.  :-)  


David N. Trask
Technology Teacher/Coordinator
Vassalboro Community School
dtrask@vcs.u52.k12.me.us
(207)923-3100

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Craig White <craigwhite@azapple.com> on Sunday, February 6, 2005 at 9:57
PM +0000 wrote:
>I admire your efforts but would caution you...
>
>- doesn't make much sense to start programming a solution in which you
>don't have the map in front of you - i.e. a complete how-to, run through
>each step manually and you could even grab everything you did from the
>'history' command
The how-to is included in the package as documentation and is on the web
at http://web.vcs.u52.k12.me.us/linux/smbldap
>
>
>- the concept is interesting in that it attempts to promote the 'lesser
>skilled' into an actual working environment but of course, they
won't be
>able to maintain it.
Why not?  Many folks on the K12OS list have been doing so for a couple
years now since my first how-to.  I've been using it for two years now and
I'm not nearly as skilled as you think.
>
>
>- if I had any quantity of users, I am sure I wouldn't use /home as base
>and thus would be editing /etc/default/useradd and adjust entries in my
>DSA accordingly
What do you consider a "quantity"?  I have 600 users and use
/home....I'm
not sure where you're going with this...what's wrong with /home?  I use
my
Samba/LDAP server for K12LTSP, Windows XP network, and Win 2003 Terminal
server network....works fine.  Although I will say that the newest version
of the smbldap-useradd-bulk script allows folks to get more specific about
the location of home dirs.  For example:  Mrs. Jones class can be located
in  /home/mrsjones/username   Also....don't confuse Matt's annoucement
about the useradd script as being what smbldap-installer is all about. 
The smbldap-useradd-bulk script is and add-on in addition to
smbldap-installer (which sets up the server).
>
>
>- there are so many other files that are involved / impacted by your
>scenario besides the obvious smbldap_conf.pm (or whatever it is called
>these days...I'm still on an older version). Files such
>as /etc/ldap.conf, /etc/nsswitch.conf, slapd.conf and I presume that you
>are going to have people hand edit them and they will pull their hair
>out.
No....the script fills in the values for you and copies the conf files to
the correct locations.  That's precisely what we're trying avoid.  Run
the
script...answer the prompts...and voila!  You have a working Samba/LDAP
server.  We'll even take care of the exporting of /home for you if you
want.  It's one of the prompts.  And yes....the primary audience is not
the uber-geek, but rather the common IT guy employed by a school or a
small to mid-sized company.
>
>
>- I am firmly of the opinion that no one should be running LDAP if they
>can't easily use tools such as ldapmodify and ldapsearch - they
can't
>troubleshoot. There is no shortcut on knowledge on this one.
I agree to some extent, but also feel that even newbies can use LDAP in a
low-mission-critical environment especially if they back up data.  I had a
Samba/LDAP server problem earlier this fall, but since I back up the /home
dirs to another server....I was able to easily rebuild the server....plug
the users back in....copy /home back over....rerun the user creation
script I use  to fix permissions and away we went without skipping a
beat.
>
>
>- You're looking at everything in a vacuum, it's likely people are
going
>to want their server to do things other than be a samba server.
>Integration with openldap - well if they don't understand it, it's
going
>to present a real challenge.
I hear you, but what we're finding is that 90% of the people who asked for
and are using this script (it's been out for about three weeks)....are
folks like me....those who want to provide centralized authentication for
a mixed Linux, Windows, OS X network.  Mail is sometimes figured in, but
often not.
>
>
>- I can see the need for the type of thing you are trying to do but I
>think it has to almost be a distro in and of itself. Probably should
>have a perl program that is web accessible where it writes ALL of the
>config files out and not just populate the DSA. By all, I mean openldap,
>samba, bind, dhcp padl's nsswitch & ldap.conf, obviously the
>smbldap_conf files and of course, this is pretty much a one shot deal.
The script does write out the configs.  Most of the conf files are in the
templates directory....the script prompts for things like domain names,
passwords, etc.  And then writes the configs.  It also backs up your
current configs.  It doesn't do dhcp as that is done when you set up the
server.  

Thanks, but I hope folks will still help us try to get over the roaming
profiles issue.  Baby steps....let's start with this script and grow from
there.  
>
>
>Craig

David N. Trask
Technology Teacher/Coordinator
Vassalboro Community School
dtrask@vcs.u52.k12.me.us
(207)923-3100

Craig White <craigwhite@azapple.com> on Sunday, February 6, 2005 at 11:26
PM +0000 wrote:
>I'm sure I gave you the answers on the profiles issue
You did give me some info and I appreciate that....here's the profiles
section of my smb.conf

[profiles]
   path = /opt/samba/profiles
   writeable = yes
   browseable = no
   #create mode = 0644
   #directory mode = 0755
   # this prevents users from browsing other peoples' profiles
   create mode = 0600
   directory mode = 0700

Note we changed the create mode and directory mode from what was given by
the folks from IDEALX in their example....in an effort to secure things. 
I can see in your example that you did the same.  

Due to the name of the smbldap_conf.pm file I'm aware that you're using
an
older version of smbldap-tools.  This past summer I migrated from RH 9
using an older version of smbldap-tools and Samba 2 to Fedora Core 2 using
Samba 3 and smbldap-tools 0.84 (what I'm using on my production
server....0.86 is what we use in the script).  Things changed dramatically
in the newer versions.  Name changes...and in the latest
version....location changes.  No longer is smbldap-tools located in
/etc/smbldap-tools....nor are the executables located in
/usr/local/sbin.....they are now in /opt/IDEALX/sbin.  Anyway...in version
0.84 there was a "bug" or "feature" where in order to get
smbldap-populate
to work (because of the adding of the Administrator user) you had to go to
smbusers and comment out the line with 

#root = administrator admin

Once one did this...everything worked fine.  I'm wondering if things have
changed with the newer version of smbldap-tools and possibly the later
version of samba in FC3 that make this uneccesary and perhaps
"naughty".
My hunch is the profiles issue is a permissions problem...not in the sense
that the profiles directory is not 1777 (which it is) but rather something
amiss with Administrator.  In earlier versions of Samba and smbldap-tools
(at least in my case) "root" was the user that I used to join Windows
machines to the domain (entered on the Windows machine)....now it is
"Administrator"....but quirky little things are making me wonder if
that's
not the case anymore.

David N. Trask
Technology Teacher/Coordinator
Vassalboro Community School
dtrask@vcs.u52.k12.me.us
(207)923-3100