David Trask
2005-Feb-07 01:42 UTC
[Samba] We need help with a bug....smbldap-installer script (long)
Hi all! First of all....if you haven't heard of the smbldap-installer script....allow me to introduce it to you. Here's the latest announcement that Matt Oquist posted to the K12OS list (Matt and I are working on this together....he's the scripter and I'm the tester/documenter). First the announcement, and then read on below to see what we need help with....and some questions I have.....

######################

Version 1.2-beta of the smbldap-installer script is available at
http://majen.net/smbldap-installer-1.2-beta.tgz

This version has been updated to include "shell" and "home" fields in the input to smbldap-useradd-bulk. This means that you can use userinfo.start and 'make' to create users just as you could previously, but if you wish you can also manipulate the input for smbldap-useradd-bulk yourself. For example, you could use create-usernames to create your usernames, and then use a spreadsheet (or whatever else) to add customized home directories and/or shells. Then you could give that input to smbldap-useradd-bulk to create your users on the system.

Both create-usernames and smbldap-useradd-bulk have inline documentation:

$ create-usernames --help
$ smbldap-useradd-bulk --help

And, as always, you can look in the Makefile to see how it's using the two scripts.

This is a beta version because:
1. the roving profiles problem we've been discussing is not solved
2. the included Samba-LDAP_smbldap-installer document is not updated to reflect the changes to smbldap-useradd-bulk
3. it has not undergone full testing

Please let me know if these changes are the "right changes", and of course let me know about all the bugs you find. :)

--matt

#####################

Ok....now for the issues we know about. First, the script right now is written to only work with Fedora Core 3 or K12LTSP 4.2 (we had to start somewhere...if you'd like to alter or repackage for another distro....PLEASE do and share with us).

Now....everything works in my test environment and in others...we can add users....Linux users can authenticate....Windows users can authenticate.....we can join Windows machines to the domain...BUT we're having a problem with roaming profiles. The login goes fine so we know the authentication takes place....but then Windows gives an error that it doesn't have permission to access the profiles directory and as a result is using a TEMP directory which will (and indeed does) disappear once the user logs off. We could use some help finding out why this is happening. (We'd like to have it fixed in time for Linux World in Boston next week.) We are using the latest version of smbldap-tools in this script (0.86 I believe).

Now for some questions....

There appear to be some issues with the Administrator user this time around (I have a perfectly working Samba/LDAP server in production at my school running version 0.84 of smbldap-tools and version 3.0.7-2 of Samba) and I noticed that John T. had mentioned that smbldap-populate should be run differently (see below):

#################

Get rid of the "Administrator" account. Use the "root" account instead. You have ambiguous names that can NOT unambiguously resolve to one identity. ie: Is uid=0 root or is it Administrator? Does uid=0 map to the Administrator SID or to some other SID?

Also, use:

net rpc join -S 'PDC_Name' -Uroot%secret

PS: It is best to populate your LDAP directory using: "smbldap-populate -a root", not just the default which creates an "Administrator" account.

- John T.

################

If I do it this way do I join machines to the domain using "root" as opposed to Administrator? And when I run smbpasswd -w secretpassword will that set it for "root"?

Secondly....I noticed this.... when I run getent passwd on my current functioning Samba/LDAP server (production box...pre smbldap-installer) I get...

Administrator:x:0:512:Netbios Domain Administrator:/home/:/bin/false

Whereas on a machine I just set up with smbldap-installer....I get...

Administrator:x:0:512:Netbios Domain Administrator:/home/Administrator:/bin/false

Note the difference in "home". Are you guys seeing this? I'm having issues running programs like gedit as it wants to write to /home/Administrator, but it isn't there. I wonder if this is contributing?

Anyway...I could really use some help trying to debug this situation....not only for me, but for all of us. Plus I'm supposed to be teaching a class about it in 2 weeks....(hence the panicking)....I tested everything except roaming profiles and never would have even thought to check if it hadn't been for Jim K. I have a functioning Samba/LDAP server already thus I hadn't needed to try it, but I do need to fix this as I run Windows roaming profiles and will need it to work when I upgrade this summer. Arrrgghhh! Any help gratefully appreciated....If you go to Linux World I'll buy you a beer. :-)

David N. Trask
Technology Teacher/Coordinator
Vassalboro Community School
dtrask@vcs.u52.k12.me.us
(207)923-3100
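The two things John T. and David point at in the post above (a uid that resolves to more than one account name, and an account whose home directory was never created) can both be checked mechanically from passwd-format data. The script below is an added example and is not part of smbldap-installer, smbldap-tools or Samba. The sample passwd lines are constructed to mirror the getent output quoted in the post; the `--live` switch and the function names are this example's own, and the live mode assumes the host's nsswitch is already pointed at LDAP so that `getent passwd` returns the directory's accounts.

```shell
#!/bin/sh
# Added example, not part of smbldap-installer or smbldap-tools.
# Two checks on passwd(5)-format data (a file, or the output of
# `getent passwd`): which uids resolve to more than one name, and
# which accounts point at a home directory that does not exist.

# Constructed sample modelled on the getent output quoted in the thread:
# root and Administrator both carry uid 0, and Administrator's home is
# a directory that was never created.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
Administrator:x:0:512:Netbios Domain Administrator:/home/Administrator:/bin/false
nobody:x:99:99:Nobody:/:/sbin/nologin
dtrask:x:1000:513:David Trask:/home/dtrask:/bin/bash'

# find_shared_uids: read passwd lines on stdin; print "<uid> <name> <name>..."
# for every uid that belongs to more than one account, lowest uid first.
find_shared_uids() {
    awk -F: '
        NF >= 7 {
            names[$3] = (names[$3] == "") ? $1 : names[$3] " " $1
            count[$3]++
        }
        END {
            for (uid in count)
                if (count[uid] > 1) print uid, names[uid]
        }' | sort -n
}

# missing_homes: read passwd lines on stdin; print "<name> uid=<uid> home=<dir>"
# for every account whose home directory is absent on this host.
missing_homes() {
    while IFS=: read -r name _pw uid _gid _gecos home _shell; do
        [ -n "$name" ] || continue
        [ -d "$home" ] || printf '%s uid=%s home=%s\n' "$name" "$uid" "$home"
    done
}

# Usage: sh check-accounts.sh          (runs against the constructed sample)
#        sh check-accounts.sh --live   (runs against this host's getent passwd)
if [ "${1:-}" = "--live" ]; then
    getent passwd | find_shared_uids
    getent passwd | missing_homes
else
    printf '%s\n' "$SAMPLE_PASSWD" | find_shared_uids
    printf '%s\n' "$SAMPLE_PASSWD" | missing_homes
fi
```

On the constructed sample, `find_shared_uids` prints `0 root Administrator`, which is exactly the ambiguity John T. describes: a process running as uid 0 will be reported under whichever name the resolver returns first, and a file owned by uid 0 cannot tell you which account created it. `missing_homes` flags any account whose home directory does not exist, the situation David hits when gedit tries to write into /home/Administrator.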
Steve Simeonidis
2005-Feb-07 01:55 UTC
[Samba] We need help with a bug....smbldap-installer script (long)
Can you send a copy of your smb.conf file?

Have you checked the permissions on the "profiles" directory you've created? If I'm not mistaken the directory permissions should be 1777.

What is "net groupmap list" reporting?

Thanks
David Trask
2005-Feb-07 04:08 UTC
[Samba] We need help with a bug....smbldap-installer script (long)
Craig White <craigwhite@azapple.com> on Sunday, February 6, 2005 at 9:57 PM +0000 wrote:

> I admire your efforts but would caution you...
>
> - doesn't make much sense to start programming a solution in which you
> don't have the map in front of you - i.e. a complete how-to, run through
> each step manually and you could even grab everything you did from the
> 'history' command

The how-to is included in the package as documentation and is on the web at http://web.vcs.u52.k12.me.us/linux/smbldap

> - the concept is interesting in that it attempts to promote the 'lesser
> skilled' into an actual working environment but of course, they won't be
> able to maintain it.

Why not? Many folks on the K12OS list have been doing so for a couple of years now since my first how-to. I've been using it for two years now and I'm not nearly as skilled as you think.

> - if I had any quantity of users, I am sure I wouldn't use /home as base
> and thus would be editing /etc/default/useradd and adjust entries in my
> DSA accordingly

What do you consider a "quantity"? I have 600 users and use /home....I'm not sure where you're going with this...what's wrong with /home? I use my Samba/LDAP server for K12LTSP, Windows XP network, and Win 2003 Terminal server network....works fine. Although I will say that the newest version of the smbldap-useradd-bulk script allows folks to get more specific about the location of home dirs. For example: Mrs. Jones' class can be located in /home/mrsjones/username

Also....don't confuse Matt's announcement about the useradd script as being what smbldap-installer is all about. The smbldap-useradd-bulk script is an add-on in addition to smbldap-installer (which sets up the server).

> - there are so many other files that are involved / impacted by your
> scenario besides the obvious smbldap_conf.pm (or whatever it is called
> these days...I'm still on an older version). Files such
> as /etc/ldap.conf, /etc/nsswitch.conf, slapd.conf and I presume that you
> are going to have people hand edit them and they will pull their hair
> out.

No....the script fills in the values for you and copies the conf files to the correct locations. That's precisely what we're trying to avoid. Run the script...answer the prompts...and voila! You have a working Samba/LDAP server. We'll even take care of the exporting of /home for you if you want. It's one of the prompts. And yes....the primary audience is not the uber-geek, but rather the common IT guy employed by a school or a small to mid-sized company.

> - I am firmly of the opinion that no one should be running LDAP if they
> can't easily use tools such as ldapmodify and ldapsearch - they can't
> troubleshoot. There is no shortcut on knowledge on this one.

I agree to some extent, but also feel that even newbies can use LDAP in a low-mission-critical environment, especially if they back up data. I had a Samba/LDAP server problem earlier this fall, but since I back up the /home dirs to another server....I was able to easily rebuild the server....plug the users back in....copy /home back over....rerun the user creation script I use to fix permissions and away we went without skipping a beat.

> - You're looking at everything in a vacuum, it's likely people are going
> to want their server to do things other than be a samba server.
> Integration with openldap - well if they don't understand it, it's going
> to present a real challenge.

I hear you, but what we're finding is that 90% of the people who asked for and are using this script (it's been out for about three weeks)....are folks like me....those who want to provide centralized authentication for a mixed Linux, Windows, OS X network. Mail is sometimes figured in, but often not.

> - I can see the need for the type of thing you are trying to do but I
> think it has to almost be a distro in and of itself. Probably should
> have a perl program that is web accessible where it writes ALL of the
> config files out and not just populate the DSA. By all, I mean openldap,
> samba, bind, dhcp padl's nsswitch & ldap.conf, obviously the
> smbldap_conf files and of course, this is pretty much a one shot deal.

The script does write out the configs. Most of the conf files are in the templates directory....the script prompts for things like domain names, passwords, etc. And then writes the configs. It also backs up your current configs. It doesn't do dhcp as that is done when you set up the server.

Thanks, but I hope folks will still help us try to get over the roaming profiles issue. Baby steps....let's start with this script and grow from there.

> Craig

David N. Trask
Technology Teacher/Coordinator
Vassalboro Community School
dtrask@vcs.u52.k12.me.us
(207)923-3100
David Trask
2005-Feb-07 05:38 UTC
[Samba] We need help with a bug....smbldap-installer script (long)
Craig White <craigwhite@azapple.com> on Sunday, February 6, 2005 at 11:26 PM +0000 wrote:

> I'm sure I gave you the answers on the profiles issue

You did give me some info and I appreciate that....here's the profiles section of my smb.conf:

[profiles]
path = /opt/samba/profiles
writeable = yes
browseable = no
#create mode = 0644
#directory mode = 0755
# this prevents users from browsing other peoples' profiles
create mode = 0600
directory mode = 0700

Note we changed the create mode and directory mode from what was given by the folks from IDEALX in their example....in an effort to secure things. I can see in your example that you did the same.

Due to the name of the smbldap_conf.pm file I'm aware that you're using an older version of smbldap-tools. This past summer I migrated from RH 9 using an older version of smbldap-tools and Samba 2 to Fedora Core 2 using Samba 3 and smbldap-tools 0.84 (what I'm using on my production server....0.86 is what we use in the script). Things changed dramatically in the newer versions. Name changes...and in the latest version....location changes. No longer is smbldap-tools located in /etc/smbldap-tools....nor are the executables located in /usr/local/sbin.....they are now in /opt/IDEALX/sbin.

Anyway...in version 0.84 there was a "bug" or "feature" where in order to get smbldap-populate to work (because of the adding of the Administrator user) you had to go to smbusers and comment out the line with

#root = administrator admin

Once one did this...everything worked fine. I'm wondering if things have changed with the newer version of smbldap-tools and possibly the later version of samba in FC3 that make this unnecessary and perhaps "naughty". My hunch is the profiles issue is a permissions problem...not in the sense that the profiles directory is not 1777 (which it is) but rather something amiss with Administrator.

In earlier versions of Samba and smbldap-tools (at least in my case) "root" was the user that I used to join Windows machines to the domain (entered on the Windows machine)....now it is "Administrator"....but quirky little things are making me wonder if that's not the case anymore.

David N. Trask
Technology Teacher/Coordinator
Vassalboro Community School
dtrask@vcs.u52.k12.me.us
(207)923-3100
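Steve's question about whether the profiles directory is 1777, and the `directory mode = 0700` David sets in the smb.conf above, together describe an on-disk layout that can be audited independently of Samba: a world-writable, sticky share root, and one per-user directory underneath it that belongs to that user and is closed to everyone else. The script below is an added example and is not code from smbldap-installer, Samba or anyone in the thread. It takes the 1777 requirement from Steve's reply and the path /opt/samba/profiles from David's smb.conf; it assumes each profile lives in a subdirectory named after the Unix account (the naming a `%U`-based logon path produces), so a different naming scheme needs a different mapping in `audit_profiles`. The test data it runs on is created in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of smbldap-installer or Samba.
# Audits the on-disk layout of a roaming-profile share: the share root
# should be 1777 (everyone may create, sticky bit stops users deleting
# each other's directories) and each per-user directory should belong
# to that user with no group/other access, matching directory mode = 0700.
# Assumes one subdirectory per Unix account name under the share root.

# profile_root_ok DIR: true when DIR exists with at least mode 1777.
profile_root_ok() {
    [ -d "$1" ] || return 1
    [ -n "$(find "$1" -maxdepth 0 -perm -1777 -print)" ]
}

# user_profile_ok ROOT USER: true when ROOT/USER exists, is owned by USER
# and has no group/other permission bits (ls mode field reads "rwx------").
user_profile_ok() {
    d="$1/$2"
    [ -d "$d" ] || return 1
    [ -n "$(find "$d" -maxdepth 0 -user "$2" -print)" ] || return 1
    [ "$(ls -ld "$d" | cut -c5-10)" = "------" ]
}

# audit_profiles ROOT: print one line per problem; silent and 0 when clean.
audit_profiles() {
    root="$1"
    rc=0
    profile_root_ok "$root" || { echo "share root $root is not 1777"; rc=1; }
    for d in "$root"/*/; do
        [ -d "$d" ] || continue            # no subdirectories at all
        u=$(basename "$d")
        user_profile_ok "$root" "$u" \
            || { echo "profile $root/$u is not owned by $u with mode 0700"; rc=1; }
    done
    return $rc
}

# Usage: sh audit-profiles.sh /opt/samba/profiles
if [ $# -gt 0 ]; then
    audit_profiles "$1"
fi
```

Run as `sh audit-profiles.sh /opt/samba/profiles` on the PDC. A clean run prints nothing and exits 0; each reported line is a directory a Windows client would be refused when it tries to write the profile back at logoff, which is the point at which the "temporary profile" symptom David describes shows up. The owner check is the one that catches the Administrator confusion discussed in the thread: a profile directory created while uid 0 resolved to a different name than expected will fail `find -user`, even though its mode bits look right.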