mathias dufresne
2015-Dec-08 19:29 UTC
[Samba] [Not really Samba] Semantic was Permission Denied
2015-12-08 17:54 GMT+01:00 Rowland penny <rpenny at samba.org>:

> On 08/12/15 16:33, mathias dufresne wrote:
>
>> 2015-12-08 17:15 GMT+01:00 Rowland penny <rpenny at samba.org>:
>>
>> On 08/12/15 16:02, mathias dufresne wrote:
>>>
>>> On any Linux system where you want to be able to use AD users as system
>>>> users you need to configure PAM. This because it is PAM which discuss
>>>> with
>>>> the tool you have chosen to retrieve users information from AD and then
>>>> build system users with these information.
>>>>
>>>> It may be better if you stop calling local Unix users 'system users',
>>> system users are something else, i.e. 'root' is a system user, as is
>>> 'www-data'
>>>
>>
>> System users are users available from system side.
>> Local users are users declared in /etc/passwd.
>>
>> What is the point of your remark?
>>
>
> The point is that 'Unix system users" != 'Unix local users'
>
> On a Unix system, low ID numbers are used for system users i.e. root,
> www-data, ntp etc, these numbers are all under 1000 (used to be 500 on
> redhat systems), but they all appear in /etc/passwd.
> A Unix local user is a user that has an ID number of 1000 and upwards that
> appears in /etc/passwd. You can have a user called fred on two different
> Unix machines, but they would not be the same user. This is where AD comes
> in, by creating the user 'fred' in AD and giving the user a uidNumber, this
> user could log into any domain joined computer and would be the same user.
>

You wrote:
"A Unix local user is a user that has an ID number of 1000 and upwards that appears in /etc/passwd."
How do you call a user declared in /etc/passwd with UID superior than 1000?

I understand your point of view but you seem to me the one needing to find a new word, not me.

Let's forget this "local user" - which does not release you to answer my previous question - and speak about "system users". For me a system is a user available on system side, for command as getent, id... A user which can interact with the system as a user.

Still for me, "local users" are anything declared locally regardless of their UID.
This because:
- they are declared locally
- we mainly speak about Samba, as Samba is bound to act as AD, as AD is designed to have an external user database which could be use on system side, we really need a way to describe the difference between all local users and users coming from AD. Here I'm still speaking about users which can interact with the system ("system users" is shorter indeed).
This distinction is necessary for us to understand each other and it again more necessary for new comers in Samba or AD world.

What for a user reading your mails where you told "A Unix local user is a user that has an ID number of 1000 and upwards that appears in /etc/passwd" and trust you? Should he remove all users in /etc/passwd with uid > 1000 because that's not how thing are nice or should he find a way to keep these users and find a workaround?

In AD and any remote user DB there is two kinds of users: local users and remote users. Reuniting both kinds and you get system users. All users which can use the system as a system (shell if they are allowed, getent for lazy test).

I really don't understand why you can't stop yourself complaining like that. I was merely trying to describe a not-so-simple concept. All I get was "It may be better if you stop "... Did you really write that to help the original poster? Or just to complain?

Words are nothing more than words. They have meaning with context, only. Especially in IT world where all moves so fast, language included.

I would end that with:
Rowland, please, try to make effort to understand others, try to understand we are not all English native, try to be less rough, accept the idea we (most of us) have to translate. And finally try to understand the way you speak IT in your daily work is not necessarily the same way we speak IT there, or here. We all have to adapt to understand each other. You too.

Thank you, with best regards,

mathias

Rowland penny
2015-Dec-08 20:14 UTC
[Samba] [Not really Samba] Semantic was Permission Denied
On 08/12/15 19:29, mathias dufresne wrote:

> 2015-12-08 17:54 GMT+01:00 Rowland penny <rpenny at samba.org>:
>
>> On 08/12/15 16:33, mathias dufresne wrote:
>>
>>> 2015-12-08 17:15 GMT+01:00 Rowland penny <rpenny at samba.org>:
>>>
>>> On 08/12/15 16:02, mathias dufresne wrote:
>>>> On any Linux system where you want to be able to use AD users as system
>>>>> users you need to configure PAM. This because it is PAM which discuss
>>>>> with
>>>>> the tool you have chosen to retrieve users information from AD and then
>>>>> build system users with these information.
>>>>>
>>>>> It may be better if you stop calling local Unix users 'system users',
>>>> system users are something else, i.e. 'root' is a system user, as is
>>>> 'www-data'
>>>>
>>> System users are users available from system side.
>>> Local users are users declared in /etc/passwd.
>>>
>>> What is the point of your remark?
>>>
>> The point is that 'Unix system users" != 'Unix local users'
>>
>> On a Unix system, low ID numbers are used for system users i.e. root,
>> www-data, ntp etc, these numbers are all under 1000 (used to be 500 on
>> redhat systems), but they all appear in /etc/passwd.
>> A Unix local user is a user that has an ID number of 1000 and upwards that
>> appears in /etc/passwd. You can have a user called fred on two different
>> Unix machines, but they would not be the same user. This is where AD comes
>> in, by creating the user 'fred' in AD and giving the user a uidNumber, this
>> user could log into any domain joined computer and would be the same user.
>>
> You wrote:
> "A Unix local user is a user that has an ID number of 1000 and upwards that
> appears in /etc/passwd."
> How do you call a user declared in /etc/passwd with UID superior than 1000?
>
> I understand your point of view but you seem to me the one needing to find
> a new word, not me.

Have you tried reading 'man adduser' ?

Add a system user
If called with one non-option argument and the --system option, adduser will add a system user. adduser will choose the first available UID from the range specified for system users in the configuration file (FIRST_SYSTEM_UID and LAST_SYSTEM_UID).

The configuration file is '/etc/adduser.conf' and from that:

FIRST_SYSTEM_UID=100
LAST_SYSTEM_UID=999

>
> Let's forget this "local user" - which does not release you to answer my
> previous question - and speak about "system users". For me a system is a
> user available on system side, for command as getent, id... A user which
> can interact with the system as a user.

Well it might mean that to you, but to me and a lot of others, it doesn't. A 'system user' is a user that controls something like apache, whilst a normal user is one that just logs into the computer and uses it as a workstation. Now this 'normal user' tag is meaningless in AD terms, hence 'local Unix user' or a local user on a Unix machine. Note that I didn't create this name, it is widely used, but not apparently by you

>
> Still for me, "local users" are anything declared locally regardless of
> their UID.
> This because:
> - they are declared locally
> - we mainly speak about Samba, as Samba is bound to act as AD, as AD is
> designed to have an external user database which could be use on system
> side, we really need a way to describe the difference between all local
> users and users coming from AD. Here I'm still speaking about users which
> can interact with the system ("system users" is shorter indeed).
> This distinction is necessary for us to understand each other and it again
> more necessary for new comers in Samba or AD world.
>
>
> What for a user reading your mails where you told "A Unix local user is a
> user that has an ID number of 1000 and upwards that appears in /etc/passwd"
> and trust you?

Yes, because it is true.

> Should he remove all users in /etc/passwd with uid > 1000
> because that's not how thing are nice or should he find a way to keep these
> users and find a workaround?

If you follow the wiki, any users with uid of less than 2000 will be ignored by samba. You normally need some 'local Unix users' and if you use 'adduser' to create them, their uids will start at 1000. This is not a problem, as long as the username doesn't exist in AD and smb.conf is setup correctly.

>
> In AD and any remote user DB there is two kinds of users: local users and
> remote users. Reuniting both kinds and you get system users. All users
> which can use the system as a system (shell if they are allowed, getent for
> lazy test).

No, there are AD users, AD users that also Unix users and local Unix users that are unknown to AD.

> I really don't understand why you can't stop yourself complaining like
> that. I was merely trying to describe a not-so-simple concept. All I get
> was "It may be better if you stop "... Did you really write that to help
> the original poster? Or just to complain?

No, I didn't write that to complain, I was trying to help you understand that to Unix, 'system user' means something other than what you think it does.

> Words are nothing more than words. They have meaning with context, only.
> Especially in IT world where all moves so fast, language included.

I agree with first part, not necessarily with the second, a Unix 'system user' has meant the same for as long as I have been dealing with Unix, which has been a very long time :-)

> I would end that with:
> Rowland, please, try to make effort to understand others, try to understand
> we are not all English native, try to be less rough, accept the idea we
> (most of us) have to translate. And finally try to understand the way you
> speak IT in your daily work is not necessarily the same way we speak IT
> there, or here. We all have to adapt to understand each other. You too.

I understand where you are coming from, but English is my mother tongue and I call a spade a spade, not an earth moving device. You also want me to accept your terminology over the terminology I have been using for years, sorry but this isn't going to happen.

Rowland

>
> Thank you, with best regards,
>
> mathias
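
An added example, not part of either message and not Samba or adduser code: a Python audit that sorts accounts into the categories argued over in this thread (system users up to LAST_SYSTEM_UID, local Unix users above it, AD users visible only through getent) and flags the one case the thread calls a problem, a local username that also exists in AD. The passwd and getent contents are constructed samples, `classify` and `samba_floor` are hypothetical names, and the 2000 floor is the figure quoted from the wiki in the message above.

```python
import re

# Constructed excerpt of /etc/adduser.conf (the two values quoted in the thread).
ADDUSER_CONF = "FIRST_SYSTEM_UID=100\nLAST_SYSTEM_UID=999\n"

# Constructed /etc/passwd content.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ntp:x:107:113::/nonexistent:/usr/sbin/nologin
fred:x:1000:1000:Fred:/home/fred:/bin/bash
backup2:x:2005:2005::/home/backup2:/bin/bash
"""

# Constructed `getent passwd` output: the local entries plus two AD accounts.
GETENT_PASSWD = LOCAL_PASSWD + """\
fred:*:10001:10000:Fred (AD):/home/fred:/bin/bash
alice:*:10002:10000:Alice:/home/alice:/bin/bash
"""

def parse_conf(text):
    """Integer KEY=VALUE settings from adduser.conf-style text."""
    return {k: int(v) for k, v in re.findall(r"^(\w+)=(\d+)[ \t]*$", text, re.M)}

def parse_passwd(text):
    """(name, uid) pairs from passwd-format lines; malformed lines are skipped."""
    rows = (line.split(":") for line in text.splitlines())
    return [(f[0], int(f[2])) for f in rows if len(f) == 7 and f[2].isdigit()]

def classify(local, visible, conf, samba_floor=2000):
    """Sort accounts into the thread's categories and flag risky overlaps."""
    report = {k: [] for k in ("system", "local", "ad", "collision", "above_floor")}
    for name, uid in local:
        # Usage from the thread: UIDs up to LAST_SYSTEM_UID are system users.
        report["system" if uid <= conf["LAST_SYSTEM_UID"] else "local"].append(name)
        if uid >= samba_floor:  # assumption: 2000 is the floor quoted from the wiki
            report["above_floor"].append(name)
    local_names = {name for name, _ in local}
    for name, uid in visible:
        if (name, uid) in local:
            continue  # same entry as in /etc/passwd
        report["ad"].append(name)
        if name in local_names:  # local username that also exists in AD
            report["collision"].append(name)
    return report

if __name__ == "__main__":
    result = classify(parse_passwd(LOCAL_PASSWD), parse_passwd(GETENT_PASSWD),
                      parse_conf(ADDUSER_CONF))
    for category, names in result.items():
        print(f"{category:12} {', '.join(names) or '-'}")
```

On a real host the two inputs would be the contents of /etc/passwd and the output of `getent passwd`; an empty `collision` list is the condition the thread describes as "not a problem".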