samba - Dec 2015 - [Not really Samba] Semantic was Permission Denied

2015-12-08 17:54 GMT+01:00 Rowland penny <rpenny at samba.org>:
> On 08/12/15 16:33, mathias dufresne wrote:
>
>> 2015-12-08 17:15 GMT+01:00 Rowland penny <rpenny at samba.org>:
>>
>> On 08/12/15 16:02, mathias dufresne wrote:
>>>
>>> On any Linux system where you want to be able to use AD users as
system
>>>> users you need to configure PAM. This because it is PAM which
discuss
>>>> with
>>>> the tool you have chosen to retrieve users information from AD
and then
>>>> build system users with these information.
>>>>
>>>> It may be better if you stop calling local Unix users
'system users',
>>> system users are something else, i.e. 'root' is a system
user, as is
>>> 'www-data'
>>>
>>
>> System users are users available from system side.
>> Local users are users declared in /etc/passwd.
>>
>> What is the point of your remark?
>>
>
> The point is that 'Unix system users" != 'Unix local
users'
>
> On a Unix system, low ID numbers are used for system users i.e. root,
> www-data, ntp etc, these numbers are all under 1000 (used to be 500 on
> redhat systems), but they all appear in /etc/passwd.
> A Unix local user is a user that has an ID number of 1000 and upwards that
> appears in /etc/passwd. You can have a user called fred on two different
> Unix machines, but they would not be the same user. This is where AD comes
> in, by creating the user 'fred' in AD and giving the user a
uidNumber, this
> user could log into any domain joined computer and would be the same user.
>
You wrote:
"A Unix local user is a user that has an ID number of 1000 and upwards that
appears in /etc/passwd."
How do you call a user declared in /etc/passwd with UID superior than 1000?

I understand your point of view but you seem to me the one needing to find
a new word, not me.

Let's forget this "local user" - which does not release you to
answer my
previous question - and speak about "system users". For me a system is
a
user available on system side, for command as getent, id... A user which
can interact with the system as a user.

Still for me, "local users" are anything declared locally regardless
of
their UID.
This because:
- they are declared locally
- we mainly speak about Samba, as Samba is bound to act as AD, as AD is
designed to have an external user database which could be use on system
side, we really need a way to describe the difference between all local
users and users coming from AD. Here I'm still speaking about users which
can interact with the system ("system users" is shorter indeed).
This distinction is necessary for us to understand each other and it again
more necessary for new comers in Samba or AD world.

What for a user reading your mails where you told "A Unix local user is a
user that has an ID number of 1000 and upwards that appears in /etc/passwd"
and trust you? Should he remove all users in /etc/passwd with uid > 1000
because that's not how thing are nice or should he find a way to keep these
users and find a workaround?

In AD and any remote user DB there is two kinds of users: local users and
remote users. Reuniting both kinds and you get system users. All users
which can use the system as a system (shell if they are allowed, getent for
lazy test).

I really don't understand why you can't stop yourself complaining like
that. I was merely trying to describe a not-so-simple concept. All I get
was "It may be better if you stop "... Did you really write that to
help
the original poster? Or just to complain?

Words are nothing more than words. They have meaning with context, only.
Especially in IT world where all moves so fast, language included.

I would end that with:
Rowland, please, try to make effort to understand others, try to understand
we are not all English native, try to be less rough, accept the idea we
(most of us) have to translate. And finally try to understand the way you
speak IT in your daily work is not necessarily the same way we speak IT
there, or here. We all have to adapt to understand each other. You too.

Thank you, with best regards,

mathias

On 08/12/15 19:29, mathias dufresne wrote:
> 2015-12-08 17:54 GMT+01:00 Rowland penny <rpenny at samba.org>:
>
>> On 08/12/15 16:33, mathias dufresne wrote:
>>
>>> 2015-12-08 17:15 GMT+01:00 Rowland penny <rpenny at
samba.org>:
>>>
>>> On 08/12/15 16:02, mathias dufresne wrote:
>>>> On any Linux system where you want to be able to use AD users
as system
>>>>> users you need to configure PAM. This because it is PAM
which discuss
>>>>> with
>>>>> the tool you have chosen to retrieve users information from
AD and then
>>>>> build system users with these information.
>>>>>
>>>>> It may be better if you stop calling local Unix users
'system users',
>>>> system users are something else, i.e. 'root' is a
system user, as is
>>>> 'www-data'
>>>>
>>> System users are users available from system side.
>>> Local users are users declared in /etc/passwd.
>>>
>>> What is the point of your remark?
>>>
>> The point is that 'Unix system users" != 'Unix local
users'
>>
>> On a Unix system, low ID numbers are used for system users i.e. root,
>> www-data, ntp etc, these numbers are all under 1000 (used to be 500 on
>> redhat systems), but they all appear in /etc/passwd.
>> A Unix local user is a user that has an ID number of 1000 and upwards
that
>> appears in /etc/passwd. You can have a user called fred on two
different
>> Unix machines, but they would not be the same user. This is where AD
comes
>> in, by creating the user 'fred' in AD and giving the user a
uidNumber, this
>> user could log into any domain joined computer and would be the same
user.
>>
> You wrote:
> "A Unix local user is a user that has an ID number of 1000 and upwards
that
> appears in /etc/passwd."
> How do you call a user declared in /etc/passwd with UID superior than 1000?
>
> I understand your point of view but you seem to me the one needing to find
> a new word, not me.
Have you tried reading 'man adduser' ?

    Add a system user
        If called with one non-option argument and the --system option, 
adduser
        will add a system user.

        adduser  will  choose  the first available UID from the range 
specified
        for system  users  in  the  configuration  file 
(FIRST_SYSTEM_UID  and
        LAST_SYSTEM_UID).

The configuration file is '/etc/adduser.conf' and from that:

FIRST_SYSTEM_UID=100
LAST_SYSTEM_UID=999

>
> Let's forget this "local user" - which does not release you
to answer my
> previous question - and speak about "system users". For me a
system is a
> user available on system side, for command as getent, id... A user which
> can interact with the system as a user.
Well it might mean that to you, but to me and a lot of others, it 
doesn't. A 'system user' is a user that controls something like
apache,
whilst a normal user is one that just logs into the computer and uses it 
as a workstation. Now this 'normal user' tag is meaningless in AD terms,
hence 'local Unix user' or a local user on a Unix machine. Note that I 
didn't create this name, it is widely used, but not apparently by you
>
> Still for me, "local users" are anything declared locally
regardless of
> their UID.
> This because:
> - they are declared locally
> - we mainly speak about Samba, as Samba is bound to act as AD, as AD is
> designed to have an external user database which could be use on system
> side, we really need a way to describe the difference between all local
> users and users coming from AD. Here I'm still speaking about users
which
> can interact with the system ("system users" is shorter indeed).
> This distinction is necessary for us to understand each other and it again
> more necessary for new comers in Samba or AD world.
>
> What for a user reading your mails where you told "A Unix local user
is a
> user that has an ID number of 1000 and upwards that appears in
/etc/passwd"
> and trust you?
Yes, because it is true.
> Should he remove all users in /etc/passwd with uid > 1000
> because that's not how thing are nice or should he find a way to keep
these
> users and find a workaround?
If you follow the wiki, any users with uid of less than 2000 will be 
ignored by samba. You normally need some 'local Unix users' and if you 
use 'adduser' to create them, their uids will start at 1000. This is not
a problem, as long as the username doesn't exist in AD and smb.conf is 
setup correctly.
>
> In AD and any remote user DB there is two kinds of users: local users and
> remote users. Reuniting both kinds and you get system users. All users
> which can use the system as a system (shell if they are allowed, getent for
> lazy test).
No, there are AD users, AD users that also Unix users and local Unix 
users that are unknown to AD.
> I really don't understand why you can't stop yourself complaining
like
> that. I was merely trying to describe a not-so-simple concept. All I get
> was "It may be better if you stop "... Did you really write that
to help
> the original poster? Or just to complain?
No, I didn't write that to complain, I was trying to help you understand 
that to Unix, 'system user' means something other than what you think it
does.
> Words are nothing more than words. They have meaning with context, only.
> Especially in IT world where all moves so fast, language included.
I agree with first part, not necessarily with the second, a Unix 'system 
user' has meant the same for as long as I have been dealing with Unix, 
which has been a very long time :-)
> I would end that with:
> Rowland, please, try to make effort to understand others, try to understand
> we are not all English native, try to be less rough, accept the idea we
> (most of us) have to translate. And finally try to understand the way you
> speak IT in your daily work is not necessarily the same way we speak IT
> there, or here. We all have to adapt to understand each other. You too.
I understand where you are coming from, but English is my mother tongue 
and I call a spade a spade, not an earth moving device. You also want me 
to accept your terminology over the terminology I have been using for 
years, sorry but this isn't going to happen.

Rowland
>
> Thank you, with best regards,
>
> mathias