As I want it to be proofread by some folks, I think writing it as plain text and later on converting it to xml would be better?
P.S.: oops... did not notice I did send the mail to you and not to the list, sorry for that

On Tuesday, 11.09.2007, at 19:17 -0500, John H Terpstra wrote:
> On Tuesday 11 September 2007 18:25, Michael Schmitt wrote:
> > Hi John, hi list (your opinion too please)
>
> OK. Write it! When will it be done? I'm looking forward to it. Will you give
> it to me in XML and ready to roll it into the book?
>
> - John T.
>
> >
> > "samba3 by example"=s3bx
> >
> > This is how I want to write that chapter, but for sure it could or
> > should be integrated in the existing s3bx as best as possible. But I must
> > admit, even if s3bx is somewhat clearer and better structured compared
> > to tosharg2 it could be better. Maybe just a good index is missing? Maybe
> > we should rethink the titles of the chapters to be clearer. So here we
> > go:
> >
> > Install samba, maybe leave some short notes about distribution specific
> > things, drop a valid smb.conf in /etc/samba/ (maybe a heavily documented
> > one as example including things that are missing in the s3bx chapters,
> > including things I mentioned in the last mail, maybe with notes about
> > optional and important parameters, including defaults and if defaults
> > change if something else is changed). For the beginning add two unix
> > groups. One for users, one for admins, some words about groups in
> > general including both sides, windows and unix. Map those groups to
> > Windows accounts, explain exactly what is going on there, what about the
> > rid for domain admins and the unix gid 0? There may be an error in s3bx.
> > We do not need to be very verbose here, everything should be documented
> > in a very basic fashion but somewhat "complete" with notes to
> > continuative docs, ideally with links to those (footnotes, if ever
> > printed, for printed docs... no idea). Grant the Domain Admin group all
> > rights for managing the domain. Some notes about rights and permissions
> > and about granting rights and especially about granting rights that a
> > user / a group gets real domain admin rights, including local admin
> > rights. Btw. I think
> >
> > net rpc rights grant "<domain>\Domain Admins" SeMachineAccountPrivilege
> > SePrintOperatorPrivilege SeAddUsersPrivilege SeRemoteShutdownPrivilege
> > SeDiskOperatorPrivilege -U root <enter>
> >
> > should be possible to be abbreviated to something like
> >
> > net rpc rights grant "<domain>\Domain Admins" SeAll -U root <enter>
> >
> > or did I miss something in tosharg2?
> >
> > So, in best cases the linux part is done, nevertheless explain some
> > basic administrative things you can do on the commandline (pdbedit, net
> > *, ...), but as "User Manager for Domains" (=UMFD) is somewhat better
> > for the casual user, or in other words the Linux guys may be on holiday,
> > what should the Windows guys do in the meantime if they need to manage
> > accounts? Anyhow, some words about the right srvtools.exe package (I got
> > at first the wrong one, nothing at all worked!) and where to get it and
> > about using it... hey, it is just klickibunti (sorry, I did not find a
> > perfect translation for this german word, maybe you get the point:
> > click-o-matic, windows-like, colorful-clickable-userinterface,
> > YouCanBeDumbAsVegetablesToUseThisSystem... whatever prejudice fits best
> > for you *g*) so not many words needed, but explain in short words what
> > is possible and what needs to be done that it will be possible and
> > what's not possible at all with UMFD. There are many buttons... whoopie!
> > But most of them seem not to work for me... dunno why... should be
> > definitely addressed or at least linked to the right place.
> >
> > Done ;) I wrote this as I did set up another PDC this evening, so fairly
> > fresh from mind, I hope I did not miss anything, I will see if all works
> > in a few minutes. I boot the only Windows machine here and try to join
> > the samba domain controller. But as this is just schematic... please,
> > what do you think about it?
> >
> > regards
> > Michael
> >
> > On Sunday, 09.09.2007, at 23:07 -0500, John H Terpstra wrote:
> > > On Sunday 09 September 2007 22:34, Michael Schmitt wrote:
> > > > Hi John,
> > > >
> > > > I am glad to report full success and must admit, at the end all is
> > > > really easy... if one only knows those tiny "things". It may be that I
> > >
> > > Good. I am happy to hear that you have conquered Samba at last. Now,
> > > while all this is fresh in your mind, why don't you write that chapter
> > > you so nicely suggest below. The Samba documentation is user-contributed
> > > documentation so you might as well earn your moment of glory in the docs.
> > > :-)
> > >
> > > PS: I can identify with your comments - we've all been there at one time
> > > or another.
> > >
> > > Cheers,
> > > John T.
> > >
> > > > did not understand everything in the docs right or that I've read over
> > > > some parts but finally adding and deleting groups and users work via
> > > > usermanager for domains and via pdbedit, just some very tiny rather
> > > > cosmetic issues are left.
> > > >
> > > > The problem, the solution:
> > > > Very interesting, the _real_ problem was with the passwd chat. This is
> > > > something I may have read over and I must admit I did not read the
> > > > manpage for smb.conf very thoroughly but as this is a VERY massive and
> > > > boring to read document... I like to think of it rather as a bit of a
> > > > reference than documentation.
> > > > One thing I always misunderstood was, the passwd chat is NOT a thing
> > > > displayed on the windows' screen somewhere / sometime if a user changes
> > > > his password... it is just a guidance for samba what to expect to see
> > > > if the passwd program is executed so it can interact properly. Somehow
> > > > embarrassing, awkward or just dumb... but that's how it was ;) So this
> > > > passwd chat, passwd sync and passwd program was a real myth to me and
> > > > over the years many false assumptions were accumulated. Not a big deal
> > > > as I did use samba only as a standalone server so far.
> > > > Another thing was, you see an error message, you make assumptions, you
> > > > google, you get lots of hints, several different and even more
> > > > assumptions from other users with similar problems, but absolutely NO
> > > > hint about the real problem. After hours (I must admit I spent way
> > > > too much time googling!) a few minutes of debugging did the trick...
> > > > and at the end, not very hard at all!
> > > > For example you get an error message "Access denied" (may be
> > > > "permission denied", translated from german) on the windows screen, we
> > > > all know those errors from Linux or *UNIX in general. Maybe most errors
> > > > in unixland are permission related... but in this case it was not an
> > > > issue of missing or wrong permissions at all.
> > > > I did raise the log level, noticed it added the account, could not
> > > > change / set the password and deleted the account afterwards again... a
> > > > few moments of thinking including help and thoughts from users on
> > > > IRC... and there it was, the myth is gone! Copy and paste is not a
> > > > very good idea after all when it comes to implement samba _right_ ;)
> > > > This should be mentioned in the docs a hundred times if you ask me!
> > > > Another thing was, I could not delete a user from a specific group...
> > > > after _short_ googling with no luck, thinking, trying out something...
> > > > and see, found a bug! deluser on debian stable does not like to delete
> > > > root from _any_ group it just complains he is not in that group, but he
> > > > is! $EDITOR /etc/group did the trick here. This is just a side-effect
> > > > from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=428144 I think.
> > > > As deluser is a perl script and I am not very good at reading perl, I
> > > > did not investigate this issue any further, I know it works on sid
> > > > (debian unstable) so it is fixed already. So... don't add root to any
> > > > groups you want to remove him afterwards from, on debian etch... ;)
> > > >
> > > > So in short, I think one small chapter about those scripts including
> > > > notes about the distro specific stuff, a bunch of notes about copy and
> > > > paste, a joke every once in a while, a remark about locales (passwd
> > > > does not look the same in all languages > passwd chat), encourage users
> > > > to debug samba themselves, a rant about google and how useless and
> > > > confusing it can be, some notes about "user manager for domains" and
> > > > how this piece of software works and as a running gag (my personal
> > > > favorite): Clear up myths! I have no idea why, but several users
> > > > reported usrmgr.exe should be installed on a share on the samba PDC to
> > > > get it running... it worked for them. Really, no idea what problem they
> > > > had, but I can't think of any reason why this could be true! (I think a
> > > > little bit of debugging would have been of help here ;) And if all that
> > > > is done, even dumb users like me can set up a samba PDC in less than 2
> > > > Minutes (maybe even faster!) and spend the rest of the day in the
> > > > woods, at a lake or <insert your favorite place here>.
> > > >
> > > > regards
> > > > Michael
> > > >
> > > > P.S.: 2 Minutes, excluding reading of course ;)
> > > > P.P.S.: Dance samba with me, dance samba all night long...
> > > >
> > > > On Saturday, 08.09.2007, at 23:54 -0500, John H Terpstra wrote:
> > > > > On Saturday 08 September 2007 23:30, Michael Schmitt wrote:
> > > > > > Hi List,
> > > > > >
> > > > > > I have some issues with user manager for domains (srvtools.exe from
> > > > > > MS) and the scripts mentioned in the subject. The examples from the
> > > > > > samba howto collection seem to cause serious issues here. I am on
> > > > > > debian etch and tried to create my own scripts but till now to no
> > > > > > avail. With the examples from the docs I could add groups, but
> > > > > > could not add users to groups. There was the option -A used but
> > > > > > here it seems to be -a referring to the manpage (log was helping
> > > > > > here)... anyhow changed to -a and it worked. But adding users does
> > > > > > not work at all. Different syntax, different problems, but nothing
> > > > > > does work. With the example of the howto collection the user
> > > > > > manager gave me "access denied" or similar (translated from german)
> > > > > > as I tried to add a user. I tried to use adduser instead of useradd
> > > > > > and came to these syntaxes:
> > > > >
> > > > > Please check the man page for your distro. The options to useradd,
> > > > > usermod, groupmod, etc. seem to vary considerably across Linux
> > > > > distros.
> > > > >
> > > > > > add user script = /usr/sbin/adduser --ingroup domusers --gecos
> > > > > > samba '% u'
> > > > > > delete user script = /usr/sbin/deluser '%u'
> > > > > > add group script = /usr/sbin/groupadd '%g'
> > > > > > delete group script = /usr/sbin/groupdel '%g'
> > > > > > add user to group script = /usr/sbin/adduser '%u' '%g'
> > > > >
> > > > > Please note that the adduser script is entirely different from the
> > > > > useradd utility. Neither is consistent across implementations. Both
> > > > > vary from Linux distro to distro. I was unaware of this until last
> > > > > week and am not sure how to handle this in the HOWTO, other than to
> > > > > make a note regarding the problem.
> > > > >
> > > > > > add machine script = /usr/sbin/useradd -s /bin/false -d
> > > > > > /var/lib/nobody '%u'
> > > > > >
> > > > > > now the adduser syntax gives me loads of this over and over again:
> > > > > >
> > > > > > Use of uninitialized value in chop at /usr/sbin/adduser line 537.
> > > > > > Use of uninitialized value in pattern match (m//) at
> > > > > > /usr/sbin/adduser line 538.
> > > > > > Enter new UNIX password: Retype new UNIX password: No password
> > > > > > supplied Enter new UNIX password: Retype new UNIX password: No
> > > > > > password supplied Enter new UNIX password: Retype new UNIX
> > > > > > password: No password supplied passwd: Authentication token
> > > > > > manipulation error
> > > > > > passwd: password unchanged
> > > > > >
> > > > > > If only all scripts would give me some hints why they don't work.
> > > > > > As I see not for all scripts log entries but none work I think
> > > > > > everything I tried was wrong.
> > > > >
> > > > > This is something you will need to take up with the Linux distro
> > > > > maintainer.
> > > > >
> > > > > > Could someone pinpoint me in the right direction or to the right
> > > > > > part of the docs? Maybe some insights of how those scripts need to
> > > > > > be built?
> > > > >
> > > > > The useradd and adduser tools should NOT set the password. That
> > > > > would be done using the passwd utility.
> > > > >
> > > > > - John T.
> > >
> > > --
> > > John H Terpstra
> > > Samba-Team Member
> > > Phone: +1 (650) 580-8668
> > >
> > > Author:
> > > The Official Samba-3 HOWTO & Reference Guide, 2 Ed., ISBN: 0131882228
> > > Samba-3 by Example, 2 Ed., ISBN: 0131882221X
> > > Hardening Linux, ISBN: 0072254971
> > > Other books in production.
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions: https://lists.samba.org/mailman/listinfo/samba
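
The point made in the thread about passwd chat (it is a script of what smbd expects to read from the passwd program, so prompts in another locale break it), as an added example that is not part of the original mails. It is a simplified model, not Samba's code: parse_chat, run_chat, SAMPLE_CHAT and the German prompts are constructed for illustration.

```python
import fnmatch

# Sample chat string in smb.conf syntax (assumed; compare with your own smb.conf).
# \s = space, \n = newline, %n = new password, "." = expect/send nothing.
SAMPLE_CHAT = (r"*Enter\snew\s*\spassword:* %n\n "
               r"*Retype\snew\s*\spassword:* %n\n "
               r"*password\supdated\ssuccessfully* .")

# Prompts as quoted in the thread (English), plus the usual success line.
ENGLISH = ["Enter new UNIX password: ",
           "Retype new UNIX password: ",
           "passwd: password updated successfully"]

# Constructed German prompts: same program, different locale.
GERMAN = ["Geben Sie ein neues UNIX-Passwort ein: ",
          "Geben Sie das neue UNIX-Passwort erneut ein: ",
          "passwd: Passwort erfolgreich geaendert"]


def parse_chat(chat):
    """Split a chat string into (expect, send) pairs; tokens are space separated."""
    tokens = chat.split()
    if len(tokens) % 2:          # a trailing expect with nothing to send
        tokens.append(".")
    return list(zip(tokens[0::2], tokens[1::2]))


def _unescape(token):
    """Turn the smb.conf escapes into the characters they stand for."""
    return token.replace(r"\s", " ").replace(r"\n", "\n").replace(r"\t", "\t")


def run_chat(chat, prompts, new_password, old_password=""):
    """Walk the chat against what the passwd program printed.

    Returns (ok, sent, unmatched): the strings that would have been typed
    into passwd, and the first prompt that did not match (None on success).
    """
    sent, output = [], iter(prompts)
    for expect, send in parse_chat(chat):
        if expect != ".":
            got = next(output, "")
            if not fnmatch.fnmatchcase(got, _unescape(expect)):
                return False, sent, got   # password never set: account is rolled back
        if send != ".":
            text = _unescape(send)
            sent.append(text.replace("%n", new_password).replace("%o", old_password))
    return True, sent, None


if __name__ == "__main__":
    print(run_chat(SAMPLE_CHAT, ENGLISH, "s3cret"))
    print(run_chat(SAMPLE_CHAT, GERMAN, "s3cret"))
```

The second call fails on the very first prompt, which matches the behaviour described in the thread: the account is created, the password cannot be set, and the Windows side only reports "Access denied".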
