[Samba] We need help with a bug....smbldap-installer script (long)

2005-02-06 Thread David Trask
Hi all!

First of all...if you haven't heard of the smbldap-installer
script...allow me to introduce it to you.  Here's the latest announcement
that Matt Oquist posted to the K12OS list (Matt and I are working on this
together...he's the scripter and I'm the tester/documenter).  First the
announcement and then read on below to see what we need help with...and
some questions I have.

##
Version 1.2-beta of the smbldap-installer script is available at
http://majen.net/smbldap-installer-1.2-beta.tgz

This version has been updated to include shell and home fields in
the input to smbldap-useradd-bulk.  This means that you can use
userinfo.start and 'make' to create users just as you could
previously, but if you wish you can also manipulate the input for
smbldap-useradd-bulk yourself.

For example, you could use create-usernames to create your usernames,
and then use a spreadsheet (or whatever else) to add customized home
directories and/or shells.  Then you could give that input to
smbldap-useradd-bulk to create your users on the system.

Both create-usernames and smbldap-useradd-bulk have inline
documentation:
$ create-usernames --help
$ smbldap-useradd-bulk --help

And, as always, you can look in the Makefile to see how it's using the
two scripts.

This is a beta version because:
1. the roving profiles problem we've been discussing is not solved
2. the included Samba-LDAP_smbldap-installer document is not updated
   to reflect the changes to smbldap-useradd-bulk
3. it has not undergone full testing

Please let me know if these changes are the right changes, and of
course let me know about all the bugs you find.  :)

--matt
#

Ok...now for the issues we know about.  First, the script right now is
written to only work with Fedora Core 3 or K12LTSP 4.2 (we had to start
somewhere...if you'd like to alter or repackage for another
distro...PLEASE do and share with us).  Now...everything works in my
test environment and in others...we can add users...Linux users can
authenticate...Windows users can authenticate...we can join Windows
machines to the domain...BUT we're having a problem with roaming
profiles.  The login goes fine so we know the authentication takes
place...but then Windows gives an error that it doesn't have permission
to access the profiles directory and as a result is using a TEMP directory
which will (and indeed does) disappear once the user logs off.  We could
use some help finding out why this is happening.  (We'd like to have it
fixed in time for Linux World in Boston next week)  We are using the
latest version of smbldap-tools in this script (0.86 I believe)

Now for some questions

There appear to be some issues with the Administrator user this time
around (I have a perfectly working Samba/LDAP server in production at my
school running version 0.84 of smbldap-tools and version 3.0.7-2 of Samba)
and I noticed that John T. had mentioned that smbldap-populate should be
run differently (See below)
#
Get rid of the Administrator account. Use the root account instead.
You have ambiguous names that can NOT unambiguously resolve to one identity.

ie: Is uid=0 root or is it Administrator?
Does uid=0 map to the Administrator SID or to some other SID?

Also, use:
net rpc join -S 'PDC_Name' -Uroot%secret

PS: It is best to populate your LDAP directory using:
smbldap-populate -a root,  not just the default which creates an
Administrator account.

- John T.

If I do it this way do I join machines to the domain using root as
opposed to administrator?  And when I run smbpasswd -w secretpassword
will that set it for root?

Secondly...I noticed this

when I run getent passwd on my current functioning Samba/LDAP
server (production box...pre smbldap-installer) I get ...

Administrator:x:0:512:Netbios Domain Administrator:/home/:/bin/false

Whereas on a machine I just set up with smbldap-installer...I get...

Administrator:x:0:512:Netbios Domain Administrator:/home/Administrator:/bin/false

Note the difference in home.  Are you guys seeing this?  I'm having an
issue running programs like gedit as it wants to write to
/home/Administrator, but it isn't there.   I wonder if this is
contributing?

Anyway...I could really use some help trying to debug this
situation...not only for me, but for all of us.  Plus I'm supposed to be
teaching a class about it in 2 weeks...(hence the panicking)...I tested
everything except roaming profiles and never would have even thought to
check if it hadn't been for Jim K.  I have a functioning Samba/LDAP server
already thus I hadn't needed to try it, but I do need to fix this as I run
Windows roaming profiles and will need it to work when I upgrade this
summer.  Arrrgghhh!   Any help gratefully appreciated...If you go to
Linux World I'll buy you a beer.  :-)


David N. Trask
Technology Teacher/Coordinator
Vassalboro Community School
[EMAIL 
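
An added example (not part of the original posts, and not code from smbldap-installer): a shell check over `getent passwd`-style output for the two things raised in the message above, more than one account name on the same UID and a home directory that does not exist. The sample lines, the function names and the optional path prefix are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Input is passwd(5)-format text as
# printed by `getent passwd`: name:passwd:uid:gid:gecos:home:shell

# Constructed sample modelled on the getent line quoted in the message.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
Administrator:x:0:512:Netbios Domain Administrator:/home/Administrator:/bin/false
jdoe:x:1000:513:Jane Doe:/home/jdoe:/bin/bash
EOF
}

# Print "UID name1,name2" for every UID carried by more than one account.
# A reverse lookup on such a UID cannot return a single name.
shared_uids() {
    awk -F: '
        NF == 7 {
            if (count[$3]++) names[$3] = names[$3] "," $1; else names[$3] = $1
        }
        END { for (u in count) if (count[u] > 1) print u, names[u] }
    ' | sort -n
}

# Print "name home" for every account whose home directory does not exist.
# Optional $1 is a path prefix (hypothetical helper argument) so a mounted
# copy of the filesystem can be checked instead of the live one.
missing_homes() {
    prefix=${1:-}
    while IFS=: read -r name _ _ _ _ home _; do
        [ -n "$name" ] || continue
        [ -d "$prefix$home" ] || printf '%s %s\n' "$name" "$home"
    done
}

sample_passwd | shared_uids    # live system: getent passwd | shared_uids
```

On a live server the same functions take `getent passwd` on standard input, so LDAP-backed accounts are included in the check.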

RE: [Samba] We need help with a bug....smbldap-installer script (long)

2005-02-06 Thread Steve Simeonidis
Can you send a copy of your smb.conf file?

Have you checked the permissions on the profiles directory you've created?
If I'm not mistaken the directory permissions should be 1777.

What is net groupmap list reporting?

Thanks



Re: [Samba] We need help with a bug....smbldap-installer script (long)

2005-02-06 Thread David Trask
Steve Simeonidis [EMAIL PROTECTED] on Sunday, February
6, 2005 at 8:59 PM + wrote:
> Can you send a copy of your smb.conf file?

If you download the script you can see a copy of the smb.conf file in the
templates directory...only thing missing are the variables that are
entered into the script...things like netbios name...domain name etc.


> Have you checked the permissions on the profiles directory you've
> created?
> If I'm not mistaken the directory permissions should be 1777.

It's 1777


> What is net groupmap list reporting?

I'll have to let you know tomorrow afternoon once I get my next test
going...although I'll forward/cc this to Matt to see if he has
anything

Thanks


David N. Trask
Technology Teacher/Coordinator
Vassalboro Community School
[EMAIL PROTECTED]
(207)923-3100

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] We need help with a bug....smbldap-installer script (long)

2005-02-06 Thread David Trask
Craig White [EMAIL PROTECTED] on Sunday, February 6, 2005 at 9:57
PM + wrote:
> I admire your efforts but would caution you...
>
> - doesn't make much sense to start programming a solution in which you
> don't have the map in front of you - i.e. a complete how-to, run through
> each step manually and you could even grab everything you did from the
> 'history' command

The how-to is included in the package as documentation and is on the web
at http://web.vcs.u52.k12.me.us/linux/smbldap


> - the concept is interesting in that it attempts to promote the 'lesser
> skilled' into an actual working environment but of course, they won't be
> able to maintain it.

Why not?  Many folks on the K12OS list have been doing so for a couple
years now since my first how-to.  I've been using it for two years now and
I'm not nearly as skilled as you think.


> - if I had any quantity of users, I am sure I wouldn't use /home as base
> and thus would be editing /etc/default/useradd and adjust entries in my
> DSA accordingly

What do you consider a quantity?  I have 600 users and use /home...I'm
not sure where you're going with this...what's wrong with /home?  I use my
Samba/LDAP server for K12LTSP, Windows XP network, and Win 2003 Terminal
server network...works fine.  Although I will say that the newest version
of the smbldap-useradd-bulk script allows folks to get more specific about
the location of home dirs.  For example:  Mrs. Jones class can be located
in  /home/mrsjones/username   Also...don't confuse Matt's announcement
about the useradd script as being what smbldap-installer is all about.
The smbldap-useradd-bulk script is an add-on in addition to
smbldap-installer (which sets up the server).


> - there are so many other files that are involved / impacted by your
> scenario besides the obvious smbldap_conf.pm (or whatever it is called
> these days...I'm still on an older version). Files such
> as /etc/ldap.conf, /etc/nsswitch.conf, slapd.conf and I presume that you
> are going to have people hand edit them and they will pull their hair
> out.

No...the script fills in the values for you and copies the conf files to
the correct locations.  That's precisely what we're trying to avoid.  Run the
script...answer the prompts...and voila!  You have a working Samba/LDAP
server.  We'll even take care of the exporting of /home for you if you
want.  It's one of the prompts.  And yes...the primary audience is not
the uber-geek, but rather the common IT guy employed by a school or a
small to mid-sized company.


> - I am firmly of the opinion that no one should be running LDAP if they
> can't easily use tools such as ldapmodify and ldapsearch - they can't
> troubleshoot. There is no shortcut on knowledge on this one.

I agree to some extent, but also feel that even newbies can use LDAP in a
low-mission-critical environment especially if they back up data.  I had a
Samba/LDAP server problem earlier this fall, but since I back up the /home
dirs to another server...I was able to easily rebuild the server...plug
the users back in...copy /home back over...rerun the user creation
script I use to fix permissions and away we went without skipping a beat.


> - You're looking at everything in a vacuum, it's likely people are going
> to want their server to do things other than be a samba server.
> Integration with openldap - well if they don't understand it, it's going
> to present a real challenge.

I hear you, but what we're finding is that 90% of the people who asked for
and are using this script (it's been out for about three weeks)...are
folks like me...those who want to provide centralized authentication for
a mixed Linux, Windows, OS X network.  Mail is sometimes figured in, but
often not.


> - I can see the need for the type of thing you are trying to do but I
> think it has to almost be a distro in and of itself. Probably should
> have a perl program that is web accessible where it writes ALL of the
> config files out and not just populate the DSA. By all, I mean openldap,
> samba, bind, dhcp padl's nsswitch  ldap.conf, obviously the
> smbldap_conf files and of course, this is pretty much a one shot deal.

The script does write out the configs.  Most of the conf files are in the
templates directory...the script prompts for things like domain names,
passwords, etc.  And then writes the configs.  It also backs up your
current configs.  It doesn't do dhcp as that is done when you set up the
server.

Thanks, but I hope folks will still help us try to get over the roaming
profiles issue.  Baby steps...let's start with this script and grow from
there.


> Craig


David N. Trask
Technology Teacher/Coordinator
Vassalboro Community School
[EMAIL PROTECTED]
(207)923-3100



Re: [Samba] We need help with a bug....smbldap-installer script (long)

2005-02-06 Thread David Trask
Craig White [EMAIL PROTECTED] on Sunday, February 6, 2005 at 11:26
PM + wrote:
> I'm sure I gave you the answers on the profiles issue

You did give me some info and I appreciate that...here's the profiles
section of my smb.conf

[profiles]
   path = /opt/samba/profiles
   writeable = yes
   browseable = no
   #create mode = 0644
   #directory mode = 0755
   # this prevents users from browsing other peoples' profiles
   create mode = 0600
   directory mode = 0700

Note we changed the create mode and directory mode from what was given by
the folks from IDEALX in their example...in an effort to secure things.
I can see in your example that you did the same.

Due to the name of the smbldap_conf.pm file I'm aware that you're using an
older version of smbldap-tools.  This past summer I migrated from RH 9
using an older version of smbldap-tools and Samba 2 to Fedora Core 2 using
Samba 3 and smbldap-tools 0.84 (what I'm using on my production
server...0.86 is what we use in the script).  Things changed dramatically
in the newer versions.  Name changes...and in the latest
version...location changes.  No longer is smbldap-tools located in
/etc/smbldap-tools...nor are the executables located in
/usr/local/sbin...they are now in /opt/IDEALX/sbin.  Anyway...in version
0.84 there was a bug or feature where in order to get smbldap-populate
to work (because of the adding of the Administrator user) you had to go to
smbusers and comment out the line with

#root = administrator admin

Once one did this...everything worked fine.  I'm wondering if things have
changed with the newer version of smbldap-tools and possibly the later
version of samba in FC3 that make this unnecessary and perhaps naughty.
My hunch is the profiles issue is a permissions problem...not in the sense
that the profiles directory is not 1777 (which it is) but rather something
amiss with Administrator.  In earlier versions of Samba and smbldap-tools
(at least in my case) root was the user that I used to join Windows
machines to the domain (entered on the Windows machine)...now it is
Administrator...but quirky little things are making me wonder if that's
not the case anymore.

David N. Trask
Technology Teacher/Coordinator
Vassalboro Community School
[EMAIL PROTECTED]
(207)923-3100
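
An added example (not part of the original posts, and not code from smbldap-installer): a shell audit of a profiles share root against the settings discussed in this thread, mode 1777 on the root and no group/other bits on the per-user directories (`directory mode = 0700`). It assumes GNU `stat -c` and that each profile directory is named after the account that owns it; the function name is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Requires GNU stat (-c).
# audit_profiles ROOT prints one finding per line, nothing when all is well.
audit_profiles() {
    root=$1
    mode=$(stat -c '%a' "$root") || return 2
    # The thread expects the share root to be 1777 (world-writable + sticky).
    [ "$mode" = "1777" ] || echo "root-mode $root $mode"
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue        # glob matched nothing
        dir=${dir%/}
        name=${dir##*/}
        mode=$(stat -c '%a' "$dir")
        owner=$(stat -c '%U' "$dir")
        # directory mode = 0700 means no group or other permission bits.
        case $mode in
            0|*00) ;;
            *) echo "open-dir $name $mode" ;;
        esac
        # Assumption: a profile directory carries its owner's account name.
        [ "$owner" = "$name" ] || echo "owner-mismatch $name $owner"
    done
}
```

With the share from the smb.conf excerpt above it would be run as `audit_profiles /opt/samba/profiles`.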