29.2.12

Linux takes control of Microsoft

The days of Microsoft domination in the corporate network market are numbered. The amazing technological achievement that is Samba 4 puts an end to the monopoly Microsoft has enjoyed in this space since the NT domain days. It allows Linux servers to take full control over what was once a lucrative, exclusive and unopposed marketplace.

But what's the key to all this? Answer: the domain. What's a domain? Answer: it's an after-hours lock-in. Your safety is guaranteed whilst you're inside: the domain controller vouches for who you are (Kerberos tickets) and every machine in the domain trusts it. Venture out and we'll still do our best to protect you, but you'll have no safety net. There's a lot of confusion about how to join a domain, so let's have a look at what's involved.

In this example, our Samba4 DC is hh3.hh3.site at IP 192.168.1.3 and our Windows 7 client has hostname SuSE-pc at IP 192.168.1.12. We'll join SuSE-pc to the domain (hh3.site) we created when we installed our Samba4 DC, following the instructions in the official Samba4 HOWTO.

There are a few stages involved in the join, which we outline here. As you go through the example, bear in mind that there is not a single Microsoft networking component anywhere on the server side: DNS, Kerberos, LDAP and SMB are all served from Linux.

Stage 1. As local admin.
Add two registry values (both REG_DWORD; the Samba4 HOWTO of the time asks for them on Windows 7). On the start menu type regedit and hit enter. They live here:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters
DomainCompatibilityMode = 1
DNSNameResolutionRequired = 0
Then the Control Panel Network Connections screen: use only one DNS server during the join, and set it to point at the same DNS that s4 uses (here 192.168.1.3). Don't waste time going beyond here if the DNS tests do not work. We tested name --> IP, but you should also test IP --> name, i.e. the reverse zone. Here, Bind can ping out, but that is not essential to the join.
Where do we tell it to join a domain? The easy way to get there is right-click Computer > Properties > Change settings. Enter the domain name (hh3.site, not the CACTUS workgroup), then your domain admin details, and take a deep breath.
Our Ubuntu server makes a lot of noise during the join. Here, SuSE-pc gets a machine account, becomes SuSE-pc$ and successfully obtains a ticket for the fileserver. There's something strangely satisfying about seeing that popup. It wouldn't be Microsoft without, erm, what does it say? Ah, that's better. Restart. Of course.
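The DNS tests Stage 1 insists on, as an added example that is not part of the original page: forward (name --> IP), reverse (IP --> name) and the SRV records a client walks to find a DC and a KDC, all asked of the one resolver the client will be pointed at. It assumes dig is installed and defaults to this page's names and addresses, which can be overridden in the environment; the s4dns_* function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: the DNS pre-flight that Stage 1
# asks for, run from the DC or any Linux box that can reach it. Needs dig
# (bind9-dnsutils). The DC name, IP and realm default to this page's values and
# can be overridden in the environment; the s4dns_* names are this example's own.
DC_FQDN=${DC_FQDN:-hh3.hh3.site}
DC_IP=${DC_IP:-192.168.1.3}
REALM=${REALM:-hh3.site}
DNS=${DNS:-$DC_IP}   # the single resolver the Windows client will be pointed at

# 192.168.1.3 -> 3.1.168.192.in-addr.arpa, the name the IP --> name test looks up
s4dns_ptr_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# The SRV records a client walks to find a DC and a KDC for <realm>; a join
# that gets past DNS but dies at Kerberos is often one of these missing.
s4dns_srv_names() {
    printf '%s\n' "_ldap._tcp.$1" "_kerberos._tcp.$1" "_kerberos._udp.$1" \
        "_ldap._tcp.dc._msdcs.$1"
}

# 'dig +short SRV' prints "prio weight port target." per answer; succeed only if
# at least one target is our DC.
s4dns_srv_points_at_dc() {   # stdin: dig +short output; $1: DC FQDN
    awk -v dc="$1." '$4 == dc { ok = 1 } END { exit ok ? 0 : 1 }'
}

s4dns_check_all() {
    rc=0
    a=$(dig +short A "$DC_FQDN" "@$DNS")
    if [ "$a" = "$DC_IP" ]; then echo "name --> IP  ok: $DC_FQDN -> $a"
    else echo "name --> IP  FAIL: got '$a'"; rc=1; fi
    p=$(dig +short -x "$DC_IP" "@$DNS")
    if [ "$p" = "$DC_FQDN." ]; then echo "IP --> name  ok: $DC_IP -> $p"
    else echo "IP --> name  FAIL: got '$p' (no PTR for $(s4dns_ptr_name "$DC_IP")?)"; rc=1; fi
    for n in $(s4dns_srv_names "$REALM"); do
        if dig +short SRV "$n" "@$DNS" | s4dns_srv_points_at_dc "$DC_FQDN"; then
            echo "SRV          ok: $n -> $DC_FQDN"
        else echo "SRV          FAIL: $n does not name $DC_FQDN"; rc=1; fi
    done
    return $rc
}

# Query only when asked (S4DNS_RUN=1 ./s4dns), so the helpers load offline.
if [ "${S4DNS_RUN:-0}" = 1 ]; then s4dns_check_all; fi
```

Run it with S4DNS_RUN=1 from a box whose only resolver is the DC; any FAIL line is the reason to stop before touching the Windows side.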
Stage 2. The Domain Administrator takes over
The domain logon screen: log on to the domain (hh3.site), not to the local computer. They say it takes longer the first time ... zzz ... zzz ...
Admin locking a group into one of the shares using the acl editor. The client <--> server dialogue in WireShark: you never understand what it's saying!
Install Google Chrome and download the M$ free gift, the Remote Server Administration Tools. Then, 1/2 hour later ... zzz ... zzz ... choose the bits you want. You want the stuff that says AD. It's got to be around here somewhere.
Now, in an attempt to do something useful, here are two users and two groups we posix-ified over on the Samba4 server with the scripts in the 26.2.12 entry below. You don't have to point and click to get this going. But you can if you must. ldbmodify at its very best.


Now, everyone. Put your hands together for the Samba4 devs. What a piece of technology:-)

28.2.12

The 8 Euro computer

Security conscious? Carry your computer around in your handbag: a computer on a memory stick. But how long before you lose the protective cap? Great idea, the indestructible Kingston Datatraveler. Hundreds of presentations, photos and mp3s, and still 2.5GB left! The beautiful Ubuntu Oneiric revives an old Acer laptop.

27.2.12

Windows XP joins Samba 4 Domain

Many moons ago, I took delivery of 25 IBM black boxes. They came complete with dodgy power-on buttons, 256MB of RAM and they ran XP. The deal was buy 24, get one free. They lasted a day before getting virus-ridden for the rest of their Microsoft lives. We installed SuSE 7 and updated from the 6-CD set at regular intervals. The boxes were thrashed to hell 12/6. There was to be a gap of over 10 years before we installed XP again. It would have been nice to use one of those old IBMs (1999, the IBM Intellistation). Alas, we had to make do with an XP installation on Oracle VirtualBox.
On the other side of the room is an Ubuntu machine running Samba4, DNS and NFS. Here is us dealing with the Windows side of affairs.
There must be a reason for all this. Why install XP all these years on? Samba 4 is poised to seriously question the M$ monopoly on corporate (and not so corporate) networks. Open Source Active Directory is here, and it's here now. But just what is Active Directory and how can we use our Linux workstations within it? Let's join the domain and have a look.
First failure to join the domain: we typed CACTUS, which is our workgroup (the NetBIOS name). The domain to join is hh3.site! Then the irrefutable evidence that Microsoft is present: Next.
Log in as domain administrator, install Chrome and make it default, then grab the Microsoft Remote AD Tools. How do I get the thing on the Desktop? Here you can see our posix-ified domain group, debusers.
Neat, eh? AD without a Microsoft server in sight. Go on, admit it. There were a few head-scratching moments trying to join the domain. Like not setting DNS, and forgetting how you log on to the domain rather than the computer itself. Oh, and there were other failures too. Go on. Tell them. Admit it. Erm, OK. We have only Spanish keyboards and, erm, well, our password for Administrator wasn't accepted. But of course you don't see the password, do you. So we didn't know that when you think you are typing MyP@s1wd you are actually typing MyP²s1wd. This makes Kerberos throw violent fits over on the KDC with all manner of threats about deception (or was it decryption?), not to mention bad language like arcfour-hmac-md5. Not a pretty site (geddit?!). You have been warned.

26.2.12

Samba 4: scripts for Linux integration

** Update 2020: I'd forgotten this was here. Guys, you really are still using AD? You really are still employing a sysadmin? Go cloud and forget all the on-the-ground DNS rubbish!

** Update 2014: full suite of tested scripts here: s4bind

Scripts to help make s4 users and groups play nice with Linux. Warning: tested, but not idiot-proof by any means. You may want to make a backup of sam.ldb and idmap.ldb;-)
Our domain is hh3.site (workgroup CACTUS).
Reference: the POSIX sections of the Microsoft AD schema, in the 25.2.12 entry below.

1. s4group
Creates a posix group suitable for accommodating both Linux and Windows users

  cat s4group
#!/bin/bash
#creates a posix group suitable for containing Linux users
#usage s4group <name>
#names with spaces ('Domain Users') need the quotes below to survive
set -e
name=$1
[ -n "$name" ] || { echo "usage: s4group <name>" >&2; exit 1; }
echo "Creating s4 posix group $name"
samba-tool group add "$name"
#winbind has now allocated an xid for the new SID; reuse it as the gidNumber
strgid=$(wbinfo --group-info="$name")
gid=$(echo "$strgid" | cut -d ":" -f 3)
[ -n "$gid" ] || { echo "wbinfo could not resolve $name" >&2; exit 1; }
#private temp file rather than /tmp/$name: a local user could pre-create
#(or symlink) that predictable name and we write to it as root
ldif=$(mktemp)
echo "dn: cn=$name,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixGroup
-
add: gidnumber
gidnumber: $gid" > "$ldif"
ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site "$ldif"
rm -f "$ldif"

2. s4domaingroup-change-gid
Take the group you created above and change its gidNumber to a value of your choice (one that no local Linux group already uses).


 cat s4domaingroup-change-gid
#!/bin/bash
#usage s4domaingroup-change-gid <Domain Group> <new-gidNumber>
#e.g. a group created with s4group
#sets the xid in idmap.ldb to <xidNumber>
#and updates the gidNumber=xid in sam.ldb
#this can help prevent collision with existing Linux groups
#typical use: s4group mygroup then s4domaingroup-change-gid mygroup 2001
set -e
group=$1
newgid=$2
[ -n "$group" ] && [ "$newgid" -gt 0 ] 2>/dev/null || { echo "usage: s4domaingroup-change-gid <group> <gidNumber>" >&2; exit 1; }
#refuse a gidNumber a local group already owns: that is the collision we are avoiding
if getent group "$newgid" >/dev/null; then echo "gid $newgid is already in use: $(getent group "$newgid")" >&2; exit 1; fi
echo "Modifying s4 posix group $group"
#wbinfo prints "<SID> SID_DOM_GROUP (2)"; keep the first field only
sid=$(wbinfo --name-to-sid="$group")
echo "$sid"
gsid=$(echo "$sid" | cut -d " " -f1)
oldgid=$(wbinfo --group-info="$group" | cut -d ":" -f 3)
echo "found $group sid= $gsid (current gid $oldgid)"
ldif=$(mktemp)
#idmap.ldb keys its entries by SID
echo "dn: cn=$gsid
changetype: modify
replace: xidNumber
xidNumber: $newgid" > "$ldif"
echo "sleeping. . ."
sleep 2
ldbmodify --url=/usr/local/samba/private/idmap.ldb "$ldif"
echo "dn: CN=$group,CN=Users,DC=hh3,DC=site
changetype: modify
replace: gidNumber
gidNumber: $newgid" > "$ldif"
echo "sleeping. . ."
sleep 2
ldbmodify --url=/usr/local/samba/private/sam.ldb "$ldif"
rm -f "$ldif"
echo "$group changed from gid $oldgid to $newgid"
echo "pls change your users to reflect this"
#nscd/winbind may still serve the old gid for a while (see the nscd note further down)
sleep 2
echo "getent group:"
getent group "$group"

3. s4user
Creates a user and places him in a posix group created by s4group. It sets his default Windows primary group to be that posix group.

 cat s4user
#!/bin/bash
#creates a s4 user, posix-ifies him, places him in a posix group
#sets his windows primaryGroup=posixGroup and sets some common
#defaults for logging onto windows
#usage s4user <user> <group>
set -e
user=$1
group=$2
[ -n "$user" ] && [ -n "$group" ] || { echo "usage: s4user <user> <group>" >&2; exit 1; }
#the group must already be a posixGroup (s4group) or the gid lookup below is meaningless
echo "Creating s4 posix user $user"
echo "Pls enter pwd for $user"
samba-tool user add "$user"
sleep 2
#get the uid: wbinfo -i prints DOM\user:*:uid:gid:gecos:home:shell
struid=$(wbinfo -i "$user")
uid=$(echo "$struid" | cut -d ":" -f 3)
#get the gid
strgid=$(wbinfo --group-info="$group")
gid=$(echo "$strgid" | cut -d ":" -f 3)
[ -n "$uid" ] && [ -n "$gid" ] || { echo "could not resolve uid/gid via winbind" >&2; exit 1; }
#primaryGroupID is the RID, i.e. the last dash-separated field of the group's SID
strsid=$(wbinfo --gid-to-sid="$gid")
primarygid=${strsid##*-}
#the workgroup is the part before the backslash
strwg=$(echo "$struid" | cut -d "\\" -f 1)
#private temp file: /tmp/$user is predictable and we write to it as root
ldif=$(mktemp)
#add the posix attributes to the user
echo "dn: CN=$user,CN=Users,DC=hh3,DC=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: $uid
-
add: gidnumber
gidnumber: $gid
-
add:unixhomedirectory
unixhomedirectory: /home/$strwg/$user
-
add: loginshell
loginshell: /bin/bash" > "$ldif"
ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site "$ldif"
#AD only accepts a primaryGroupID the user is already a member of, so add first
samba-tool group addmembers "$group" "$user"
#set the user to the posix group
echo "dn: CN=$user,CN=Users,DC=hh3,DC=site
changetype: modify
replace: primarygroupid
primarygroupid: $primarygid" > "$ldif"
echo "sleeping. . ."
sleep 5
ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site "$ldif"
#home dir: private to the user rather than whatever umask gives
mkdir -p -m 0700 "/home/$strwg/$user"
chown -R "$user:$group" "/home/$strwg/$user"
hostname=$(hostname -s)
#bash turns \\\\ into \\ and \\ into \, so sam.ldb gets \\host\share\user
echo "dn: CN=$user,CN=Users,DC=hh3,DC=site
changetype: modify
add: profilePath
profilePath: \\\\$hostname\\profiles\\$user
-
add: homeDrive
homeDrive: Z:
-
add: homeDirectory
homeDirectory: \\\\$hostname\\home\\$user" > "$ldif"
echo "sleeping. . ."
sleep 5
ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site "$ldif"
rm -f "$ldif"
echo "New user: "  $user "POSIX-ified as follows:"
echo "uid " $uid
echo "gid " $gid
echo "primaryGroupID " $primarygid " :$group"
echo "getent passwd $user"
echo $(getent passwd "$user")
#this is the group's sid; the user's own is wbinfo --uid-to-sid=$uid
echo "sid " $(wbinfo --gid-to-sid="$gid")
db=/usr/local/samba/private/sam.ldb
ldbsearch --url=$db "cn=$user" | grep "\\\\$hostname"
ldbsearch --url=$db "cn=$user" | grep homeDrive

4. s4domaingroup
This was written to help make the posix <--> windows group mapping make more sense. The s4user script works, but it maps gidNumber=xidNumber, i.e. whatever gid winbind happened to allocate. Adding the posixGroup class to the Domain Users entry in sam.ldb and mapping xidNumber to gidNumber didn't make sense either, as this collided with the popular Linux group users. Here is an example which lets you choose the xid in /usr/local/samba/private/idmap.ldb instead. s4group followed by s4domaingroup-change-gid is probably the better way to go.

 cat s4domaingroup
#!/bin/bash
#usage s4domaingroup <Domain Group> <xidNumber>
#adds posix attributes to Domain Users group
#sets the xid to <xidNumber>
#sets the posix gidNumber = xidNumber
#this can help prevent collision with the existing Linux groups
set -e
group=$1
xid=$2
[ -n "$group" ] && [ "$xid" -gt 0 ] 2>/dev/null || { echo "usage: s4domaingroup <group> <xidNumber>" >&2; exit 1; }
#refuse an xid a local group already owns: that is the collision we are avoiding
if getent group "$xid" >/dev/null; then echo "gid $xid is already in use: $(getent group "$xid")" >&2; exit 1; fi
echo "Modifying  s4 group $group"
#wbinfo prints "<SID> SID_DOM_GROUP (2)"; keep the first field only
sid=$(wbinfo --name-to-sid="$group")
echo "$sid"
gsid=$(echo "$sid" | cut -d " " -f1)
echo "found $group sid= $gsid"
ldif=$(mktemp)
#idmap.ldb keys its entries by SID
echo "dn: cn=$gsid
changetype: modify
replace: xidNumber
xidNumber: $xid" > "$ldif"
echo "sleeping. . ."
sleep 2
ldbmodify --url=/usr/local/samba/private/idmap.ldb "$ldif"
#academic exercise: we've set it so let's use it (and check winbind agrees)
strgid=$(wbinfo --group-info="$group")
gid=$(echo "$strgid" | cut -d ":" -f 3)
[ "$gid" = "$xid" ] || echo "warning: winbind still reports gid $gid (cached?); sam.ldb will get $gid" >&2
echo "dn: cn=$group,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixGroup
-
add: gidNumber
gidNumber: $gid" > "$ldif"
echo "sleeping. . ."
sleep 5
ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site "$ldif"
rm -f "$ldif"
echo "$group rfc2307-ified"

5. s4domainuser
This script can be used to add a user to a group which has been modified by the s4domaingroup script. Unlike the s4user script, this script does not modify the windows primaryGroupID.

 cat s4domainuser
#!/bin/bash
#adds posix attributes to a user in the default Domain Users group
#adds windows home path profiles and logon drive
#pls see s4user to specify a different default group
#usage s4domainuser <user>
set -e
user=$1
[ -n "$user" ] || { echo "usage: s4domainuser <user>" >&2; exit 1; }
echo "Creating s4 POSIX Domain User $user"
echo "Pls enter pwd for $user"
samba-tool user add "$user"
sleep 2
#get the uid: wbinfo -i prints DOM\user:*:uid:gid:gecos:home:shell
struid=$(wbinfo -i "$user")
uid=$(echo "$struid" | cut -d ":" -f 3)
#get the gid of Domain Users (posix-ified beforehand with s4domaingroup)
strgid=$(wbinfo --group-info='Domain Users')
gid=$(echo "$strgid" | cut -d ":" -f 3)
[ -n "$uid" ] && [ -n "$gid" ] || { echo "could not resolve uid/gid via winbind" >&2; exit 1; }
#the workgroup is the part before the backslash
strwg=$(echo "$struid" | cut -d "\\" -f 1)
#private temp file: /tmp/$user is predictable and we write to it as root
ldif=$(mktemp)
#add the posix attributes to the user
echo "dn: CN=$user,CN=Users,DC=hh3,DC=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: $uid
-
add: gidnumber
gidnumber: $gid
-
add:unixhomedirectory
unixhomedirectory: /home/$strwg/$user
-
add: loginshell
loginshell: /bin/bash" > "$ldif"
echo "sleeping . . ."
sleep 2
ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site "$ldif"
#home dir: private to the user rather than whatever umask gives
mkdir -p -m 0700 "/home/$strwg/$user"
chown -R "$user:$gid" "/home/$strwg/$user"
db=/usr/local/samba/private/sam.ldb
hostname=$(hostname -s)
#bash turns \\\\ into \\ and \\ into \, so sam.ldb gets \\host\share\user
echo "dn: CN=$user,CN=Users,DC=hh3,DC=site
changetype: modify
add: profilePath
profilePath: \\\\$hostname\\profiles\\$user
-
add: homeDrive
homeDrive: Z:
-
add: homeDirectory
homeDirectory: \\\\$hostname\\home\\$user" > "$ldif"
echo "sleeping. . ."
sleep 5
ldbmodify --url=$db "$ldif"
rm -f "$ldif"
echo "New user: "  $user "POSIX-ified as follows:"
echo "uid " $uid
echo "gid " $gid
echo "getent passwd $user"
echo $(getent passwd "$user")
#this is the group's sid; the user's own is wbinfo --uid-to-sid=$uid
echo "sid " $(wbinfo --gid-to-sid="$gid")
ldbsearch --url=$db "cn=$user" | grep "\\\\$hostname"
ldbsearch --url=$db "cn=$user" | grep homeDrive

Prototype
Deleting users and groups leaves the database in a mess (a stale entry in idmap.ldb, plus orphaned home and profile folders). Here is an attempt to tidy up a bit:

 cat s4userdel
#!/bin/sh
#deletes a user and his home and profile folder
#tidies up idmap.ldb
#usage s4userdel <user>
set -e
user=$1
#an empty $1 would turn the rm below into rm -r /home/CACTUS/, so insist on one
[ -n "$user" ] || { echo "usage: s4userdel <user>" >&2; exit 1; }
echo "Deleting user $user"
#grab the SID before the account goes: idmap.ldb is keyed by it
sid=$(wbinfo --name-to-sid="$user")
usersid=$(echo "$sid" | cut -d " " -f1)
[ -n "$usersid" ] || { echo "no such user: $user" >&2; exit 1; }
echo "found $user sid= $usersid"
ldbdel --url=/usr/local/samba/private/idmap.ldb "CN=$usersid"
samba-tool user delete "$user"
#XP profiles live in <user>, Vista/7 ones in <user>.V2; no wildcard here or
#deleting 'ann' would also take out 'anna'
rm -rf "/home/CACTUS/$user" "/home/CACTUS/profiles/$user" "/home/CACTUS/profiles/$user.V2"
echo "$user deleted"


example
Here we set the Domain Users posix gidNumber to 2000 and add a posix user to the group.

1. Modify the xidNumber in idmap.ldb and posix-ify the group (it is s4domaingroup, not s4group, that takes the gid):
 s4domaingroup 'Domain Users' 2000

 wbinfo --group-info='Domain Users'
Domain Users:*:2000:
 getent group 'Domain Users'
Domain Users:*:2000:

2. posix-ify steve2 according to Domain Users:
 s4domainuser steve2
Creating s4 POSIX Domain User steve2
Pls enter pwd for steve2
New Password:
User 'steve2' created successfully
sleeping . . .
Modified 1 records with 0 failures
sleeping. . .
Modified 1 records with 0 failures
New user:  steve2 POSIX-ified as follows:
uid  3000016
gid  2000
getent passwd steve2
steve2:*:3000016:2000:steve2:/home/CACTUS/steve2:/bin/bash
sid  S-1-5-21-2871321456-443247610-264051687-513
profilePath: \\hh3\profiles\steve2
homeDirectory: \\hh3\home\steve2
homeDrive: Z:

3. test

 steve2@hh3:~$ id
uid=3000016(steve2) gid=2000(Domain Users) groups=2000(Domain Users)
 steve2@hh3:~$ touch hola.txt
 steve2@hh3:~$ ls -la hola.txt
-rw-r--r-- 1 steve2 Domain Users 0 2012-02-26 09:55 hola.txt
Domain Users and debusers as posix domain groups under Samba4 on Ubuntu. Co-starring the Samba4 wiki, creating a makes-you-look-twice effect.
bugs
ldbmodify has to be done in stages with a pause in between. Probably our slow hardware rather than a bug. Adding the posixGroup class to a group stops you listing its members with the usual tools. It works, but it is inconvenient. Best to leave Domain Users as it is and just posix-ify the groups themselves. Must write a script to list all members of a group, posix or not.

man cut(1)
SYNOPSIS
     cut -b list [-n] [file ...]
     cut -c list [file ...]
     cut -f list [-d delim] [-s] [file ...]
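The pieces the scripts above keep re-doing with cut and unquoted $1, pulled out as plain shell functions, as an added example rather than one of the page's own scripts. Nothing in it calls samba-tool or wbinfo, so it can be exercised on constructed wbinfo/ldbsearch output away from the DC: RID from SID (the primaryGroupID value), parsing a wbinfo -i line, RFC 4514 escaping of a CN such as "Domain Users", checking a candidate gidNumber against /etc/group before it collides with a local group, the posixGroup/posixAccount LDIF itself, and, for the TODO in bugs, group members read straight out of ldbsearch output. The s4_* names, the default base DN and the sample lines are this example's assumptions.

```shell
#!/bin/sh
# Added example, not one of the page's scripts: pure-shell helpers for the
# posix-ify workflow above. Nothing here calls samba-tool or wbinfo, so names
# with spaces ('Domain Users'), SIDs and wbinfo/ldbsearch output can be checked
# without a DC. The s4_* names and the default base DN are this example's own.

S4_BASE=${S4_BASE:-DC=hh3,DC=site}

# RID = last dash-separated field of an NT SID; it is what primaryGroupID holds.
# S-1-5-21-443838659-2890314986-1722269781-1118 -> 1118
s4_rid() { printf '%s\n' "${1##*-}"; }

# Split one 'wbinfo -i' line (DOM\user:*:uid:gid:gecos:home:shell) into
# "workgroup user uid gid" so callers never word-split unquoted output.
s4_parse_wbinfo() {
    acct=$(printf '%s' "$1" | cut -d : -f 1)
    printf '%s %s %s %s\n' \
        "$(printf '%s' "$acct" | cut -d '\' -f 1)" \
        "$(printf '%s' "$acct" | cut -d '\' -f 2)" \
        "$(printf '%s' "$1" | cut -d : -f 3)" \
        "$(printf '%s' "$1" | cut -d : -f 4)"
}

# RFC 4514 escaping for an RDN value placed in "CN=<value>,CN=Users,...":
# \ , + " < > ; get a backslash, as do a leading # and leading/trailing spaces.
s4_dn_escape() {
    printf '%s\n' "$1" | sed -e 's/[\\,+"<>;]/\\&/g' -e 's/^#/\\#/' \
                             -e 's/^ /\\ /' -e 's/ $/\\ /'
}

# 0 if the gid is already taken in a group(5) file (default /etc/group);
# run it before choosing a gidNumber so it cannot collide with a local group.
s4_gid_taken() {
    awk -F: -v g="$1" '$3 == g { f = 1 } END { exit f ? 0 : 1 }' "${2:-/etc/group}"
}

# First free gid at or above $1 in the same file.
s4_free_gid() {
    gid=$1
    while s4_gid_taken "$gid" "${2:-/etc/group}"; do gid=$((gid + 1)); done
    printf '%s\n' "$gid"
}

# LDIF that turns an existing Samba group into a posixGroup (what s4group applies).
s4_group_ldif() {   # <group> <gidNumber>
    printf 'dn: CN=%s,CN=Users,%s\nchangetype: modify\nadd: objectClass\nobjectClass: posixGroup\n-\nadd: gidNumber\ngidNumber: %s\n' \
        "$(s4_dn_escape "$1")" "$S4_BASE" "$2"
}

# LDIF that posix-ifies an existing Samba user (the first ldbmodify in s4user).
s4_user_ldif() {   # <user> <uidNumber> <gidNumber> <workgroup>
    printf 'dn: CN=%s,CN=Users,%s\nchangetype: modify\nadd: objectClass\nobjectClass: posixAccount\n-\nadd: uidNumber\nuidNumber: %s\n-\nadd: gidNumber\ngidNumber: %s\n-\nadd: unixHomeDirectory\nunixHomeDirectory: /home/%s/%s\n-\nadd: loginShell\nloginShell: /bin/bash\n' \
        "$(s4_dn_escape "$1")" "$S4_BASE" "$2" "$3" "$4" "$1"
}

# Members of a group straight out of sam.ldb, for the TODO in 'bugs' above. Feed it:
#   ldbsearch --url=/usr/local/samba/private/sam.ldb -b "$S4_BASE" "(cn=<group>)" member
s4_members_from_ldif() { sed -n 's/^member: CN=\([^,]*\),.*/\1/p'; }

# Check sam.ldb knows the class before adding it (only meaningful on the DC).
s4_schema_has() {   # posixAccount | posixGroup
    ldbsearch --url=/usr/local/samba/private/sam.ldb \
        -b "CN=Schema,CN=Configuration,$S4_BASE" "(ldapDisplayName=$1)" governsID |
        grep -qi '^governsid:'
}

# Constructed demo input (not captured from a DC): one wbinfo -i line and a SID.
s4_demo() {
    set -- $(s4_parse_wbinfo 'CACTUS\steve8:*:3000033:3000020:steve8:/home/CACTUS/steve8:/bin/bash')
    s4_user_ldif "$2" "$3" "$4" "$1"
    echo "primaryGroupID: $(s4_rid S-1-5-21-443838659-2890314986-1722269781-1118)"
}
```

Source the file on the DC and pipe s4_group_ldif or s4_user_ldif into ldbmodify; s4_free_gid 2000 picks the gid for s4domaingroup-change-gid without tripping over the users group.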

25.2.12

Microsoft go public: The AD LDAP schema

Here's hoping that the Samba4 gurus don't decide to change this. Here are the Linux'y bits we need:

from: MS-AD_Schema_2K8_R2_Classes, lines 2879 to 2930

cn: PosixAccount
ldapDisplayName: posixAccount
governsId: 1.3.6.1.1.1.2.0
objectClassCategory: 3
rdnAttId: uid
subClassOf: top
mayContain: uid, cn, uidNumber, gidNumber, unixHomeDirectory, homeDirectory, userPassword, unixUserPassword, loginShell, gecos, description
schemaIdGuid:ad44bb41-67d5-4d88-b575-7b20674e76d8
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=PosixAccount,CN=Schema,CN=Configuration,<RootDomainDN>

cn: PosixGroup
ldapDisplayName: posixGroup
governsId: 1.3.6.1.1.1.2.2
objectClassCategory: 3
rdnAttId: cn
subClassOf: top
mayContain: cn, userPassword, unixUserPassword, description, gidNumber, memberUid
schemaIdGuid:2a9350b8-062c-4ed0-9903-dde10d06deba
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=PosixGroup,CN=Schema,CN=Configuration,<RootDomainDN>

Development of ideas



It's just been pointed out that instead of:
echo "sid " $(wbinfo --gid-to-sid=$gid)
maybe
echo "user sid= " $(wbinfo --uid-to-sid=$uid)
would be less monotonous, and perhaps even useful: the script prints the group's SID on every run, when the SID you want to see is that of the user you just made. What's that phrase? Sarcasm will get you anywhere?

Don't read this: turn off nscd before fiddling with anything even remotely LDAP'y, or you will be looking at cached uids and gids rather than what you just wrote.

Escape those backslashes: in a double-quoted bash string, \\\\ gives \\ and \\ gives \, which is how the profilePath line in the script ends up as \\host\profiles\user in sam.ldb.

Headlines
Make a note of the date. Today I did something that was on my todo list. Here is the list:
- Clean floors
- Write a Samba4 user script
- Shopping
- Go to the bar

Samba4 script writing makes cleaning tasks seem decidedly attractive. Only joking. Here, we got one step further to automating Active Directory on Linux. Using just Linux, that is.

Aim
It is a real pain to have to tie up a Windows machine just for AD administration. What would be nice is if we could do it all from a Samba4 DC. We've got to the stage where we have taken a lot of the pain out of creating a domain user who can work on both Linux and Windows clients. We now have one command to add these attributes:
uidNumber
gidNumber
unixHomeDirectory
loginShell
primaryGroupID
profilePath
homeDirectory
homeDrive
and these object classes
posixAccount (for the user)
posixGroup (for the group)
to create a user who can log on to both Linux and Windows clients.

In the superb new Samba4, that is all it takes for users and groups to work transparently on both Linux and Windows LAN clients.

Here is the user script
We imaginatively call s4user
#!/bin/bash
#creates a s4 user, posix-ifies him, places him in a posix group
#sets his windows primaryGroup=posixGroup and sets some common
#defaults for logging onto windows
#usage s4user <user> <group>
set -e
user=$1
group=$2
[ -n "$user" ] && [ -n "$group" ] || { echo "usage: s4user <user> <group>" >&2; exit 1; }
#the group must already be a posixGroup (s4group) or the gid lookup below is meaningless
echo "Creating s4 posix user $user"
echo "Pls enter pwd for $user"
samba-tool user add "$user"
sleep 2
#get the uid: wbinfo -i prints DOM\user:*:uid:gid:gecos:home:shell
struid=$(wbinfo -i "$user")
uid=$(echo "$struid" | cut -d ":" -f 3)
#get the gid
strgid=$(wbinfo --group-info="$group")
gid=$(echo "$strgid" | cut -d ":" -f 3)
[ -n "$uid" ] && [ -n "$gid" ] || { echo "could not resolve uid/gid via winbind" >&2; exit 1; }
#primaryGroupID is the RID, i.e. the last dash-separated field of the group's SID
strsid=$(wbinfo --gid-to-sid="$gid")
primarygid=${strsid##*-}
#the workgroup is the part before the backslash
strwg=$(echo "$struid" | cut -d "\\" -f 1)
#private temp file: /tmp/$user is predictable and we write to it as root
ldif=$(mktemp)
#add the posix attributes to the user
echo "dn: CN=$user,CN=Users,DC=hh3,DC=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: $uid
-
add: gidnumber
gidnumber: $gid
-
add:unixhomedirectory
unixhomedirectory: /home/$strwg/$user
-
add: loginshell
loginshell: /bin/bash" > "$ldif"
ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site "$ldif"
#AD only accepts a primaryGroupID the user is already a member of, so add first
samba-tool group addmembers "$group" "$user"
#set the user to the posix group
echo "dn: CN=$user,CN=Users,DC=hh3,DC=site
changetype: modify
replace: primarygroupid
primarygroupid: $primarygid" > "$ldif"
echo "sleeping. . ."
sleep 5
ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site "$ldif"
#home dir: private to the user rather than whatever umask gives
mkdir -p -m 0700 "/home/$strwg/$user"
chown -R "$user:$group" "/home/$strwg/$user"
hostname=$(hostname -s)
#bash turns \\\\ into \\ and \\ into \, so sam.ldb gets \\host\share\user
echo "dn: CN=$user,CN=Users,DC=hh3,DC=site
changetype: modify
add: profilePath
profilePath: \\\\$hostname\\profiles\\$user
-
add: homeDrive
homeDrive: Z:
-
add: homeDirectory
homeDirectory: \\\\$hostname\\home\\$user" > "$ldif"
echo "sleeping. . ."
sleep 5
ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site "$ldif"
rm -f "$ldif"
echo "New user: "  $user "POSIX-ified as follows:"
echo "uid " $uid
echo "gid " $gid
echo "primaryGroupID " $primarygid " :$group"
echo "getent passwd $user"
echo $(getent passwd "$user")
#this is the group's sid; the user's own is wbinfo --uid-to-sid=$uid
echo "sid " $(wbinfo --gid-to-sid="$gid")
db=/usr/local/samba/private/sam.ldb
ldbsearch --url=$db "cn=$user" | grep "\\\\$hostname"
ldbsearch --url=$db "cn=$user" | grep homeDrive

Here is the output
s4user steve8 suseusers
Creating s4 posix user steve8
Pls enter pwd for steve8
New Password: 
User 'steve8' created successfully
Modified 1 records with 0 failures
Added members to group suseusers
sleeping. . .
Modified 1 records with 0 failures
sleeping. . .
Modified 1 records with 0 failures
New user:  steve8 POSIX-ified as follows:
uid  3000033
gid  3000020
primaryGroupID  1118  :suseusers
getent passwd steve8
steve8:*:3000032:3000020:steve8:/home/CACTUS/steve8:/bin/bash
sid  S-1-5-21-443838659-2890314986-1722269781-1118
profilePath: \\hh3\profiles\steve8
homeDirectory: \\hh3\home\steve8
homeDrive: Z:

And here are the results
10 seconds to do what used to take the best head-scratching part of an hour. Our Windows AD admin in disbelief.

steve8 with the (very nice) KDE plasma. Back to the 1990's: steve8 with (the not very nice) Windows 7 monotony. Deep breath. Can he open it?


24.2.12

Samba 4 Windows Profiles

Today we went a step closer to not having to dedicate a whole Windows 7 box just to administer our LAN.
Aim
To automate this (the profile path, home folder and home drive that the Windows AD tools set with a click):

Method
We created our POSIX-ified Samba 4 user with the s4user script (26.2.12 entry above), and then searched


Before
# ldbsearch --url=/usr/local/samba/private/sam.ldb 'cn=steve6' | grep '\\hh3'
<nothing>
and
After
# ldbsearch --url=/usr/local/samba/private/sam.ldb 'cn=steve6' | grep '\\hh3'
profilePath: \\hh3\profiles\steve6
homeDirectory: \\hh3\home\steve6
What do they call Z:?
# ldbsearch --url=/usr/local/samba/private/sam.ldb 'cn=steve6' | grep Z:
homeDrive: Z:

Prototype
Make a cheap and cheerful ldif:
cat profile.ldif
dn: cn=steve6,cn=Users,dc=hh3,dc=site
changetype: modify
add: profilePath
profilePath: \\hh3\profiles\steve6
-
add: homeDrive
homeDrive: Z:
-
add: homeDirectory
homeDirectory: \\hh3\home\steve6

Then a quick:
ldbmodify --url=/usr/local/samba/private/sam.ldb profile.ldif

TODO
Automate on the names profiles and home from smb.conf. Give a choice of drive letters to map? Does it matter? Then include in our POSIX s4user script.
Neat:-)
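The TODO above, carried out as an added example that is not the page's own code: the [profiles] and [home] share names are read out of smb.conf rather than assumed, and the LDIF the prototype applies by hand is generated only if both shares exist. The s4_* function names, the default base DN and the sample smb.conf fragment are this example's assumptions; the smb.conf path in the usage note is the default of a Samba4 source install, not something this page states.

```shell
#!/bin/sh
# Added example, not the page's code: the TODO above, done. The share names are
# taken from smb.conf rather than typed in, and the LDIF the prototype applies
# by hand is generated. Function names, the default base DN and the sample
# smb.conf below are this example's assumptions, not the author's config.

S4_BASE=${S4_BASE:-DC=hh3,DC=site}

# Constructed smb.conf fragment for the demo/test; not the page's real one.
S4_SAMPLE_SMBCONF='[global]
    workgroup = CACTUS
    realm = hh3.site
[profiles]
    path = /home/CACTUS/profiles
    read only = no
[home]
    path = /home/CACTUS
    read only = no
'

# Print every [share] name from the smb.conf on stdin, minus [global] and the
# special [homes]/[printers] sections.
s4_shares() {
    sed -n 's/^[[:space:]]*\[\([^]]*\)\].*/\1/p' |
        grep -v -i -x -e global -e homes -e printers
}

# 0 if <share> is defined in the smb.conf on stdin.
s4_share_defined() { s4_shares | grep -q -x -F "$1"; }

# LDIF adding profilePath/homeDrive/homeDirectory for <user>. printf turns each
# \\ into one backslash, so the LDIF (and sam.ldb) carries \\host\share\user
# exactly as the 'After' ldbsearch above shows. The user name is not DN-escaped.
s4_profile_ldif() {   # <user> <short hostname> <profiles share> <home share> [drive]
    printf 'dn: CN=%s,CN=Users,%s\nchangetype: modify\nadd: profilePath\nprofilePath: \\\\%s\\%s\\%s\n-\nadd: homeDrive\nhomeDrive: %s\n-\nadd: homeDirectory\nhomeDirectory: \\\\%s\\%s\\%s\n' \
        "$1" "$S4_BASE" "$2" "$3" "$1" "${5:-Z:}" "$2" "$4" "$1"
}

# Refuse to emit a path to a share smb.conf does not define: a profilePath that
# points at nothing lands the user on a temporary profile at logon.
s4_profile_ldif_checked() {   # <user> <short hostname> <smb.conf> [drive]
    for s in profiles home; do
        s4_share_defined "$s" < "$3" || { echo "no [$s] share in $3" >&2; return 1; }
    done
    s4_profile_ldif "$1" "$2" profiles home "${4:-Z: }"
}

# Usage on the DC (commented out so the file runs offline); smb.conf path is
# the Samba4 source-install default and may differ on your box:
#   s4_profile_ldif_checked steve6 "$(hostname -s)" /usr/local/samba/etc/smb.conf > profile.ldif
#   ldbmodify --url=/usr/local/samba/private/sam.ldb profile.ldif
```

The drive letter is the last, optional argument, which answers the "give a choice of drive letters" question without changing the default of Z:.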


23.2.12

Ubuntu Art

Testing Samba4 brought me back into contact with Windows 7 after all those years. Has it always looked that bad?
Welcome to 2012. Cairo on Ubuntu

Microsoft. Firmly in the 1990's
Tweak that dock

The sad tale of nfs4 acls

Group rw on a folder
OK folks. Over nfs4, you can't.

Why?
Well, you can, but only if your umask is 0002. Unlike the POSIX setfacl, where a default ACL takes the place of the umask for new files, nfs4_setfacl does not override it: NFSv4 (before the umask attribute that 4.2 added) gives the client no way to send its umask to the server, so the client applies the umask to the mode it asks for and the server then trims the inherited ACEs down to that mode. So unless you want to reset your umask to 0002 (you don't!), you can't get group rw on nfs4 just by setting the ACL. That is on openSUSE, where the default umask is 0022. On Ubuntu the default umask is 0002, so there you get group rw whether you like it or not.

Now, let's see. . .

20.2.12

POSIX <--> nfs4 acls

The Scenario
ACL's. We want group read/write for a shared folder. Nice work if you can get it.
Our test domain
Windows - ntacl - Samba4: works
LINUX - nfs4_acl - Samba4: square peg, round hole

The workaround
Create a share:
hh3:/tmp # mkdir -m 0770 /home/CACTUS/dropbox
hh3:/tmp # chown root:suseusers /home/CACTUS/dropbox/
hh3:/tmp # chmod g+s /home/CACTUS/dropbox/
hh3:/tmp # setfacl -d -m g::rw /home/CACTUS/dropbox

drwxrws---+  2 root    suseusers 4096 Feb 20 17:24 dropbox 



hh3:/tmp # touch /home/CACTUS/dropbox/lynn.txt

-rw-rw---- 1 root suseusers 0 Feb 20 17:30 lynn.txt

YEAH! The file is created with group rw:-) The acl looks like this:

getfacl /home/CACTUS/dropbox/
getfacl: Removing leading '/' from absolute path names
# file: home/CACTUS/dropbox/
# owner: root
# group: suseusers
# flags: -s-
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rw-
default:other::---


Now we mount the share.

hh3:/tmp # mount -t nfs4 hh3:/home /mnt
The acl has been translated to this:

hh3:/tmp # nfs4_getfacl /mnt/CACTUS/dropbox/
A::OWNER@:rwaDxtTcCy
A::GROUP@:rwaDxtcy
A::EVERYONE@:tcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:GROUP@:rwaDtcy
A:fdi:EVERYONE@:tcy


We create a file in the mounted share:

hh3:/tmp # touch /mnt/CACTUS/dropbox/lynn2.txt
hh3:/tmp # ls -la /mnt/CACTUS/dropbox/
total 8
drwxrws--- 2 root suseusers 4096 Feb 20 17:38 .
drwxr-xr-x 9 root root      4096 Feb 20 17:24 ..
-rw-r----- 1 root suseusers    0 Feb 20 17:34 lynn2.txt
-rw-rw---- 1 root suseusers    0 Feb 20 17:30 lynn.txt

The file created on the mount does not have group rw:-(

Setting the acl on the mount and remounting:
nfs4_setfacl -a A:gfdi:GROUP@:rwaDxtTcCy /mnt/CACTUS/dropbox/
makes no difference. 



The big hammer
We treat it with the contempt it deserves:
#!/bin/bash
#poll the share and give group write to anything that lacks it
#(-N is a bash test, hence the shebang change from /bin/sh)
share=/home/CACTUS/dropbox/
cd "$share" || exit 1
while true
do
 #-N: the directory changed since we last looked, so only scan after a change
 if [ -N "$share" ]; then
  for a in *
  do
   [ -e "$a" ] || continue   #an empty dir leaves the literal '*'
   #6th char of the mode string (e.g. -rw-r-----) is the group write bit
   perm=$(stat -c %A "$a" | cut -c6)
   if [ "$perm" != "w" ]; then
    chmod g+w "$a"
   fi
  done
 fi
 sleep 4
done

The guys over on the openSUSE list got involved:
#!/bin/sh
#the same thing without parsing ls: find everything under the share that
#lacks group write (! -perm -g=w) and fix it, NUL-separated so odd names survive
share=/home/CACTUS/dropbox/
while true
do
 find "$share" ! -perm -g=w -print0 | xargs -r -0 chmod g+w
 sleep 4
done
Neat!