From: William A. <waa...@re...> - 2005-12-07 00:43:22
BTW, as always, I feel the need to thank you Jamie - and everyone who has contributed - for Webmin and all associated modules.

OK, Now that the buttering up is done with... :)

Just kidding - The compliments are sincere.

Recently, it has come to my attention that, at two of my clients running Samba on Linux with Webmin as their "admin" interface they can no longer add XP machines to their domains.

Well, this is not entirely true... They are able to _ADD_ XP machines to the domain the way they always have using Webmin's Users and Groups module - and they are able to successfully _JOIN_ the machine to the domain just like before.

BUT, after the machine successfully joins the domain and gets the "Welcome to the XYZ domain" message, they are not able to log onto the domain and are told that the domain controller may not be available, or that the machine may not exist in the domain.

After doing some research I have found that when they create a machine trust account as they always have in Webmin's Users and Groups module:

- Create new user
- Username is the machine name with a $ appended to it: eg xpmachine$
- Password is irrelevant
- Home dir is not important so we use /home/machines/machinename$

...I see that the user (machine) account is created fine in the /etc/passwd file and the home directory is created, BUT on inspecting Samba's smbpasswd file (yeah... I know... moving to LDAP soon) the account's FLAGS are:

[U ] ---> A User Account

when they SHOULD be

[W ] ---> A Workstation Trust Account

As I stated above, even with the User Account flag in the smbpasswd file instead of a Workstation Trust Account flag, the XP machine successfully JOINS the domain, but is unable to log in.

Further testing shows that if I add a machine trust account by using these two simple commands at a shell prompt everything works fine:

# useradd -d /home/machines/xpmachine$ -s /bin/false -c "machine trust \
account via cmdline" -g machines -m xpmachine$

# smbpasswd -a -m xpmachine$

The machine joins, and users are able to log into the domain. One thing I noticed about this manually added user (machine trust account) though:

In the Webmin Users and Groups module, the xpmachine$ account is ITALICISED in the listing while all other users (created with webmin) are normal text.

Any thoughts, comments, questions? I'd LOVE to get this fixed so that my clients are able to once again administer their own XP workstations with Webmin.

I am willing to provide any additional information necessary...

Thanks!

- Bill Arlofski
Reverse Polarity
860-824-2433
email: waa...@re...
jabber: wa...@ja...
From: Craig W. <cra...@az...> - 2005-12-07 00:57:54
On Tue, 2005-12-06 at 19:43 -0500, William Arlofski wrote:
> BTW, as always, I feel the need to thank you Jamie - and everyone who has contributed - for Webmin and all associated modules.
>
> OK, Now that the buttering up is done with... :)
>
> Just kidding - The compliments are sincere.
>
> Recently, it has come to my attention that, at two of my clients running Samba on Linux with Webmin as their "admin" interface they can no longer add XP machines to their domains.
>
> Well, this is not entirely true... They are able to _ADD_ XP machines to the domain the way they always have using Webmin's Users and Groups module - and they are able to successfully _JOIN_ the machine to the domain just like before.
>
> BUT, after the machine successfully joins the domain and gets the "Welcome to the XYZ domain" message, they are not able to log onto the domain and are told that the domain controller may not be available, or that the machine may not exist in the domain.
>
> After doing some research I have found that when they create a machine trust account as they always have in Webmin's Users and Groups module:
>
> - Create new user
> - Username is the machine name with a $ appended to it: eg xpmachine$
> - Password is irrelevant
> - Home dir is not important so we use /home/machines/machinename$
>
> ...I see that the user (machine) account is created fine in the /etc/passwd file and the home directory is created, BUT on inspecting Samba's smbpasswd file (yeah... I know... moving to LDAP soon) the account's FLAGS are:
>
> [U ] ---> A User Account
>
> when they SHOULD be
>
> [W ] ---> A Workstation Trust Account
>
> As I stated above, even with the User Account flag in the smbpasswd file instead of a Workstation Trust Account flag, the XP machine successfully JOINS the domain, but is unable to log in.
>
> Further testing shows that if I add a machine trust account by using these two simple commands at a shell prompt everything works fine:
>
> # useradd -d /home/machines/xpmachine$ -s /bin/false -c "machine trust \
> account via cmdline" -g machines -m xpmachine$
>
> # smbpasswd -a -m xpmachine$
>
> The machine joins, and users are able to log into the domain. One thing I noticed about this manually added user (machine trust account) though:
>
> In the Webmin Users and Groups module, the xpmachine$ account is ITALICISED in the listing while all other users (created with webmin) are normal text.
>
> Any thoughts, comments, questions? I'd LOVE to get this fixed so that my clients are able to once again administer their own XP workstations with Webmin.
>
----
man smb.conf ( presumption is samba > 3.0.0 )

add machine
Example: add machine script = /usr/sbin/adduser -n -g machines -c \
Machine -d /dev/null -s /bin/false %u

Why would you just use a script and add machines on the fly?

Why would you use a real home directory for a user that clearly would never need one? (-d /dev/null)

Craig
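The two checks a practitioner would want after reading the exchange above are (a) which entries in smbpasswd are machine accounts that were written with the U flag instead of W, and (b) whether smb.conf actually carries an "add machine script" rather than only an "add user script". The script below is an added example, not code from the thread, from Samba or from Webmin. It embeds constructed smbpasswd records and smb.conf fragments (the hashes are the well-known empty-password LM/NT values, not taken from any real system) so that it runs offline; point the functions at a real /etc/samba/smbpasswd or smb.conf on stdin to use it for real.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba/Webmin: audit an
# smbpasswd file for machine trust accounts that carry the wrong account
# flags, and check whether smb.conf defines an "add machine script" so that
# future joins create the account correctly.
#
# smbpasswd record layout (one per line):
#   name:uid:LM-hash:NT-hash:[flags]:LCT-hex:
# A machine trust account has a trailing '$' in its name and should carry
# the 'W' flag; an account created through a generic add-user path gets 'U'
# instead, which is the symptom reported above.

# Constructed sample records (not from a real system); the hashes are the
# well-known empty-password LM/NT values.
SAMPLE_SMBPASSWD='root:0:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:[U          ]:LCT-43964A1B:
xpmachine$:1001:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:[W          ]:LCT-43964A1B:
badmachine$:1002:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:[U          ]:LCT-43964A1B:
alice:1003:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:[U          ]:LCT-43964A1B:'

# Constructed smb.conf fragments: one that only has "add user script"
# (the mistake discussed in the thread) and one with "add machine script".
SAMPLE_SMBCONF_BAD='[global]
   workgroup = XYZ
   domain logons = yes
   add user script = /usr/sbin/useradd -d /dev/null -s /bin/false %u'

SAMPLE_SMBCONF_GOOD='[global]
   workgroup = XYZ
   domain logons = yes
   add machine script = /usr/sbin/useradd -g machines -c Machine -d /dev/null -s /bin/false %u'

# Read smbpasswd records on stdin; print machine accounts (name ends in
# '$') whose flag field (field 5) does not contain 'W'.
find_misflagged_machines() {
    awk -F: '$1 ~ /\$$/ && $5 !~ /W/ { print $1 }'
}

# Read smbpasswd records on stdin; print correctly flagged machine accounts.
find_good_machines() {
    awk -F: '$1 ~ /\$$/ && $5 ~ /W/ { print $1 }'
}

# Read smb.conf on stdin; exit 0 if an uncommented "add machine script"
# parameter is present, else exit 1. Lines starting with ';' or '#' are
# comments in smb.conf and do not match because the pattern is anchored
# at the start of the line (parameter names are case-insensitive).
has_add_machine_script() {
    grep -Eiq '^[[:space:]]*add[[:space:]]+machine[[:space:]]+script[[:space:]]*='
}

# Demonstration run against the constructed data.
printf '%s\n' "$SAMPLE_SMBPASSWD" | find_misflagged_machines | while read -r name; do
    # Suggested remediation (an assumption of this example, not a step
    # from the thread): drop the U-flagged entry and recreate it with -m,
    # the command the thread reports as working.
    echo "$name: flags lack W; fix with: smbpasswd -x $name && smbpasswd -a -m $name"
done

if printf '%s\n' "$SAMPLE_SMBCONF_BAD" | has_add_machine_script; then
    echo "smb.conf: add machine script present"
else
    echo "smb.conf: no add machine script; on-the-fly joins will not create W-flagged accounts"
fi
```

Run as-is to see the constructed badmachine$ entry flagged and the "add user script"-only config rejected; for a live system, `find_misflagged_machines < /etc/samba/smbpasswd` and `has_add_machine_script < /etc/samba/smb.conf` give the same two answers.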
From: William A. <waa...@re...> - 2005-12-07 02:43:19
Craig White wrote:
> On Tue, 2005-12-06 at 19:43 -0500, William Arlofski wrote:
>
>> BTW, as always, I feel the need to thank you Jamie - and everyone who has contributed - for Webmin and all associated modules.
>>
>> OK, Now that the buttering up is done with... :)
>>
>> Just kidding - The compliments are sincere.
>>
>> Recently, it has come to my attention that, at two of my clients running Samba on Linux with Webmin as their "admin" interface they can no longer add XP machines to their domains.
>>
>> Well, this is not entirely true... They are able to _ADD_ XP machines to the domain the way they always have using Webmin's Users and Groups module - and they are able to successfully _JOIN_ the machine to the domain just like before.
>>
>> BUT, after the machine successfully joins the domain and gets the "Welcome to the XYZ domain" message, they are not able to log onto the domain and are told that the domain controller may not be available, or that the machine may not exist in the domain.
>>
>> After doing some research I have found that when they create a machine trust account as they always have in Webmin's Users and Groups module:
>>
>> - Create new user
>> - Username is the machine name with a $ appended to it: eg xpmachine$
>> - Password is irrelevant
>> - Home dir is not important so we use /home/machines/machinename$
>>
>> ...I see that the user (machine) account is created fine in the /etc/passwd file and the home directory is created, BUT on inspecting Samba's smbpasswd file (yeah... I know... moving to LDAP soon) the account's FLAGS are:
>>
>> [U ] ---> A User Account
>>
>> when they SHOULD be
>>
>> [W ] ---> A Workstation Trust Account
>>
>> As I stated above, even with the User Account flag in the smbpasswd file instead of a Workstation Trust Account flag, the XP machine successfully JOINS the domain, but is unable to log in.
>>
>> Further testing shows that if I add a machine trust account by using these two simple commands at a shell prompt everything works fine:
>>
>> # useradd -d /home/machines/xpmachine$ -s /bin/false -c "machine trust \
>> account via cmdline" -g machines -m xpmachine$
>>
>> # smbpasswd -a -m xpmachine$
>>
>> The machine joins, and users are able to log into the domain. One thing I noticed about this manually added user (machine trust account) though:
>>
>> In the Webmin Users and Groups module, the xpmachine$ account is ITALICISED in the listing while all other users (created with webmin) are normal text.
>>
>> Any thoughts, comments, questions? I'd LOVE to get this fixed so that my clients are able to once again administer their own XP workstations with Webmin.
>>
>
> ----
> man smb.conf ( presumption is samba > 3.0.0 )

Hi Craig... That machine is currently running 3.0.2a, an oldie but goodie.

> add machine
> Example: add machine script = /usr/sbin/adduser -n -g machines -c \
> Machine -d /dev/null -s /bin/false %u

Dammit! All the docs I have seen show "add user script = ...." Never could get that to work 'on the fly'. Now I THINK I know why. :)

man smb.conf on that machine shows NO "add machine script"... But I think I ALSO know why. The smb.conf.5 man pages for this install are under /usr/local/samba/man/man5/smb.conf.5 (which DOES include the add machine script info) so there must be a leftover smb.conf.5 manpage in the manpath from a previous rpm install... Sigh...

> Why would you just use a script and add machines on the fly?

Because all previous attempts failed. :(

That server is slated for an upgrade (the whole thing, not just Samba - it is a RH 6.2 server) but it is difficult trying to coordinate a "good time" (tm) with the client to take their main server offline.

> Why would you use a real home directory for a user that clearly would
> never need one? (-d /dev/null)

Umm, because it really doesn't matter. Most times I used -d /dev/null - Probably should have said that in my post as well.

Thanks for the quick reply. I'm going to implement the add MACHINE script ASAP. I seriously can not believe that I missed that. I always wondered how others were getting that to work with the "add USER script = " that I saw posted all over the place.

Thanks again

- Bill Arlofski
Reverse Polarity
860-824-2433
email: waa...@re...
jabber: wa...@ja...
From: Kris D. <kd...@vi...> - 2005-12-07 15:34:44
William Arlofski wrote:
> That server is slated for an upgrade (the whole thing, not just Samba
> - it is a RH 6.2 server)

*wince* *shiver* I sincerely hope this machine is NOT directly Internet-connected.

> but it is difficult trying to coordinate a "good
> time" (tm) with the client to take their main server offline.

Tell them that this is a security-critical change, and the sooner it's done the better.

You have likely spent far more time maintaining software updates and building custom backported versions of software for RH6.2 than it would take to set up a new machine. I recently had a glimpse of some of the potential headaches in doing this when I set up a RH6.1 box in an attempt to build some software that requires a third-party library which is only available to me (currently) as a compiled object file. I discovered that RH6.1 didn't seem to have SSH... and started trying to backport the openssh package from RH7. It wasn't fun.

-kgd
--
Get your mouse off of there! You don't know where that email has been!
From: William A. <waa...@re...> - 2005-12-08 21:03:48
Kris Deugau wrote:
> William Arlofski wrote:
>
>> That server is slated for an upgrade (the whole thing, not just Samba
>> - it is a RH 6.2 server)
>
> *wince* *shiver* I sincerely hope this machine is NOT directly
> Internet-connected.

Of course not silly. It is a SAMBA server. :)

>> but it is difficult trying to coordinate a "good
>> time" (tm) with the client to take their main server offline.
>
> Tell them that this is a security-critical change, and the sooner it's
> done the better.

Been there, done that... Fortunately, they are very good about understanding and taking heed when it comes to this type of stuff. I think this one is more my fault because I am not looking forward to the large amount of work it is going to take to upgrade this particular system. It provides several other services on top of Samba file/print services.

> You have likely spent far more time maintaining software updates and
> building custom backported versions of software for RH6.2 than it would
> take to set up a new machine.

Not really, because long ago (RH 6.2 era) when building systems I would lock things down pretty good, turn off EVERYTHING that didn't need to be on, and even remove the tons of unnecessary RPMs that were installed by default. I'd also install an iptables script so that only the required ports were even exposed - and only to machines or subnets that required the service.

Next, all the important software on this server was built from source (kernel, samba, apache, openssh, openssl, proftpd and certain library dependencies etc) so that upgrades of critical components have generally been a simple download, configure, recompile, install, service restart for the affected daemon. That was probably the only thing that helped me to keep my sanity.

> I recently had a glimpse of some of the
> potential headaches in doing this when I set up a RH6.1 box in an
> attempt to build some software that requires a third-party library which
> is only available to me (currently) as a compiled object file. I
> discovered that RH6.1 didn't seem to have SSH... and started trying to
> backport the openssh package from RH7. It wasn't fun.

No kidding. I have played that game a bit on some systems so I know your pain. Lately I have been deploying Gentoo boxes and have not looked back. It gives me the best of both worlds (IMHO) - Ease of use/upgrading, and building from source.

Cheers!

- Bill Arlofski
Reverse Polarity
waa...@re...
From: Paul C. <pcu...@op...> - 2005-12-10 00:56:50
The promised follow-up survey is posted at http://www.surveymonkey.com/s.asp?u=78761591785

Also, as promised, the results of the first survey can be viewed at http://www.surveymonkey.com/Report.asp?U=145445138494

Thanks for taking the time, glad you really like Webmin. Your responses are a great help to us.

One of you expressed dissatisfaction with Webmin and suggested that there should be a refund on the book. I assume the reference is to Jamie's book (there are 5 books dealing with Webmin http://webmin.com/index7.html). We are willing to do what it takes to make Webmin work. Please contact me and OC will work with Jamie to get you running. If we can't, or you don't want to try, please contact me about a refund on the book.

Jamie is one of the most straight-up people I have met in this business and that is a major reason we chose to sponsor Webmin. Beyond our shared technology interests, we share values.

Paul Cubbage
Evangelist
Open Country, Inc.