[bug#54561,1/4] services: Add samba service.

* gnu/services/samba.scm (<samba-configuration>): New record.
(samba-service-type): New variable.
(samba-shepherd-services): New Procedure.
---
 gnu/services/samba.scm | 173 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 173 insertions(+)
 create mode 100644 gnu/services/samba.scm

--
2.34.0

I have a local service definition for samba i wanted to upstream
at some point. Your service looks better then mine though.

> +(define (samba-activation config)
> +  (let ((package (samba-configuration-package config))
> +        (config-file (samba-configuration-config-file config)))
> +    (with-imported-modules '((guix build utils))
> +      (let ((lib-directory "/var/lib/samba")
> +            (log-directory "/var/log/samba")
> +            (run-directory "/var/run/samba")
> +            (smb.conf "/etc/samba/smb.conf"))
> +        #~(begin
> +            (use-modules (guix build utils))
> +
> +            (mkdir-p #$log-directory)
> +            (mkdir-p #$run-directory)
> +            (mkdir-p (string-append #$lib-directory "/private"))
> +            (mkdir-p "/etc/samba")
> +            (copy-file #$config-file #$smb.conf)
> +            (system* (string-append #$package "/bin/testparm")
> +                     "--suppress-prompt" #$smb.conf))))))
Is it a good idea to create all those directories with the default
umask? I always wanted to investigate which of those directories
contains sensitive data. I never got around to.

Another thing i wanted to investigate: can samba and friends be run
as non-root users? I think it would be a good idea to do that if
possible.

fyi: I currently use samba as an AD DC.

fesoj000 schreef op zo 27-03-2022 om 03:07 [+0200]:
> > +(define (samba-activation config)
> > +  (let ((package (samba-configuration-package config))
> > +        (config-file (samba-configuration-config-file config)))
> > +    (with-imported-modules '((guix build utils))
> > +      (let ((lib-directory "/var/lib/samba")
> > +            (log-directory "/var/log/samba")
> > +            (run-directory "/var/run/samba")
> > +            (smb.conf "/etc/samba/smb.conf"))

Is it necessary to put the configuration file there?
Can be we do something like (system* "/.../testparm" #$smb.conf), where
smb.conf is the generated configuration file?

> > +        #~(begin
> > +            (use-modules (guix build utils))
> > +
> > +            (mkdir-p #$log-directory)
> > +            (mkdir-p #$run-directory)
> > +            (mkdir-p (string-append #$lib-directory "/private"))
> > +            (mkdir-p "/etc/samba")
> > +            (copy-file #$config-file #$smb.conf)
> > +            (system* (string-append #$package "/bin/testparm")
> > +                     "--suppress-prompt" #$smb.conf))))))
> Is it a good idea to create all those directories with the default
> umask? I always wanted to investigate which of those directories
> contains sensitive data. I never got around to.

FWIW, you can use 'mkdir-p/perms' to set the permission bits.
The (string-append ...) can be simplified to:

  (system* #$(file-append package "/bin/testparm" "--suppres-prompt
#$smb.conf).

Also, would it be a good idea to use (invoke ...) instead of system, to
make sure errors are detected?  What is the 'suppress-prompt' for?

Greetings,
Maxime.

Maxime Devos <maximedevos@telenet.be> writes:

> fesoj000 schreef op zo 27-03-2022 om 03:07 [+0200]:
>> > +(define (samba-activation config)
>> > +  (let ((package (samba-configuration-package config))
>> > +        (config-file (samba-configuration-config-file config)))
>> > +    (with-imported-modules '((guix build utils))
>> > +      (let ((lib-directory "/var/lib/samba")
>> > +            (log-directory "/var/log/samba")
>> > +            (run-directory "/var/run/samba")
>> > +            (smb.conf "/etc/samba/smb.conf"))
>
> Is it necessary to put the configuration file there?
> Can be we do something like (system* "/.../testparm" #$smb.conf), where
> smb.conf is the generated configuration file?

No, not really.  The Samba suit has a lot of tools that may want to look
into the default config directory.  It seems that any relevant
configuration belonging to Samba lands in smb.conf, that is looked into
anytime when needed.  That is my impression, and thus
placed it there.

>> Is it a good idea to create all those directories with the default
>> umask? I always wanted to investigate which of those directories
>> contains sensitive data. I never got around to.

I'm not so sure myself.  That was the end result of what had to be
created to have the service successfully initiate itself.  True that I
have not investigated this myself yet.  While writing this service I was
comparing the directory structure with Debian and Arch Linux, to be sure
that it would work. 
>
> FWIW, you can use 'mkdir-p/perms' to set the permission bits.
> The (string-append ...) can be simplified to:
>
>   (system* #$(file-append package "/bin/testparm" "--suppres-prompt
> #$smb.conf).
>
> Also, would it be a good idea to use (invoke ...) instead of system, to
> make sure errors are detected?  What is the 'suppress-prompt' for?

My understanding now would be better to write invoke.  Thanks for
pointing this out.

fesoj000 <fesoj000@gmail.com> writes:

> I have a local service definition for samba i wanted to upstream
> at some point. Your service looks better then mine though.

Thanks.  It still counts as my first try writing a service.

> fyi: I currently use samba as an AD DC.

Impressive!  It might be quite interesting to see how you managed to set
up an AD DC.  I stopped after certain tools began to crash.  I tried to
solve them here [1].  I just noticed that you had pushed some patches
some time ago too [2].  They're both addressing the same issues.  In
this case your patches are looking better than mine.

That means these tools are working for you now?

[1] https://issues.guix.gnu.org/52976
[2] https://issues.guix.gnu.org/54266

On 3/27/22 8:48 PM, Simon Streit wrote:
> fesoj000 <fesoj000@gmail.com> writes:
> 
>> I have a local service definition for samba i wanted to upstream
>> at some point. Your service looks better then mine though.
> 
> Thanks.  It still counts as my first try writing a service.
> 
>> fyi: I currently use samba as an AD DC.
> 
> Impressive!  It might be quite interesting to see how you managed to set
> up an AD DC.  I stopped after certain tools began to crash.  I tried to
> solve them here [1].  I just noticed that you had pushed some patches
> some time ago too [2].  They're both addressing the same issues.  In
> this case your patches are looking better than mine.
> 
> That means these tools are working for you now?
> 
> [1] https://issues.guix.gnu.org/52976
> [2] https://issues.guix.gnu.org/54266
I mostly followed the step by step guide in the samba wiki [0]. I use this
AD DC mostly for testing and developing (kerberos, ldap). While following
the step by step guide i found that samba-tool and friends are not working,
so i tried to fix them, and yes, they do work for me currently using my patch.

My main motivation for running samba as AD DC is that i want to port sssd to
guix. Currently i have a hack for glibc which solves the libnss module lookup
issue. But all this needs more polish and time....

[0] https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

Please find attached an updated patch series.

I've made slight changes as follows:

 * The reference to further config options in the manual have been removed.
 * Samba's (samba-activation config) procedure has been slightly modified,
 * better cleaned up, regarding the mkdirs.  I've done more testing and it
 * appears that samba will only run when /var/{lib,log,run}/samba exist,
   including /var/lib/samba/private.  In this case it is chmod now to o700 to
   be on the save side.  Debian's directory structure is world readable though.
   In Arch it is o700.  If anyone objects, please make it world readable.  It
   appears that Samba lives and breathes in these directories, so they better
   be put there. 
 * Regarding smb.conf -- while this service technically doesn't need it placed
   at /etc/samba -- is convenient to have it placed there for other tools part
   of the Samba family to read it, and so that others can quickly look into its
   configuration.  I'll leave this for further debate whether it can stay there
   or not.
 * The packages samba and wsdd are included in profile-service-type so that they
   are generally available in the system profile.

I hope I didn't miss anything out.

Simon Streit (5):
  services: Add samba service.
  doc: Add "Samba" chapter.
  doc: Add documentation for WSDD service.
  services: Add wsdd service.
  gnu: Add wsdd.

 doc/guix.texi          | 118 ++++++++++++++++++
 gnu/packages/samba.scm |  26 ++++
 gnu/services/samba.scm | 277 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 421 insertions(+)
 create mode 100644 gnu/services/samba.scm

Hi Simon,

Simon Streit <simon@netpanic.org> skribis:

> Please find attached an updated patch series.

It’s a huge amount of work that you did, and that’ll certainly be useful
to many!

> I've made slight changes as follows:
>
>  * The reference to further config options in the manual have been removed.
>  * Samba's (samba-activation config) procedure has been slightly modified,
>  * better cleaned up, regarding the mkdirs.  I've done more testing and it
>  * appears that samba will only run when /var/{lib,log,run}/samba exist,
>    including /var/lib/samba/private.  In this case it is chmod now to o700 to
>    be on the save side.  Debian's directory structure is world readable though.
>    In Arch it is o700.  If anyone objects, please make it world readable.  It
>    appears that Samba lives and breathes in these directories, so they better
>    be put there. 
>  * Regarding smb.conf -- while this service technically doesn't need it placed
>    at /etc/samba -- is convenient to have it placed there for other tools part
>    of the Samba family to read it, and so that others can quickly look into its
>    configuration.  I'll leave this for further debate whether it can stay there
>    or not.
>  * The packages samba and wsdd are included in profile-service-type so that they
>    are generally available in the system profile.

I didn’t look at everything in detail, but overall that LGTM.

There’s a couple of things that I think would be worth adjusting though:

>   services: Add samba service.
>   doc: Add "Samba" chapter.
>   doc: Add documentation for WSDD service.
>   services: Add wsdd service.
>   gnu: Add wsdd.

It seems patches are in the wrong order: I’d expect the wsdd package to
come before the wsdd service.

Regarding documentation: by convention, documentation for a service is
added in the same commit that adds the service, so that it’s
self-contained.  Could you squash them?

Last, it would be great if you could add a system test under
gnu/tests/samba.scm.  Essentially, that test would do what you probably
did manually already: spawning a VM running an OS with
‘samba-service-type’ and/or ‘wsdd-service-type’ and running an SMB
and/or WSD client to make sure the basics work.  You can get inspiration
from other system tests there, and see:

  https://guix.gnu.org/manual/devel/en/html_node/Running-the-Test-Suite.html

I have minor cosmetic comments that I’ll send separately.

Could you send a v3 addressing these issues?

Thanks!

Ludo’.