Saturday, April 8, 2017

Delegating domain join privileges in Samba 4 from the command line (or not)

I'm trying to solve a bit of a mystery. I'd like to set up Samba 4 without using Windows. Most things seem to be possible, but I can't figure out how to delegate domain join privileges. Unfortunately, even the official documentation specifically references ADUC.

So I did some digging into what it would take to delegate domain join privileges without a Windows system. After several dead ends, I ran across this page:

The important bit of that page is this script that uses the Windows command-line tool dsacls:

$user = 'gps\SCCM Client Computer Joiners'
$ou = 'OU=SCCM Test Clients,OU=SCCM,OU=Service,OU=Company,DC=gopas,DC=virtual'

DSACLS $ou /R $user

DSACLS $ou /I:S /G "$($user):GR;;computer"
DSACLS $ou /I:S /G "$($user):CA;Reset Password;computer"
DSACLS $ou /I:S /G "$($user):WP;pwdLastSet;computer"
DSACLS $ou /I:S /G "$($user):WP;Logon Information;computer"
DSACLS $ou /I:S /G "$($user):WP;description;computer"
DSACLS $ou /I:S /G "$($user):WP;displayName;computer"
DSACLS $ou /I:S /G "$($user):WP;sAMAccountName;computer"
DSACLS $ou /I:S /G "$($user):WP;DNS Host Name Attributes;computer"
DSACLS $ou /I:S /G "$($user):WP;Account Restrictions;computer"
DSACLS $ou /I:S /G "$($user):WP;servicePrincipalName;computer"
DSACLS $ou /I:S /G "$($user):CC;computer;organizationalUnit"

samba-tool has a subcommand dsacl set that I thought might be able to accomplish the same task. After a lot of work trying to get the arguments correct, I got to this point:

[root@dc1 ~]# samba-tool dsacl set --action=allow --objectdn='cn=Computers,dc=samba4,dc=local' --trusteedn='cn=Domain Join,cn=Users,dc=samba4,dc=local' --sddl='GR;;computer' --realm=SAMBA4.LOCAL -U administrator --password="$( cat /root/.password )"
new descriptor for cn=Computers,dc=samba4,dc=local:
ERROR(<type 'exceptions.TypeError'>): uncaught exception - Unable to parse SDDL
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/", line 176, in _run
    return*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/", line 174, in run
    self.add_ace(samdb, objectdn, new_ace)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/", line 129, in add_ace
    desc = security.descriptor.from_sddl(desc_sddl, self.get_domain_sid(samdb))

So... I think the arguments to dsacls are some kind of "friendly" names that resolve to UUIDs or SIDs or something on the back end, but I can't figure out how to do the mapping.

Suggestions welcome.
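
The dsacls grant specs in the script above (`PERM;object;inherited object type`) are not SDDL, which is why `security.descriptor.from_sddl` rejects `GR;;computer`. The following Python is an added example, not code from the original post or from Samba: it translates those specs into SDDL ACE strings using the stock Active Directory GUIDs for the names the script uses. The trustee SID is a constructed placeholder, the function and table names are hypothetical, and it is an assumption that `samba-tool dsacl set --sddl` accepts a complete ACE in this form.

```python
# Added example: translate dsacls "/G" grant specs into SDDL ACE strings.
# GUIDs are the stock AD schema / extended-right / property-set identifiers.
GUIDS = {
    "computer": "bf967a86-0de6-11d0-a285-00aa003049e2",
    "organizationalunit": "bf967aa5-0de6-11d0-a285-00aa003049e2",
    "reset password": "00299570-246d-11d0-a768-00aa006e0529",
    "pwdlastset": "bf967a0a-0de6-11d0-a285-00aa003049e2",
    "logon information": "5f202010-79a5-11d0-9020-00c04fc2d4cf",
    "description": "bf967950-0de6-11d0-a285-00aa003049e2",
    "displayname": "bf967953-0de6-11d0-a285-00aa003049e2",
    "samaccountname": "3e0abfd0-126a-11d0-a060-00aa006c33ed",
    "dns host name attributes": "72e39547-7b18-11d1-adef-00c04fd8d5cd",
    "account restrictions": "4c164200-20c0-11d0-a768-00aa006e0529",
    "serviceprincipalname": "f3a64788-5306-11d1-a9c5-0000f80367c1",
}
# dsacls permission -> SDDL right; only "CA" (control access) differs: "CR".
RIGHTS = {"GR": "GR", "RP": "RP", "WP": "WP", "CC": "CC", "DC": "DC", "CA": "CR"}
# dsacls /I: value -> SDDL inheritance flags (S = sub-objects only).
INHERIT = {"T": "CI", "S": "CIIO"}
# Constructed placeholder SID; look up the real objectSid of the trustee.
EXAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1104"

def _guid(name):
    """Resolve a dsacls friendly name to its GUID ('' when the field is empty)."""
    if not name:
        return ""
    if name.lower() not in GUIDS:
        raise ValueError("no GUID known for %r" % name)
    return GUIDS[name.lower()]

def dsacls_to_sddl(spec, trustee_sid, inherit="S"):
    """Convert 'PERM;object;inherited-object-type' to one SDDL allow ACE."""
    fields = [f.strip() for f in spec.split(";")]
    if len(fields) != 3 or fields[0].upper() not in RIGHTS:
        raise ValueError("unsupported dsacls spec: %r" % spec)
    perm, obj, inherited = fields
    obj_guid, inh_guid = _guid(obj), _guid(inherited)
    # Object ACE ("OA") whenever a GUID narrows the right or the target class.
    ace_type = "OA" if obj_guid or inh_guid else "A"
    return "(%s;%s;%s;%s;%s;%s)" % (ace_type, INHERIT[inherit],
                                    RIGHTS[perm.upper()], obj_guid, inh_guid,
                                    trustee_sid)

if __name__ == "__main__":
    for s in ("GR;;computer", "CA;Reset Password;computer",
              "WP;pwdLastSet;computer", "CC;computer;organizationalUnit"):
        print(s, "->", dsacls_to_sddl(s, EXAMPLE_SID))
```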

Saturday, October 27, 2012

Health update

I don't often post anything personal (or really anything at all, for that matter), but I'm going to make an exception today.

Today marks 9 months since I started working on losing weight and generally improving my health.  At the time, I weighed somewhere around twice what I should (maybe more), and I hadn't been at a healthy weight for nearly 20 years.  The scary thing is that I really didn't see myself as that heavy, but obviously my self-image didn't match reality in the slightest...  As a co-worker put it, you don't get to that size without a healthy dose of denial.

It took a weight loss competition organized by another co-worker to get me motivated, but I decided in January that I was going to lose weight and get back to some level of physical fitness.  I've had a lot of success, as anyone who knows me can tell, so I get asked a lot how I lost all the weight.  The short answer that I give is that I lost it the old-fashioned way - diet and exercise.  There is a much longer answer though, so bear with me...

Diet was definitely the biggest change for me.  I've always eaten way too much food.  It wasn't necessarily all bad food, although it often was, but the sheer quantity was what got me in trouble.  I decided to do three things to address that.  First of all (and most importantly), I finally started logging what I was eating (as my wife had been trying to get me to do for years).  I found the Lose It! app, which made this painless.  It was absolutely invaluable since it let me see what foods were OK to eat and which weren't (and to see just how bad those things were).

Second, I tried to eat more of the right foods, like lean proteins and vegetables.  I started to avoid sugar, starches (no pasta, bread, or rice), and high-fat foods (with a few exceptions like almonds, which became one of my favorite snacks).  Conveniently, since I was watching my calorie intake, the things I was trying to eat are low-calorie, which meant I didn't have to starve myself at all.

The third diet change that I made was to start snacking through the day, usually eating something every couple of hours.  This was the weirdest part, focusing on eating regularly and often in order to lose weight, and it was odd never really being full, but at the same time I never really got hungry enough to have impulse control issues.

Note that when I say "diet", I'm trying to avoid the connotation that the world normally holds.  I never meant for any of this to be a short-term change in my eating, but rather I considered this to be a lifestyle change.  I have no intention of going back to anything resembling my old diet, no matter what shape I'm in or how active I am.

Speaking of activity, I struggled a bit to find exercise that I was physically capable of doing for any length of time, without hurting myself.  My friend Artie (who had recently lost a large amount of weight himself, and who was my biggest inspiration for putting in all this effort) worked for a while to convince me to go out for short walks with him.  With my bad knees, walking was extremely uncomfortable.  Eventually I gave in though, and we started walking as often as possible.  At first, a 15-minute walk would nearly kill me.  I kept walking as often as I could though, either at lunch, in the afternoons just to clear my head, with my family in the evenings, you name it.  By May, I walked a 5K with Artie (in just over 50 minutes).  It was looking like I would be able to run a 5K this past month, but unfortunately an injury slowed me down just enough that I wasn't able to.

Somewhere early on, I started riding our stationary recumbent bike (which had sat in our house, collecting dust for around 5 years).  At first, I was lucky to do 5-10 minutes.  After a few weeks, I recall doing an hour, non-stop, and feeling like I wasn't going to be able to walk afterwards.  At some point around then, I started riding my real bike and found that I couldn't climb a hill.  I kept working on it though, and eventually I was able to ride 10 miles, 15 miles, 25 miles, 33 miles, and ultimately 50 miles.  (At some point in the near future, I'd like to try to ride 100 miles, but that's a pretty massive time commitment.)

The most rewarding part of this entire experience has been the lifestyle change that my entire family has gone through.  It's one thing for everyone to diet together, but that's not what we've done.  We're all eating differently, cooking together, and finding ways to be active together.  My wife Kara has been incredibly patient and understanding, even when I've been overly single-minded about trying to hit whatever goal I had on any given day.  She has been on-board since the beginning, and has also managed to lose a significant amount of weight.  (I'll leave it to her to give details.)  All of the changes have been great for our daughter Emma too, who is in better shape now than she has been at any other point in her life.  I know a lot of people who try to lose weight on their own, and I'm sure it can be done, but I certainly wouldn't recommend it.

I'm fortunate to have a great support system.  I mentioned Artie before (thanks, Artie!), but I also have to thank Mike for pushing me to do more, go a little faster, or go a little farther.  There are many others (yes, I'm looking at you, Emma) who have helped, and I apologize for not naming every one of you, but I do appreciate all of the support.

As of this morning, I have lost over 36% of the weight I was carrying at the end of January.  I need to get to 50%, give or take, so I still have quite a bit to lose, but I have complete confidence that it will come off over the next few months.  I have had to replace my wardrobe multiple times now (I'm already wearing shirts 4 sizes smaller than I was wearing when I started), so I'm perfectly OK with the loss leveling off for a while.  :-)


Monday, September 19, 2011

New cpanspec coming soon

I haven't released a new version of cpanspec in quite a while, but I have been working on it off and on with the help of several other people.  The big feature that I added was dependency extraction from tests, but I wasn't happy with the results of it.  Luckily, other people made it better, plus knocked a bunch of stuff off my TODO list.

The current list of changes looks like this:

  • Extract dependencies from tests.
  • Add script detection (patch from Jeff Fearn).
  • Lots and lots of patches from Dennis Kaarsemaker and Gavin Carr:
    • Drop cpanget and add the functionality to cpanspec.
    • Check the search path for rpm, rpmbuild, etc.
    • Add CC0 licence.
    • Change %{optimize} to %{optflags}.
    • Make tarball directory version component optional.
    • Add an option to print the generated specfile to stdout
    • Allow building rpms for slightly older perl versions
    • Check all build requirements against CPAN
    • Stop losing dependency version information for Module::Build, ExtUtils::MakeMaker, etc.
    • Strip any version comparison operator from the 'perl' build requirement
    • Add entries from configure_requires in META.yml as build dependencies
    • Detect scripts better
    • Don't let Module::AutoInstall run interactively
    • Add a simple blacklisting mechanism

In my light testing, this version has been working beautifully, but I'd really like to hear some more positive feedback before I push this out into Fedora, so if you package Perl modules, give it a try and let me know what you think.

Sunday, August 28, 2011

Vim: From Essentials to Mastery at OLF 2011

Ohio LinuxFest 2011 is coming up next week, September 9-11. As part of OLF Institute, Bill Odom and I will be teaching a full-day class on Vim on Friday, September 9. If you're like I was a year or so ago, and you think you know Vim just because you've been using vi forever, you really need to come to our class. Some of the things you can do with Vim will just blow your mind. (And if you don't even know vi, the class will be life-changing. :-)

The main conference is on Saturday, September 10. At 2PM, we'll have a special Vim Geeks Columbus BoF session which, like the rest of the conference on Saturday, you can attend for free.

For more information about the Vim class, see

For more information about OLF 2011, see the web site:

For more information about Vim Geeks, our local Vim users group, see

The full class description follows:

VIM: From Essentials to Mastery

Instructors: Steven Pritchard and Bill Odom

Vim deserves its reputation as one of the most powerful tools in an admin or developer's toolbox -- but it's not exactly friendly and approachable. Even long-time users rarely employ more than a fraction of its capabilities, and new users are often left wondering why so many apparently-sane people won't shut up about how awesome it is. The stark UI, the steep learning curve, the host of idiosyncrasies... mastering Vim is a challenge, and that's putting it politely.

In this class, you'll learn why it's worth the effort.

We'll start by covering the essentials of Vim, like modes, motions, operators, and commands, with an emphasis on why Vim works the way it does in addition to how it works. With the fundamentals firmly established, we'll work our way through real-world examples of using Vim to perform astounding feats that poor souls using lesser editors can only imagine. We'll cover ways to integrate Vim with your environment, tailor it to your work, and generally bend it to your every whim. We'll discuss important settings, advanced techniques, useful customizations, handy scripts, must-have plugins, crafty tips, and sneaky tricks.

In short, we'll explore how to use Vim most effectively, so it lives up to the awesome reputation that you'll soon be telling all your disbelieving friends about.

Bios: Steven Pritchard has nearly two decades of Linux and Unix experience. A dedicated Open Source advocate, he founded the Southern Illinois Linux Users Group in 1994 and has been a volunteer developer with Red Hat's Fedora Project since it began in 2003. He is also an author of the award-winning LPI Linux Certification in a Nutshell, 2nd Ed (O'Reilly & Associates). Steven currently offers his technical services through the Computer Room, a retail technical sales and service company outside of St. Louis, Missouri.

Bill Odom has over two decades of experience as a systems architect and software developer, working on everything from wiki software for Internet startups to global identity management solutions for Fortune 500 companies. He's also a long-time member of the Open Source community, an active member (and periodic leader) of several user groups in the St. Louis area, and served as president of the Perl Foundation from 2005 through 2007.

Steven and Bill are both long-time users and advocates of Vim, and are the founders of the St. Louis Vim Geeks. They've given several well-received presentations, tutorials, and classes on Vim to many Midwest organizations.

Thursday, October 21, 2010

Regular Expressions

Slides from my talk at last night's St. Louis Perl Mongers meeting:

Tuesday, September 28, 2010


I mentioned my one module on CPAN (String::Random) to a friend yesterday, and got the response "You wrote that?"  Honestly, I was shocked that he'd heard of it.  (There are so many modules on CPAN that I doubt most Perl programmers have heard of 99% of them.)

I decided to Google for the module a bit to see if there were many mentions (fully expecting to find some "I looked at the code, and my eyes are still bleeding" comments), and I was pleasantly surprised to find this rather old tutorial on using the module:

I also found a Ruby port on GitHub:

So far, I haven't found anyone ripping into it, but I'm sure it's out there...