Make sambashare work out of the box for wheel users

* get rid of crazy scriptlet which added random users into the "sambashare" group
* users were not added to this group (because that crazy scriptlet was run when building ISO), instead add members of the group "wheel" into "sambashare" at glibc resolve time via libnss-role
(not-admins are not in wheel and do not need ability to manage Samba shares)
* do not pull all this into non-desktop distros
* own directory for shares properly
* use systemd-sysusers to create groups based on configs

samba-server.sysusers.conf

@@ -0,0 +1,2 @@
+g sambashare - -
+g machines - -

samba.spec

@@ -119,6 +119,7 @@ Source41:	openldap-samba.conf
 %if %{with avahi_service}
 Source42:	avahi_samba.xml
 %endif
+Source43:	samba-server.sysusers.conf
 Source100:	%{name}.rpmlintrc
 
 Patch2:		samba-4.3.11-winbind-service.patch
@@ -246,6 +247,9 @@ Requires:	%{name}-client = %{EVRD}
 Requires:	%{name}-winbind = %{EVRD}
 # pull deps for python scripts
 Requires:	python3-%{name} = %{EVRD}
+# distro-type(desktop) is provided by branding-configs
+Recommends:	(%{name}-share-role if distro-type(desktop))
+Requires(pre):	/bin/systemd-sysusers
 # samba.service is domain controller
 Provides:	samba = %{EVRD}
 
@@ -299,19 +303,14 @@ implementation details.
 %{_unitdir}/samba.service
 %{_unitdir}/smb.service
 %{_unitdir}/nmb.service
+%{_sysusersdir}/samba-server.conf
+%attr(1770,root,sambashare) %dir %{smb_usershare_dir}
 %config(noreplace) %{_sysconfdir}/sysconfig/samba
 
+%pre server
+%sysusers_create_package samba-server %{SOURCE43}
+
 %post server
-# Add a unix group for samba machine accounts
-groupadd -frg 421 machines
-
-# https://wiki.archlinux.org/index.php/Samba#Enable_usershares
-groupadd -frg 430 sambashare
-mkdir -p %{smb_usershare_dir}
-chown root:sambashare %{smb_usershare_dir}
-chmod 1770 %{smb_usershare_dir}
-for u in $(awk -F: '$6 ~ /\/home/ && $3 >= 500 {print $1}' /etc/passwd); do usermod -a -G sambashare $u; done
-
 %systemd_post nmb.service
 %systemd_post smb.service
 
@@ -335,6 +334,22 @@ fi
 
 #----------------------------------------------------------------------------
 
+%package share-role
+Summary:	Allow users from the "wheel" group to manage Samba shares
+Group:		System/Configuration/Other
+Requires:	libnss-tole
+
+%description share-role
+Allow users from the "wheel" group to manage Samba shares.
+Install this package to automatically add any member of the group "wheel"
+to the group "sambashare". It will allow admin users of graphical desktops
+to create and manage Samba shares from GUIs like file managers.
+
+%files share-role
+%config(noreplace) %{_sysconfdir}/role.d/sambashare.role
+
+#----------------------------------------------------------------------------
+
 %package -n %{libsambalibs}
 Summary:	Samba libraries
 Group:		System/Libraries
@@ -1354,6 +1369,7 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/%{name}/private
 mkdir -p %{buildroot}%{_localstatedir}/lib/%{name}/{netlogon,profiles,printers}
 mkdir -p %{buildroot}%{_localstatedir}/lib/%{name}/printers/{W32X86,WIN40,W32ALPHA,W32MIPS,W32PPC}
 mkdir -p %{buildroot}%{_localstatedir}/lib/%{name}/codepages/src
+mkdir -p %{buildroot}%{smb_usershare_dir}
 mkdir -p %{buildroot}/%{_lib}/security
 mkdir -p %{buildroot}%{_libdir}/pkgconfig
 mkdir -p %{buildroot}%{_sbindir}
@@ -1428,6 +1444,13 @@ rm -f %{buildroot}%{perl_archlib}/vendor_perl/auto/Parse/Pidl/.packlist
 rm -rf %{buildroot}%{perl_vendorlib}/Parse/Yapp
 )
 
+# Make managing Samba shares from GUIs (e.g. Dolphin, Thunar) work out of the box where needed
+mkdir -p %{buildroot}%{_sysconfdir}/role.d
+echo "wheel: sambashare" > %{buildroot}%{_sysconfdir}/role.d/sambashare.role
+
+mkdir -p %{buildroot}%{_sysusersdir}
+cat %{SOURCE43} > %{buildroot}%{_sysusersdir}/samba-server.conf
+
 %if %{with avahi_service}
 mkdir -p %{buildroot}%{_sysconfdir}/avahi/services/
 install -m 0644 %{SOURCE42} %{buildroot}%{_sysconfdir}/avahi/services/smb.service