Additional sambaAccountType in samba.schema?
Volker Lendecke
Volker.Lendecke at SerNet.DE
Wed Apr 13 16:08:46 GMT 2005
Hi!
While trying to get querydispinfo for large domains sane it becomes more and
more obvious that we need to tell the difference between the different account
types in LDAP. Subsearches for *U* in sambaAcctFlags did not work for me. We
know about:
enum SID_NAME_USE
{
SID_NAME_USE_NONE = 0,
SID_NAME_USER = 1, /* user */
SID_NAME_DOM_GRP, /* domain group */
SID_NAME_DOMAIN, /* domain sid */
SID_NAME_ALIAS, /* local group */
SID_NAME_WKN_GRP, /* well-known group */
SID_NAME_DELETED, /* deleted account: needed for c2 rating */
SID_NAME_INVALID, /* invalid account */
SID_NAME_UNKNOWN, /* unknown sid type */
SID_NAME_COMPUTER /* sid for a computer */
};
The group types are already used in the sambaGroupType attribute, I'd like to
use this in the sambaSamAccount as well. We might use sambaAccountType as the
attribute name. This would make it possible to restrict an LDAP search to only
machines for querydispinfo level 2.
Adding this as is no problem, migration however is. What about a
sambaSamVersion attribute for the sambaDomainObject together with a migration
script? This might make future changes possible as well.
Comments?
Volker
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20050413/c2527f91/attachment.bin
More information about the samba-technical
mailing list