Fwd: Re: s4: new classicupgrade and uids

Sergey Urushkin urushkin at telros.ru
Wed Aug 8 01:01:13 MDT 2012


Hi.
Some time ago I sent the patch to the list, but didn't get an answer. For
better readability it's attached again.
The problem with it now is that it may set the administrator uid to a non-zero
value (which will break GP editing until appropriate POSIX ACLs are set.
As a workaround: chown -R administrator path/to/sysvol). It may need an
additional warning message.
Also, please take a look at the end of the message; there is a problem
which will likely appear sooner or later with some installations.
What are your thoughts about all this?
Thanks.


-------- Original Message --------
Subject: 	Re: s4: new classicupgrade and uids
Date: 	Tue, 24 Jul 2012 11:57:31 +0400
From: 	Sergey Urushkin <urushkin at telros.ru>
To: 	Andrew Bartlett <abartlet at samba.org>
Cc: 	Samba technical <samba-technical at lists.samba.org>



22.06.2012 14:04, Andrew Bartlett wrote:
> On Fri, 2012-06-22 at 13:42 +0400, Sergey Urushkin wrote:
>
>
> 22.06.2012 12:11, Andrew Bartlett wrote:
>>> On Thu, 2012-06-21 at 16:43 +0400, Sergey Urushkin wrote:
>>>> 2. 'Administrator' hasn't got an uidNumber (while it had it in
>>>> openldap), so it makes me map it manually. Is it a bug or feature?
>>> Simply a bug. 
>> As I wrote in another branch - 'guest' is also affected. Should I write
>> a report, or will it be fixed in place soon?

Hi, here is the patch that fixes this issue:

--- upgrade.py.orig    2012-07-23 09:25:27.000000000 +0400
+++ upgrade.py    2012-07-24 11:40:58.107080685 +0400
@@ -675,8 +675,9 @@
             continue
         username = entry['account_name']
         if entry['rid'] < 1000:
-            logger.info("  Skipping wellknown rid=%d (for
username=%s)", entry['rid'], username)
-            continue
+            if username.lower() != 'administrator' and username.lower()
!= 'guest' and username.lower() != 'krbtgt':
+                logger.info("  Skipping wellknown rid=%d (for
username=%s)", entry['rid'], username.lower())
+                continue
         if entry['rid'] >= next_rid:
             next_rid = entry['rid'] + 1
 
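Review bot: the new condition inside the "rid < 1000" branch identifies the built-in accounts by name only, calling username.lower() three times, and the same three names are repeated in the second hunk. A single module-level tuple such as ('administrator', 'guest', 'krbtgt'), tested with "username.lower() not in ...", would keep the two places in sync. The log call also now prints username.lower() where it previously printed username, which changes the message for accounts that are still skipped; passing username unchanged keeps the log faithful to the source database.
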
@@ -866,7 +867,11 @@
             else:
                 logger.warn('User root has been kept in the directory,
it should be removed in favour of the Administrator user')
 
-        s4_passdb.add_sam_account(userdata[username])
+        if username.lower() == 'administrator' or username.lower() ==
'guest' or username.lower() == 'krbtgt':
+            logger.warn("  Skipping wellknown provisioned user '%s'",
username)
+        else:
+            s4_passdb.add_sam_account(userdata[username])
+
         if username in uids:
             add_ad_posix_idmap_entry(result.samdb,
userdata[username].user_sid, uids[username], "ID_TYPE_UID", logger)
             if (username in homes) and (homes[username] != None) and \
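
Review bot: after the new else branch, the unchanged "if username in uids:" block still calls add_ad_posix_idmap_entry() with userdata[username].user_sid for the three accounts whose add_sam_account() call is now skipped. Nothing in this hunk shows that the SID taken from the old passdb record is the SID of the account that provisioning created, so the idmap entry may refer to a SID that is not in the new directory; looking the SID up in result.samdb, or checking that the two match before adding the entry, would close that gap. This is also the natural place for the warning the message asks for when the Administrator uid is non-zero. The skip itself is expected on every upgrade, so logger.info fits better than logger.warn.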


Also, I have to say that the "if entry['rid'] < 1000:" check gives an error
at the "adding users to groups" stage (nonexistent user). Ways to solve it:
 1. Stop provision with an error if such accounts exist (I think it's the best)
 2. Add some workaround to the function that lists members
 3. Remove this check.

Thanks.

-- 
Best regards,
Sergey Urushkin



