Fwd: Re: s4: new classicupgrade and uids
Sergey Urushkin
urushkin at telros.ru
Wed Aug 8 05:21:36 MDT 2012
08.08.2012 12:55, Andrew Bartlett пишет:
> On Wed, 2012-08-08 at 11:01 +0400, Sergey Urushkin wrote:
>> Hi.
>> Some time ago I sent the patch to the list, but didn't get answer. For
>> better readability it's attached again.
>> The problem with it now is that it may set administrator uid to non-zero
>> value (what will break GP editing, until appropriate posix acls is set.
>> As a workaround - chown -R administrator path/to/sysvol). It may need
>> additional warning message.
> My thoughts are that I don't like the upgrade handling any of the well
> known users, except perhaps to assign a UID. Even then, things like
> administrator UID should be connected via the provision() stage.
Then, may be we should add some default uid/gid attributes to wellknown
users/groups on the provision stage (if --use-rfc2307 is used add them
to the directory too). That would also be a step to provision default
posix acls for sysvol. Here is the list which I feel needed and
suggested values.
name : sid : uid/gid
---------------------------------
Administrators : S-1-5-32-544 : 300544 -
should to be synced on all dcs (it's a part of default ms's sysvol
permissions)
Server Operators : S-1-5-32-549 : 300549 - the same
Authenticated Users : S-1-5-11 : 300011 - the same
Local System : S-1-5-18 : 300018/300018 - the same
Administrator : S-1-5-21domain-500 : 0/0
Guest : S-1-5-21domain-501 : nobody's uid/nobody's gid
Anonymous : S-1-5-7 : nobody's gid
What do you think?
>> Also, I have to say that "if entry['rid'] < 1000:" check gives an error
>> at the "adding users to groups" stage (nonexisting user). Ways to solve it:
>> 1. Stop provision with error if such accounts exist (think it's the best)
>> 2. Add some workaround to the function that lists members
>> 3. Remove this check.
> I'm not entirely sure what you mean here. I guess we do need to upgrade
> groups of any well known users we find?
>
If group contains user with rid < 1000 (skipped), then
add_users_to_group ends with error (because this user hasn't been
actually imported), and upgrading fails.
So, if there are 1000 users, we have to wait for a really long time
(while all users are being imported) to just see an error at the end. I
think we should give an error immediately, or test somehow for user
existence in s4 db before trying to add it to some group.
--
Best regards,
Sergey Urushkin
More information about the samba-technical
mailing list