Samba4 patch for manipulating Unix attributes via ADUC

Andrew Bartlett abartlet at
Wed Jul 11 19:11:42 MDT 2012

On Wed, 2012-07-11 at 23:55 +0200, Gémes Géza wrote:
> Hi,
> The attached patch makes it possible to provision in a way 
> (--fake-ypserver=yes) that allows manipulating the Unix attributes of 
> users/groups via ADUC.
> It does that by provisioning as if it would be used by the MS NIS server.
> Please review the attached patch.

It certainly looks like a good idea, and I really appreciate getting
patches for important practical administration issues such as this. 

I have a few questions/concerns:

How does the max uid/gid thing work, particularly with distributed user
creation?  (This is why we never tried this before, because we were told
that no such mechanism existed).  

We need to ensure the default for these values is sensible for s3
upgrades, and is somehow correlated with the default idmap range.

I think that this should be tied to setting 'use rfc2307' by default in
the smb.conf, and we should probably refer to it as NIS or NIS/YP rather
than YP.  To avoid adding too many different parameters to provision,
the NIS domain should just be the netbios domain name (folks can always
change it later if need be). 

The other UID allocation scheme we should consider is the
trustPosixOffset and RID scheme.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
