Samba4 patch for manipulating Unix attributes via ADUC

Gémes Géza geza at kzsdabas.hu
Wed Jul 11 23:46:52 MDT 2012


On 2012-07-12 03:11, Andrew Bartlett wrote:
> On Wed, 2012-07-11 at 23:55 +0200, Gémes Géza wrote:
>> Hi,
>>
>> The attached patch makes it possible to provision in a way
>> (--fake-ypserver=yes) that allows manipulating the Unix attributes of
>> users/groups via ADUC.
>> It does that by provisioning as if it would be used by the MS NIS server.
>>
>> Please review the attached patch.
> It certainly looks like a good idea, and I really appreciate getting
> patches for important practical administration issues such as this.
>
> I have a few questions/concerns:
>
> How does the max uid/gid thing work, particularly with distributed user
> creation?  (This is why we never tried this before, because we were told
> that no such mechanism existed).
>
> We need to ensure the default for these values is sensible for s3
> upgrades, and is somehow correlated with the default idmap range
> otherwise
>
> I think that this should be tied to setting 'use rfc2307' by default in
> the smb.conf, and we should probably refer to it as NIS or NIS/YP rather
> than YP.  To avoid adding too many different parameters to provision,
> the NIS domain should just be the netbios domain name (folks can always
> change it later if need be).
>
> The other UID allocation scheme we should consider is the
> trustPosixOffset and RID scheme.
>
> Andrew Bartlett
>
Hi,

The patch does no more than the MS approach: it transfers the
responsibility to the administrator. It does not enforce any policy
except a suggestion based on the current MAXUID/MAXGID.

For the s3 upgrade code I think MAXUID/MAXGID is going to be set to the 
max of current uids/gids + 1.

Do you suggest changing the patch to provision the fake NIS if
use_rfc2307 was set? I didn't want to be that invasive, but if you as
the author of that option say so, I'm happy to reduce the number of
options. Currently the nisdomain is nothing but domainname.lower().

trustPosixOffset would certainly reduce the cross-domain uid/gid
allocation problems.

Cheers

Geza Gemes


