Samba4 patch for manipulating Unix attributes via ADUC

Andrew Bartlett abartlet at
Thu Jul 12 02:00:17 MDT 2012

On Thu, 2012-07-12 at 07:46 +0200, Gémes Géza wrote:
> On 2012-07-12 03:11, Andrew Bartlett wrote:
> > On Wed, 2012-07-11 at 23:55 +0200, Gémes Géza wrote:
> >> Hi,
> >>
> >> The attached patch makes it possible to provision in a way
> >> (--fake-ypserver=yes) that allows manipulating the Unix attributes of
> >> users/groups via ADUC.
> >> It does that by provisioning as if it would be used by the MS NIS server.
> >>
> >> Please review the attached patch.
> > It certainly looks like a good idea, and I really appreciate getting
> > patches for important practical administration issues such as this.
> >
> > I have a few questions/concerns:
> >
> > How does the max uid/gid thing work, particularly with distributed user
> > creation?  (This is why we never tried this before, because we were told
> > that no such mechanism existed).
> >
> > We need to ensure the default for these values is sensible for s3
> > upgrades, and is somehow correlated with the default idmap range
> > otherwise
> >
> > I think that this should be tied to setting 'use rfc2307' by default in
> > the smb.conf, and we should probably refer to it as NIS or NIS/YP rather
> > than YP.  To avoid adding too many different parameters to provision,
> > the NIS domain should just be the netbios domain name (folks can always
> > change it later if need be).
> >
> > The other UID allocation scheme we should consider is the
> > trustPosixOffset and RID scheme.
> >
> > Andrew Bartlett
> >
> Hi,
> The patch does no more than the MS approach: transfers the 
> responsibility to the administrator. It does not enforce any policy 
> except a suggestion based on the current MAXUID/MAXGID.

So it becomes a default in a GUI somewhere, or?  What is it used for?

> For the s3 upgrade code I think MAXUID/MAXGID is going to be set to the 
> max of current uids/gids + 1.
> Do you suggest to change the patch to provision the fake NIS if 
> use_rfc2307 was set? I didn't want to be that invasive, but if you as 
> the author of that option say so I'm happy to reduce the number of 
> options. 

I think fewer configuration combinations is a better thing.

> Currently the nisdomain is nothing but domainname.lower()

I noticed, which is why I suggested to push it further down the stack. 

> TrustPosixOffset would certainly reduce the crossdomain uid/gid 
> allocation problems.

As always, this needs someone to implement it :-)

(Including the PDC master handling the allocation of offsets)

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
