Samba4 patch for manipulating Unix attributes via ADUC
abartlet at samba.org
Thu Jul 12 02:00:17 MDT 2012
On Thu, 2012-07-12 at 07:46 +0200, Gémes Géza wrote:
> On 2012-07-12 03:11, Andrew Bartlett wrote:
> > On Wed, 2012-07-11 at 23:55 +0200, Gémes Géza wrote:
> >> Hi,
> >> The attached patch makes it possible to provision in a way
> >> (--fake-ypserver=yes) that allows manipulating the Unix attributes of
> >> users/groups via ADUC.
> >> It does that by provisioning as if it would be used by the MS NIS server.
> >> Please review the attached patch.
> > It certainly looks like a good idea, and I really appreciate getting
> > patches for important practical administration issues such as this.
> > I have a few questions/concerns:
> > How does the max uid/gid thing work, particularly with distributed user
> > creation? (This is why we never tried this before, because we were told
> > that no such mechanism existed).
> > We need to ensure the default for these values is sensible for s3
> > upgrades, and is somehow correlated with the default idmap range
> > otherwise
> > I think that this should be tied to setting 'use rfc2307' by default in
> > the smb.conf, and we should probably refer to it as NIS or NIS/YP rather
> > than YP. To avoid adding too many different parameters to provision,
> > the NIS domain should just be the netbios domain name (folks can always
> > change it later if need be).
> > The other UID allocation scheme we should consider is the
> > trustPosixOffset and RID scheme.
> > Andrew Bartlett
> The patch does no more than the MS approach: transfers the
> responsibility to the administrator. It does not enforce any policy
> except a suggestion based on the current MAXUID/MAXGID.
So it becomes a default in a GUI somewhere, or? What is it used for?
> For the s3 upgrade code I think MAXUID/MAXGID is going to be set to the
> max of current uids/gids + 1.
> Do you suggest to change the patch to provision the fake NIS if
> use_rfc2307 was set? I didn't want to be that invasive, but if you as
> the author of that option says so I'm happy to reduce the number of
I think fewer configuration combinations is a better thing.
> Currently the nisdomain is nothing but domainname.lower()
I noticed, which is why I suggested to push it further down the stack.
> TrustPosixOffset would certainly reduce the crossdomain uid/gid
> allocation problems.
As always, this needs someone to implement it :-)
(Including the PDC master handling the allocation of offsets)
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org