Samba4 patch for manipulating Unix attributes via ADUC

Andrew Bartlett abartlet at samba.org
Thu Jul 12 02:01:47 MDT 2012


On Thu, 2012-07-12 at 07:36 +0200, Gémes Géza wrote:
> On 2012-07-12 at 03:02, Andrew Bartlett wrote:
> > On Wed, 2012-07-11 at 23:55 +0200, Gémes Géza wrote:
> >> Hi,
> >>
> >> The attached patch makes it possible to provision in a way
> >> (--fake-ypserver=yes) that allows manipulating the Unix attributes of
> >> users/groups via ADUC.
> >> It does that by provisioning as if it would be used by the MS NIS server.
> >>
> >> Please review the attached patch.
> >>
> >> Cheers
> >>
> >> Geza
> >>
> >> P.S. I've started working on a patch which (based on this one) would
> >> allow keeping all the Unix attributes when doing a classicupgrade.
> > Great!
> >
> > Let me know if I can help.
> >
> > My suggestion is to extract the ldap password from the secrets.tdb and
> > then use it and the bind dn to connect to the ldap server using ldb.
> > Then you should be able to modify the AD user by setting values on the
> > user, as found by SID (eg <SID=S-1-2-3>) like the current 'import uid
> > and gid mappings into AD' code does.
> >
> > Naturally, this would be conditional on us connecting to an LDAP passdb
> > backend (unless you just want to do it based on getpwnam()).
> >
> > Thanks!
> >
> > Andrew Bartlett
> >
> Hi Andrew,
> 
> I try to do that in reverse order: first try getpwnam and if it fails
> (non-in-place upgrades) then ldap.

I would generally prefer we went to ldap as preference.  We do that for
other parts of the migration, as we set ldapsam:trusted=yes. 

> Currently I try to extract the 
> ldap password via secrets_db.__getitem__ but that is clearly not the 
> best way. I would be glad if you could suggest a better alternative.

See source4/scripting/python/samba/samba3.py and how we get the machine
account password.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org


