Samba4 patch for manipulating Unix attributes via ADUC

[Gémes Géza]

2012-07-12 10:01 keltezéssel, Andrew Bartlett írta:
> On Thu, 2012-07-12 at 07:36 +0200, Gémes Géza wrote:
>> 2012-07-12 03:02 keltezéssel, Andrew Bartlett írta:
>>> On Wed, 2012-07-11 at 23:55 +0200, Gémes Géza wrote:
>>>> Hi,
>>>>
>>>> The attached patch makes it possible to provision in a way
>>>> (--fake-ypserver=yes) that allows manipulating the Unix attributes of
>>>> users/groups via ADUC.
>>>> It does that by provisioning as if it would be used by the MS NIS server.
>>>>
>>>> Please review the attached patch.
>>>>
>>>> Cheers
>>>>
>>>> Geza
>>>>
>>>> P.S. I've started working on a patch which (based on this one) would
>>>> allow to keep all the Unix attributes when doing a classicupgrade.
>>> Great!
>>>
>>> Let me know if I can help.
>>>
>>> My suggestion is to extract the ldap password from the secrets.tdb and
>>> then use it and the bind dn to connect to the ldap server using ldb.
>>> Then you should be able to modify the AD user by setting values on the
>>> user, as found by SID (eg <SID=S-1-2-3>) like the current 'import uid
>>> and gid mappings into AD' code does.
>>>
>>> Naturally, this would be conditional on us connecting to an LDAP passdb
>>> backend (unless you just want to do it based on getpwnam()).
>>>
>>> Thanks!
>>>
>>> Andrew Bartlett
>>>
>> Hi Andrew,
>>
>> I try to do that in reverse order: first try getpwnam and if it fails
>> (non in the place upgrades) then ldap.
> I would generally prefer we went to ldap as preference.  We do that for
> other parts of the migration, as we set ldapsam:trusted=yes.
>
Will change that.
>> Currently I try to extract the
>> ldap password via secrets_db.__getitem__ but that is clearly not the
>> best way. I would be glad if you could suggest a better alternative.
> See source4/scripting/python/samba/samba3.py and how we get the machine
> account password.
Thanks, found it in the meantime: secrets_db.get_ldap_bind_pw(ldapuser)
>
> Thanks,
>
> Andrew Bartlett
>

Thank you!

Geza Gemes