Samba4 patch for manipulating Unix attributes via ADUC
geza at kzsdabas.hu
Thu Jul 12 02:26:58 MDT 2012
2012-07-12 10:00 keltezéssel, Andrew Bartlett írta:
> On Thu, 2012-07-12 at 07:46 +0200, Gémes Géza wrote:
>> 2012-07-12 03:11 keltezéssel, Andrew Bartlett írta:
>>> On Wed, 2012-07-11 at 23:55 +0200, Gémes Géza wrote:
>>>> The attached patch makes it possible to provision in a way
>>>> (--fake-ypserver=yes) that allows manipulating the Unix attributes of
>>>> users/groups via ADUC.
>>>> It does that by provisioning as if it would be used by the MS NIS server.
>>>> Please review the attached patch.
>>> It certainly looks like a good idea, and I really appreciate getting
>>> patches for important practical administration issues such as this.
>>> I have a few questions/concerns:
>>> How does the max uid/gid thing work, particularly with distributed user
>>> creation? (This is why we never tried this before, because we were told
>>> that no such mechanism existed).
>>> We need to ensure the default for these values is sensible for s3
>>> upgrades, and is somehow correlated with the default idmap range
>>> I think that this should be tied to setting 'use rfc2307' by default in
>>> the smb.conf, and we should probably refer to it as NIS or NIS/YP rather
>>> than YP. To avoid adding too many different parameters to provision,
>>> the NIS domain should just be the netbios domain name (folks can always
>>> change it later if need be).
>>> The other UID allocation scheme we should consider is the
>>> trustPosixOffset and RID scheme.
>>> Andrew Bartlett
>> The patch does no more than the MS approach: transfers the
>> responsibility to the administrator. It does not enforce any policy
>> except a suggestion based on the current MAXUID/MAXGID.
> So it becomes a default in a GUI somewhere, or? What is it used for?
If you try to allocate posix attributes (via ADUC) the default uid
offered is the value set for MAXUID, the same holds true for gids.
>> For the s3 upgrade code I think MAXUID/MAXGID is going to be set to the
>> max of current uids/gids + 1.
>> Do you suggest to change the patch to provision the fake NIS if
>> use_rfc2307 was set? I didn't want to be that invasive, but if you as
>> the author of that option says so I'm happy to reduce the number of
> I think less configuration combinations is a better thing.
Will modify it accordingly
>> Currently the nisdomain is nothing but domainname.lower()
> I noticed, which is why I suggested to push it further down the stack.
Do you suggest to replace nisdomain occurrences altogether by
>> TrustPossixOffset would certainly reduce the crossdomain uid/gid
>> allocation problems.
> As always, this needs someone to implement it :-)
> (Including the PDC master handling the allocation of offsets)
> Andrew Bartlett
More information about the samba-technical