Samba4 patch for manipulating Unix attributes via ADUC

Andrew Bartlett abartlet at samba.org
Thu Jul 12 03:08:50 MDT 2012


On Thu, 2012-07-12 at 10:26 +0200, Gémes Géza wrote:
> On 2012-07-12 10:00, Andrew Bartlett wrote:
> > On Thu, 2012-07-12 at 07:46 +0200, Gémes Géza wrote:
> >> On 2012-07-12 03:11, Andrew Bartlett wrote:
> >>> On Wed, 2012-07-11 at 23:55 +0200, Gémes Géza wrote:
> >>>> Hi,
> >>>>
> >>>> The attached patch makes it possible to provision in a way
> >>>> (--fake-ypserver=yes) that allows manipulating the Unix attributes of
> >>>> users/groups via ADUC.
> >>>> It does that by provisioning as if it would be used by the MS NIS server.
> >>>>
> >>>> Please review the attached patch.
> >>> It certainly looks like a good idea, and I really appreciate getting
> >>> patches for important practical administration issues such as this.
> >>>
> >>> I have a few questions/concerns:
> >>>
> >>> How does the max uid/gid thing work, particularly with distributed user
> >>> creation?  (This is why we never tried this before, because we were told
> >>> that no such mechanism existed).
> >>>
> >>> We need to ensure the default for these values is sensible for s3
> >>> upgrades, and is somehow correlated with the default idmap range
> >>> otherwise
> >>>
> >>> I think that this should be tied to setting 'use rfc2307' by default in
> >>> the smb.conf, and we should probably refer to it as NIS or NIS/YP rather
> >>> than YP.  To avoid adding too many different parameters to provision,
> >>> the NIS domain should just be the netbios domain name (folks can always
> >>> change it later if need be).
> >>>
> >>> The other UID allocation scheme we should consider is the
> >>> trustPosixOffset and RID scheme.
> >>>
> >>> Andrew Bartlett
> >>>
> >> Hi,
> >>
> >> The patch does no more than the MS approach: transfers the
> >> responsibility to the administrator. It does not enforce any policy
> >> except a suggestion based on the current MAXUID/MAXGID.
> > So it becomes a default in a GUI somewhere, or?  What is it used for?
> If you try to allocate posix attributes (via ADUC) the default uid 
> offered is the value set for MAXUID, the same holds true for gids.

Thanks.  

> >> For the s3 upgrade code I think MAXUID/MAXGID is going to be set to the
> >> max of current uids/gids + 1.
> >>
> >> Do you suggest to change the patch to provision the fake NIS if
> >> use_rfc2307 was set? I didn't want to be that invasive, but if you as
> >> the author of that option says so I'm happy to reduce the number of
> >> options.
> > I think less configuration combinations is a better thing.
> Will modify it accordingly
> >
> >> Currently the nisdomain is nothing but domainname.lower()
> > I noticed, which is why I suggested to push it further down the stack.
> Do you suggest to replace nisdomain occurrences altogether by 
> domainname.lower() ?

Just do it as the argument to provision_fake_ypserver()

> >> trustPosixOffset would certainly reduce the crossdomain uid/gid
> >> allocation problems.
> > As always, this needs someone to implement it :-)
> >
> > (Including the PDC master handling the allocation of offsets)
> >
> > Andrew Bartlett
> >
> Geza Gemes

Some further comments:

Please try to minimise the ldif, while still getting the right entries. 

A number of attributes don't need to be specified, as we will
automatically add them.  name is one example, but also check things like
showInAdvancedViewOnly and admin*.  In particular, things like name don't
need to be set.  Even cn doesn't need to be set, if it is already in the
DN.

Use samba-tool ldapcmp to compare directory trees to validate the
output.

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
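An added example, not code from the patch, from Samba or from anyone in this thread, that applies the LDIF minimisation rule given above (drop `name`, drop `cn` when it only repeats the RDN already in the DN) to LDIF text; the sample entries and DNs are constructed for illustration:

```python
import re

# Attributes the thread says provisioning derives itself, so they never
# need to appear in the LDIF (only 'name' is named explicitly above).
ALWAYS_DERIVED = {"name"}

# Constructed sample LDIF: the first entry carries redundant name/cn values,
# the second has a cn that differs from its RDN and must be kept.
SAMPLE_LDIF = """\
dn: CN=example,CN=System,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: container
cn: example
name: example
showInAdvancedViewOnly: TRUE

dn: CN=Other,CN=System,DC=samdom,DC=example,DC=com
objectClass: container
cn: different
"""

def parse_ldif(text):
    """Split LDIF into [(dn, [(attr, value), ...])], joining folded lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]          # LDIF continuation line
            elif line and not line.startswith("#"):
                lines.append(line)
        attrs = [(a, v) for a, _, v in (l.partition(": ") for l in lines)]
        dn = next(v for a, v in attrs if a.lower() == "dn")
        entries.append((dn, [(a, v) for a, v in attrs if a.lower() != "dn"]))
    return entries

def rdn_of(dn):
    """Return (attr, value) of the leftmost RDN, e.g. ('CN', 'example')."""
    attr, value = dn.split(",", 1)[0].split("=", 1)
    return attr.strip(), value.strip()

def minimise_entry(dn, attrs):
    """Drop attributes that provisioning would add anyway for this entry."""
    rdn_attr, rdn_val = rdn_of(dn)
    kept = []
    for attr, value in attrs:
        if attr.lower() in ALWAYS_DERIVED:
            continue                           # always derived by provision
        if attr.lower() == rdn_attr.lower() and value == rdn_val:
            continue                           # e.g. cn already in the DN
        kept.append((attr, value))
    return kept

def minimise_ldif(text):
    """Re-emit the LDIF with each entry reduced by minimise_entry()."""
    out = []
    for dn, attrs in parse_ldif(text):
        body = [f"{a}: {v}" for a, v in minimise_entry(dn, attrs)]
        out.append("\n".join(["dn: " + dn] + body))
    return "\n\n".join(out) + "\n"
```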
