Samba4 patch for manipulating Unix attributes via ADUC

Gémes Géza geza at kzsdabas.hu
Thu Jul 12 03:13:14 MDT 2012


On 2012-07-12 11:08, Andrew Bartlett wrote:
> On Thu, 2012-07-12 at 10:26 +0200, Gémes Géza wrote:
>> On 2012-07-12 10:00, Andrew Bartlett wrote:
>>> On Thu, 2012-07-12 at 07:46 +0200, Gémes Géza wrote:
>>>> On 2012-07-12 03:11, Andrew Bartlett wrote:
>>>>> On Wed, 2012-07-11 at 23:55 +0200, Gémes Géza wrote:
>>>>>> Hi,
>>>>>>
>>>>>> The attached patch makes it possible to provision in a way
>>>>>> (--fake-ypserver=yes) that allows manipulating the Unix attributes of
>>>>>> users/groups via ADUC.
>>>>>> It does that by provisioning as if it would be used by the MS NIS server.
>>>>>>
>>>>>> Please review the attached patch.
>>>>> It certainly looks like a good idea, and I really appreciate getting
>>>>> patches for important practical administration issues such as this.
>>>>>
>>>>> I have a few questions/concerns:
>>>>>
>>>>> How does the max uid/gid thing work, particularly with distributed user
>>>>> creation?  (This is why we never tried this before, because we were told
>>>>> that no such mechanism existed).
>>>>>
>>>>> We need to ensure the default for these values is sensible for s3
>>>>> upgrades, and is somehow correlated with the default idmap range
>>>>> otherwise
>>>>>
>>>>> I think that this should be tied to setting 'use rfc2307' by default in
>>>>> the smb.conf, and we should probably refer to it as NIS or NIS/YP rather
>>>>> than YP.  To avoid adding too many different parameters to provision,
>>>>> the NIS domain should just be the netbios domain name (folks can always
>>>>> change it later if need be).
>>>>>
>>>>> The other UID allocation scheme we should consider is the
>>>>> trustPosixOffset and RID scheme.
>>>>>
>>>>> Andrew Bartlett
>>>>>
>>>> Hi,
>>>>
>>>> The patch does no more than the MS approach: transfers the
>>>> responsibility to the administrator. It does not enforce any policy
>>>> except a suggestion based on the current MAXUID/MAXGID.
>>> So it becomes a default in a GUI somewhere, or?  What is it used for?
>> If you try to allocate posix attributes (via ADUC) the default uid
>> offered is the value set for MAXUID, the same holds true for gids.
> Thanks.
>
>>>> For the s3 upgrade code I think MAXUID/MAXGID is going to be set to the
>>>> max of current uids/gids + 1.
>>>>
>>>> Do you suggest to change the patch to provision the fake NIS if
>>>> use_rfc2307 was set? I didn't want to be that invasive, but if you as
>>>> the author of that option says so I'm happy to reduce the number of
>>>> options.
>>> I think less configuration combinations is a better thing.
>> Will modify it accordingly
>>>> Currently the nisdomain is nothing but domainname.lower()
>>> I noticed, which is why I suggested to push it further down the stack.
>> Do you suggest to replace nisdomain occurrences altogether by
>> domainname.lower() ?
> Just do it as the argument to provision_fake_ypserver()
>
>>>> trustPosixOffset would certainly reduce the cross-domain uid/gid
>>>> allocation problems.
>>> As always, this needs someone to implement it :-)
>>>
>>> (Including the PDC master handling the allocation of offsets)
>>>
>>> Andrew Bartlett
>>>
>> Geza Gemes
> Some further comments:
>
> Please try to minimise the ldif, while still getting the right entries.
>
> A number of attributes don't need to be specified, as we will
> automatically add them.  name is one example, but also check things like
> showInAdvancedViewOnly, admin*.  In particular, things like name don't
> need to be set.  Even cn doesn't need to be set, if it is already in the
> DN.
>
> Use samba-tool ldapcmp to compare directory trees to validate the
> output.
>
> Thanks!
>
> Andrew Bartlett
>
Going to implement the suggested changes, will send the revised patch shortly.

Cheers

Geza Gemes
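The thread notes that the patch enforces no uid/gid policy beyond suggesting MAXUID/MAXGID, and that the upgrade default is "max of current uids/gids + 1". The following is an added example, not code from the patch or from Samba: it audits a constructed LDIF export for uidNumber/gidNumber collisions and values outside an assumed idmap range, and computes that max + 1 value.

```python
# Added example, not part of the patch under discussion. Audits an LDIF export
# (constructed sample below) for uidNumber collisions, values outside the idmap
# range, and the "max + 1" value the thread mentions for MAXUID/MAXGID.
from collections import defaultdict

SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
uidNumber: 10000

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
uidNumber: 10001

dn: CN=carol,CN=Users,DC=example,DC=com
objectClass: user
uidNumber: 10001

dn: CN=svc-backup,CN=Users,DC=example,DC=com
objectClass: user
uidNumber: 65

dn: CN=staff,CN=Users,DC=example,DC=com
objectClass: group
gidNumber: 10000
"""

def parse_ldif(text):
    """Minimal LDIF parser (no base64 values or line folding): list of {attr: [values]}."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry[attr.strip()].append(value.strip())
        entries.append(entry)
    return entries

def audit_ids(entries, attr, id_range, object_class):
    """Audit uidNumber on users or gidNumber on groups: (duplicates, out_of_range, max + 1)."""
    owners = defaultdict(list)  # numeric id -> DNs that carry it
    for e in entries:
        if object_class in e.get("objectClass", []):
            for v in e.get(attr, []):
                owners[int(v)].append(e["dn"][0])
    lo, hi = id_range
    duplicates = {n: dns for n, dns in owners.items() if len(dns) > 1}
    out_of_range = {n: dns for n, dns in owners.items() if not lo <= n <= hi}
    next_free = max(owners) + 1 if owners else lo
    return duplicates, out_of_range, next_free
```

Run `audit_ids(parse_ldif(SAMPLE_LDIF), "uidNumber", (10000, 19999), "user")` to see the collision on 10001 and the out-of-range uid 65; the range (10000, 19999) is an assumption standing in for the site's idmap range.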