Samba4 patch for manipulating Unix attributes via ADUC

Gémes Géza geza at kzsdabas.hu
Thu Jul 12 03:45:28 MDT 2012


On 2012-07-12 11:13, Gémes Géza wrote:
> On 2012-07-12 11:08, Andrew Bartlett wrote:
>> On Thu, 2012-07-12 at 10:26 +0200, Gémes Géza wrote:
>>> 2012-07-12 10:00 keltezéssel, Andrew Bartlett írta:
>>>> On Thu, 2012-07-12 at 07:46 +0200, Gémes Géza wrote:
>>>>> 2012-07-12 03:11 keltezéssel, Andrew Bartlett írta:
>>>>>> On Wed, 2012-07-11 at 23:55 +0200, Gémes Géza wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> The attached patch makes it possible to provision in a way
>>>>>>> (--fake-ypserver=yes) that allows manipulating the Unix
>>>>>>> attributes of users/groups via ADUC.
>>>>>>> It does that by provisioning as if it would be used by the MS
>>>>>>> NIS server.
>>>>>>>
>>>>>>> Please review the attached patch.
>>>>>> It certainly looks like a good idea, and I really appreciate getting
>>>>>> patches for important practical administration issues such as this.
>>>>>>
>>>>>> I have a few questions/concerns:
>>>>>>
>>>>>> How does the max uid/gid thing work, particularly with
>>>>>> distributed user creation?  (This is why we never tried this
>>>>>> before, because we were told that no such mechanism existed).
>>>>>>
>>>>>> We need to ensure the default for these values is sensible for s3
>>>>>> upgrades, and is somehow correlated with the default idmap range
>>>>>> otherwise
>>>>>>
>>>>>> I think that this should be tied to setting 'use rfc2307' by
>>>>>> default in the smb.conf, and we should probably refer to it as NIS
>>>>>> or NIS/YP rather than YP.  To avoid adding too many different
>>>>>> parameters to provision, the NIS domain should just be the netbios
>>>>>> domain name (folks can always change it later if need be).
>>>>>>
>>>>>> The other UID allocation scheme we should consider is the
>>>>>> trustPosixOffset and RID scheme.
>>>>>>
>>>>>> Andrew Bartlett
>>>>>>
>>>>> Hi,
>>>>>
>>>>> The patch does no more than the MS approach: transfers the
>>>>> responsibility to the administrator. It does not enforce any policy
>>>>> except a suggestion based on the current MAXUID/MAXGID.
>>>> So it becomes a default in a GUI somewhere, or?  What is it used for?
>>> If you try to allocate posix attributes (via ADUC) the default uid
>>> offered is the value set for MAXUID, the same holds true for gids.
>> Thanks.
>>
>>>>> For the s3 upgrade code I think MAXUID/MAXGID is going to be set
>>>>> to the max of current uids/gids + 1.
>>>>>
>>>>> Do you suggest to change the patch to provision the fake NIS if
>>>>> use_rfc2307 was set? I didn't want to be that invasive, but if you as
>>>>> the author of that option says so I'm happy to reduce the number of
>>>>> options.
>>>> I think fewer configuration combinations is a better thing.
>>> Will modify it accordingly
>>>>> Currently the nisdomain is nothing but domainname.lower()
>>>> I noticed, which is why I suggested to push it further down the stack.
>>> Do you suggest to replace nisdomain occurrences altogether by
>>> domainname.lower() ?
>> Just do it as the argument to provision_fake_ypserver()
>>
>>>>> TrustPosixOffset would certainly reduce the cross-domain uid/gid
>>>>> allocation problems.
>>>> As always, this needs someone to implement it :-)
>>>>
>>>> (Including the PDC master handling the allocation of offsets)
>>>>
>>>> Andrew Bartlett
>>>>
>>> Geza Gemes
>> Some further comments:
>>
>> Please try to minimise the ldif, while still getting the right entries.
>>
>> A number of attributes don't need to be specified, as we will
>> automatically add them.  name is one example, but also check things like
>> showInAdvancedViewOnly, admin*.  In particular, things like name don't
>> need to be set.  Even cn doesn't need to be set, if it is already in the
>> DN.
>>
>> Use samba-tool ldapcmp to compare directory trees to validate the
>> output.
>>
>> Thanks!
>>
>> Andrew Bartlett
>>
> Going to implement the suggested changes, will send the revised patch
> shortly.
>
> Cheers
>
> Geza Gemes
>
Hi,

Please review the revised patch.

Cheers

Geza Gemes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: fake_ypserver.diff
Type: text/x-patch
Size: 21989 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120712/24dcbc0d/attachment-0001.bin>
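The thread states that ADUC offers the fake NIS entry's MAXUID/MAXGID as the default uid/gid, that the s3 upgrade sets them to the max of the current ids + 1, and that they should stay correlated with the idmap range. The following is an added example, not code from the patch or from Samba: it derives those defaults from a constructed LDIF snippet and flags a default that would fall inside a configured winbind idmap range. The attribute names msSFU30MaxUidNumber/msSFU30MaxGidNumber, the sample DNs and the idmap range are assumptions.

```python
import re

# Constructed sample: a few RFC2307-enabled users/groups. The real directory
# would be read with ldbsearch/samba-tool; here the LDIF is embedded so the
# check runs offline.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=example,DC=com
uidNumber: 10005
gidNumber: 10000

dn: CN=devs,CN=Users,DC=example,DC=com
gidNumber: 10020
"""

# Assumed idmap range from smb.conf (idmap config * : range = 3000000-4000000).
IDMAP_RANGE = (3000000, 4000000)


def collect_ids(ldif, attr):
    """Return the set of integer values of `attr` found in an LDIF text."""
    return {int(v) for v in re.findall(r"^%s:\s*(\d+)$" % attr, ldif, re.M)}


def next_free(ids, floor=10000):
    """The s3-upgrade rule from the thread: max of current ids + 1
    (falls back to `floor` when no id has been allocated yet)."""
    return max(ids) + 1 if ids else floor


def suggested_nis_defaults(ldif):
    """Values the fake ypservers entry should carry so that ADUC offers an
    unused uid/gid by default. Attribute names are assumed (MS NIS schema)."""
    return {
        "msSFU30MaxUidNumber": next_free(collect_ids(ldif, "uidNumber")),
        "msSFU30MaxGidNumber": next_free(collect_ids(ldif, "gidNumber")),
    }


def overlaps_idmap(defaults, idmap_range):
    """True if either default lies inside the idmap range: an id assigned by an
    admin through ADUC could then collide with one allocated by winbind."""
    lo, hi = idmap_range
    return any(lo <= v <= hi for v in defaults.values())


if __name__ == "__main__":
    defaults = suggested_nis_defaults(SAMPLE_LDIF)
    print(defaults, "overlaps idmap range:", overlaps_idmap(defaults, IDMAP_RANGE))
```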