Samba4 patch for manipulating Unix attributes via ADUC

Gémes Géza geza at kzsdabas.hu
Thu Jul 12 06:37:25 MDT 2012


On 2012-07-12 11:53, Andrew Bartlett wrote:
> On Thu, 2012-07-12 at 11:45 +0200, Gémes Géza wrote:
>> On 2012-07-12 11:13, Gémes Géza wrote:
>>> On 2012-07-12 11:08, Andrew Bartlett wrote:
>>>> On Thu, 2012-07-12 at 10:26 +0200, Gémes Géza wrote:
>>>>> On 2012-07-12 10:00, Andrew Bartlett wrote:
>>>>>> On Thu, 2012-07-12 at 07:46 +0200, Gémes Géza wrote:
>>>>>>> On 2012-07-12 03:11, Andrew Bartlett wrote:
>>>>>>>> On Wed, 2012-07-11 at 23:55 +0200, Gémes Géza wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> The attached patch makes it possible to provision in a way
>>>>>>>>> (--fake-ypserver=yes) that allows manipulating the Unix
>>>>>>>>> attributes of
>>>>>>>>> users/groups via ADUC.
>>>>>>>>> It does that by provisioning as if it would be used by the MS
>>>>>>>>> NIS server.
>>>>>>>>>
>>>>>>>>> Please review the attached patch.
>>>>>>>> It certainly looks like a good idea, and I really appreciate getting
>>>>>>>> patches for important practical administration issues such as this.
>>>>>>>>
>>>>>>>> I have a few questions/concerns:
>>>>>>>>
>>>>>>>> How does the max uid/gid thing work, particularly with
>>>>>>>> distributed user
>>>>>>>> creation?  (This is why we never tried this before, because we
>>>>>>>> were told
>>>>>>>> that no such mechanism existed).
>>>>>>>>
>>>>>>>> We need to ensure the default for these values is sensible for s3
>>>>>>>> upgrades, and is somehow correlated with the default idmap range
>>>>>>>> otherwise
>>>>>>>>
>>>>>>>> I think that this should be tied to setting 'use rfc2307' by
>>>>>>>> default in
>>>>>>>> the smb.conf, and we should probably refer to it as NIS or NIS/YP
>>>>>>>> rather
>>>>>>>> than YP.  To avoid adding too many different parameters to
>>>>>>>> provision,
>>>>>>>> the NIS domain should just be the netbios domain name (folks can
>>>>>>>> always
>>>>>>>> change it later if need be).
>>>>>>>>
>>>>>>>> The other UID allocation scheme we should consider is the
>>>>>>>> trustPosixOffset and RID scheme.
>>>>>>>>
>>>>>>>> Andrew Bartlett
>>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> The patch does no more than the MS approach: transfers the
>>>>>>> responsibility to the administrator. It does not enforce any policy
>>>>>>> except a suggestion based on the current MAXUID/MAXGID.
>>>>>> So it becomes a default in a GUI somewhere, or?  What is it used for?
>>>>> If you try to allocate posix attributes (via ADUC) the default uid
>>>>> offered is the value set for MAXUID, the same holds true for gids.
>>>> Thanks.
>>>>
>>>>>>> For the s3 upgrade code I think MAXUID/MAXGID is going to be set
>>>>>>> to the
>>>>>>> max of current uids/gids + 1.
>>>>>>>
>>>>>>> Do you suggest to change the patch to provision the fake NIS if
>>>>>>> use_rfc2307 was set? I didn't want to be that invasive, but if you as
>>>>>>> the author of that option say so I'm happy to reduce the number of
>>>>>>> options.
>>>>>> I think fewer configuration combinations is a better thing.
>>>>> Will modify it accordingly
>>>>>>> Currently the nisdomain is nothing but domainname.lower()
>>>>>> I noticed, which is why I suggested to push it further down the stack.
>>>>> Do you suggest to replace nisdomain occurrences altogether by
>>>>> domainname.lower() ?
>>>> Just do it as the argument to provision_fake_ypserver()
>>>>
>>>>>>> trustPosixOffset would certainly reduce the cross-domain uid/gid
>>>>>>> allocation problems.
>>>>>> As always, this needs someone to implement it :-)
>>>>>>
>>>>>> (Including the PDC master handling the allocation of offsets)
>>>>>>
>>>>>> Andrew Bartlett
>>>>>>
>>>>> Geza Gemes
>>>> Some further comments:
>>>>
>>>> Please try to minimise the ldif, while still getting the right entries.
>>>>
>>>> A number of attributes don't need to be specified, as we will
>>>> automatically add them.  name is one example, but also check things like
>>>> showInAdvancedViewOnly and admin*.  In particular, things like name don't
>>>> need to be set.  Even cn doesn't need to be set, if it is already in the
>>>> DN.
>>>>
>>>> Use samba-tool ldapcmp to compare directory trees to validate the
>>>> output.
>>>>
>>>> Thanks!
>>>>
>>>> Andrew Bartlett
>>>>
>>> Going to implement the suggested changes, will send the revised patch
>>> shortly.
>>>
>>> Cheers
>>>
>>> Geza Gemes
>>>
>> Hi,
>>
>> Please review the revised patch.
> This is looking good.  As msSFU30MaxUidNumber/msSFU30MaxGidNumber is not
> a MUST attribute in the schema, could we consider making the default
> None (and then not specify them into the db by default)?
>
> This new default is the main aspect of the patch I am not comfortable
> with at the moment.  What does the AD GUI do if these are not set?
>
> Skipping these would also allow us time to better express the command
> line option help, as it needs to indicate clearly that Samba will never
> actually allocate based on these parameters.
>
> Thanks,
>
> Andrew Bartlett
Hi,

It seems that ADUC has a built-in default (both for uids and gids):
10000. After setting the value for a user/group the corresponding
msSFU30MaxUidNumber/msSFU30MaxGidNumber gets filled.

Shall I remove those attributes from the ldif for now?

Cheers

Geza Gemes
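The thread's points about the s3-upgrade default (max of the current ids + 1), ADUC's built-in 10000 fallback, and the collision risk when allocation is left to administrators, as an added example that is not part of the patch or of Samba: a hypothetical Python audit over a constructed LDIF export. The idmap range used for the range check is an assumption.

```python
"""Hypothetical audit of RFC2307 ids before letting ADUC manage them (not Samba code).
Flags duplicate or out-of-idmap-range uidNumber/gidNumber values in an LDIF export
and derives the msSFU30Max*Number value the thread describes: max + 1, or ADUC's 10000."""
from collections import defaultdict

ADUC_DEFAULT = 10000  # built-in ADUC starting value reported in the thread

# Constructed sample export: the duplicate 10002 and the uid 500 (below the
# assumed idmap range) are deliberate.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
uidNumber: 10001

dn: CN=bob,CN=Users,DC=example,DC=com
uidNumber: 10002

dn: CN=carol,CN=Users,DC=example,DC=com
uidNumber: 10002

dn: CN=legacy,CN=Users,DC=example,DC=com
uidNumber: 500

dn: CN=staff,CN=Users,DC=example,DC=com
gidNumber: 20000
"""

def parse_ldif(text):
    """Return one {attr: [values]} dict per blank-line-separated LDIF entry."""
    entries, cur = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(dict(cur))
                cur = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        cur[attr.strip()].append(value.strip())
    if cur:
        entries.append(dict(cur))
    return entries

def audit(entries, attr, idmap_range=(10000, 999999)):
    """Return (suggested max+1, {dup id: [dns]}, [ids outside idmap_range])."""
    owners = defaultdict(list)  # id -> list of DNs that carry it
    for e in entries:
        for v in e.get(attr, []):
            owners[int(v)].append(e["dn"][0])
    dups = {v: dns for v, dns in owners.items() if len(dns) > 1}
    lo, hi = idmap_range  # assumed range; Samba never allocates from msSFU30Max*
    out_of_range = sorted(v for v in owners if not lo <= v <= hi)
    suggested = max(owners) + 1 if owners else ADUC_DEFAULT
    return suggested, dups, out_of_range
```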
