Samba4 patch for manipulating Unix attributes via ADUC

Andrew Bartlett abartlet at
Sat Jul 14 06:05:18 MDT 2012

On Sat, 2012-07-14 at 16:14 +1000, Robert Colquhoun wrote:
> On Thu, Jul 12, 2012 at 11:11 AM, Andrew Bartlett <abartlet at> wrote:
> > How does the max uid/gid thing work, particularly with distributed user
> > creation?  (This is why we never tried this before, because we were told
> > that no such mechanism existed).
> I don't know if this is relevant but openldap has a mechanism for the
> above using overlays:
> Basically the ldap server needs to intercept adds and modifies and call
> a handler which then checks a (hopefully indexed) attribute for
> suitability, i.e. uniqueness.
> I would imagine in any normal system adding or modifying users would
> be well less than 1% of reads and thus safe to make relatively
> expensive operation to perform.
> Adding max uid/gid would require some kind of transaction support as
> would need to increment those values and add the user in a single
> operation or cancel everything.
> The other way is to create some sort of samba private area in ldap and use
> the uids and gids encoded into the dn, as that is guaranteed to be
> unique when doing an add.

The issue is doing this in a distributed way that is safe on a mix of AD
implementations including Samba and Microsoft.

So far, the only safe allocation mechanism is the RID allocation.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
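As an added illustration (not code from this thread, from Samba or from OpenLDAP), here is a constructed Python simulation of the two allocation strategies under discussion: a "max uid + 1" counter that each DC evaluates against its own not-yet-replicated replica, and allocation from disjoint RID pools handed out by a single RID Master (the AD model), with uid = UID_BASE + RID mapped locally. UID_BASE, the pool size and the user names are assumed values.

```python
UID_BASE = 10000   # constructed offset: uid = UID_BASE + RID
class RidMaster:
    """Single point of coordination: hands each DC a disjoint RID pool."""
    def __init__(self, pool_size=500, first_rid=1000):
        self.pool_size, self.next_rid = pool_size, first_rid

    def grant_pool(self):
        start = self.next_rid
        self.next_rid += self.pool_size
        return start, self.next_rid - 1

class DC:
    def __init__(self, name):
        self.name, self.users = name, {}    # user -> uid in this replica
        self.pool, self.pool_next = None, 0

    def add_user_max_plus_one(self, user):
        # Naive counter: DCs that have not yet replicated see the same max.
        uid = max(self.users.values(), default=UID_BASE) + 1
        self.users[user] = uid
        return uid

    def add_user_from_rid_pool(self, user, master):
        # Allocate from the DC's private pool; no cross-DC lock is needed.
        if self.pool is None or self.pool_next > self.pool[1]:
            self.pool = master.grant_pool()
            self.pool_next = self.pool[0]
        rid, self.pool_next = self.pool_next, self.pool_next + 1
        self.users[user] = UID_BASE + rid
        return self.users[user]

def replicate(a, b):
    """Union of both replicas; each user keeps the uid it was created with."""
    merged = {**a.users, **b.users}
    a.users, b.users = dict(merged), dict(merged)

def simulate(strategy, rounds=3, per_round=2):
    """Add users on both DCs between replications; return (users, duplicate uids)."""
    master, dc1, dc2, n = RidMaster(), DC("dc1"), DC("dc2"), 0
    for _ in range(rounds):
        for dc in (dc1, dc2):
            for _ in range(per_round):
                n += 1
                if strategy == "max+1":
                    dc.add_user_max_plus_one(f"user{n}")
                else:
                    dc.add_user_from_rid_pool(f"user{n}", master)
        replicate(dc1, dc2)
    uids = list(dc1.users.values())
    return len(uids), len(uids) - len(set(uids))
```

With the defaults, the counter strategy ends with 12 users sharing only 6 distinct uids, while the pool strategy gives 12 distinct uids without any cross-DC transaction.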
