s4: new classicupgrade and uids

Sergey Urushkin urushkin at telros.ru
Fri Jun 22 01:09:30 MDT 2012


21.06.2012 19:09, steve wrote:
> On 06/21/2012 02:43 PM, Sergey Urushkin wrote:
>> Hi!
>> I've just made a test upgrade from s3 with the new uid/gid migration
>> feature and I have some questions:
>> 1. Computer accounts have objectclass: posixAccount and uidNumber
>> attributes. What is it for? As far as I know unix computer accounts are
>> needed only for s3 dc, that we can join Linux clients to those
>> attributes so am I right? If so, then computer accounts should
>> be excluded somehow.
> Hi
> We use those attributes so that we can join Linux clients to the
> domain and users can login with them without having to use winbind.
But how can a computer's uidNumber attribute help us with this... Joining
works without computer posix accounts. ldapd, sss, nss_ldap don't need
computer accounts. We can also export computer creds into a keytab without
the posixAccount objectclass. Uids are only needed for owning files and nss
info, and I don't see any reason to support setting a computer as an owner
and logging in as a computer (at least by default).
>> 2. 'Administrator' hasn't got a uidNumber (while it had one in
>> openldap), so it makes me map it manually. Is it a bug or a feature?
Here, it seems that the "Guest" account is also affected.
>> 3. To be able to manage users' uid, gid, etc. through dsa.msc we
>> need to add a NIS domain to AD, and then add some attributes to
>> accounts/groups. Why not add the NIS domain (it's a simple ldif) to the
>> config while provisioning (named as the workgroup by default, and also have
>> a provision/classicupgrade option to change the name) and then
>> additionally modify users like this:
>> changetype: modify
>> replace: msSFU30NisDomain
>> msSFU30NisDomain: $NISDOMAIN
>> -
>> replace: msSFU30Name
>> msSFU30Name: $USER
>> and groups like this:
>> changetype: modify
>> replace: msSFU30NisDomain
>> msSFU30NisDomain: $NISDOMAIN
>> -
>> replace: msSFU30Name
>> msSFU30Name: $GROUP
>> Thanks.
> We made a simple script to do this without changing the schema. We
> manage most of the domain from the s4DC and rarely touch ADUC. 
But we still don't have something like 'samba-tool user unix ...' and
'samba-tool domain nis ...', and all management of unix attribs is done
with external tools (the one you suggested; I have one too).
The schema modification I made works and replicates well (I've been using it
for tests for more than half a year), so I don't see any actual reason
not to just implement it. In summary, to begin we need one ldif with
2 params (basedn and nis domain), one option to provision/classicupgrade
(--nis-domain), and the user/group provisioning modifications shown above.
I would be glad to make it but my Python is not good; anyway, I'm ready
to help with testing.
> The main reason we don't use winbind is because our unixHomeDirectory
> attributes do not all point at the same directory.
It's a problem for s4 winbind, but s3 winbind works nicely with the rfc2307
schema and respects attributes like uid and unixHomeDirectory.
> The script is here. It has many similarities to your sfu example for
> the most part.
> http://dl.dropbox.com/u/45150875/s4bind.tar.gz
Thanks for the script.

Also, another question appeared:

4. gidNumber for users is not set either. Until it's set we cannot use s3
winbind rfc2307 mode with an s4 dc. Maybe it's also about loginShell,


Best regards,
Sergey Urushkin
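The per-user and per-group part of the proposal in this thread (msSFU30NisDomain and msSFU30Name on users and groups, a missing gidNumber and loginShell filled in on users, computer accounts left without posix attributes), as an added example that is not part of the thread and not Samba's own code. It takes entries as plain dicts of the shape an ldb or LDAP search returns and writes the LDIF; the NIS domain name, the default gidNumber and loginShell, the uid allocation floor and the sample entries are all constructed assumptions. Creating the NIS domain object itself is a separate ldif and is not generated here.

```python
"""Generate the per-user/per-group LDIF proposed in the thread.
Added example, not code from the thread or from Samba. Entries are dicts as
an ldb/LDAP search returns them; NIS domain, default gid/shell and the sample
entries are constructed assumptions."""
import base64

NIS_DOMAIN = "telros"        # assumed; the proposal defaults it to the workgroup
DEFAULT_GID = "20000"        # assumed gidNumber of the domain's primary group
DEFAULT_SHELL = "/bin/bash"  # assumed loginShell when none is set

# Constructed sample entries, as a search over an upgraded s4 DC might return them.
SAMPLE_ENTRIES = [
    {"dn": "CN=jdoe,CN=Users,DC=example,DC=com",
     "objectClass": ["top", "person", "user", "posixAccount"],
     "sAMAccountName": ["jdoe"], "uidNumber": ["10001"]},           # no gidNumber
    {"dn": "CN=Administrator,CN=Users,DC=example,DC=com",
     "objectClass": ["top", "person", "user"],
     "sAMAccountName": ["Administrator"]},                          # no uidNumber at all
    {"dn": "CN=staff,CN=Users,DC=example,DC=com",
     "objectClass": ["top", "group"],
     "sAMAccountName": ["staff"], "gidNumber": ["20001"]},
    {"dn": "CN=WS01,CN=Computers,DC=example,DC=com",
     "objectClass": ["top", "person", "user", "computer", "posixAccount"],
     "sAMAccountName": ["WS01$"], "uidNumber": ["10050"]},          # computer account
]

def classify(entry):
    """Return 'computer', 'user', 'group' or None based on objectClass."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "computer" in classes:          # test first: computers are also 'user'
        return "computer"
    if "user" in classes:
        return "user"
    if "group" in classes:
        return "group"
    return None

def make_uid_allocator(entries, floor=10000):
    """Hand out uidNumbers above every one already present (computers included,
    so nothing collides while their uidNumbers still exist) and above floor."""
    used = [int(v) for e in entries for v in e.get("uidNumber", [])]
    state = {"next": max(used + [floor]) + 1}
    def allocate():
        uid = state["next"]
        state["next"] += 1
        return uid
    return allocate

def plan_changes(entry, nis_domain=NIS_DOMAIN, default_gid=DEFAULT_GID,
                 default_shell=DEFAULT_SHELL, allocate_uid=None):
    """(op, attribute, value) modifications for one entry. Computers get none,
    following the thread's argument that they need no posix identity; users get
    the SFU attributes plus missing gidNumber/loginShell/uidNumber; groups get
    only the SFU attributes."""
    kind = classify(entry)
    if kind in (None, "computer"):
        return []
    name = entry["sAMAccountName"][0]
    changes = [("replace", "msSFU30NisDomain", nis_domain),
               ("replace", "msSFU30Name", name)]
    if kind == "user":
        if not entry.get("gidNumber"):
            changes.append(("replace", "gidNumber", default_gid))
        if not entry.get("loginShell"):
            changes.append(("replace", "loginShell", default_shell))
        if not entry.get("uidNumber") and allocate_uid is not None:
            changes.append(("replace", "uidNumber", str(allocate_uid())))
    return changes

def ldif_line(attr, value):
    """One 'attr: value' line; values that are not LDIF-safe go out base64-encoded."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def to_ldif(dn, changes):
    """Render one 'changetype: modify' record in the form used in the thread."""
    if not changes:
        return ""
    lines = [ldif_line("dn", dn), "changetype: modify"]
    for i, (op, attr, value) in enumerate(changes):
        if i:
            lines.append("-")           # separator between modifications
        lines.append(f"{op}: {attr}")
        lines.append(ldif_line(attr, value))
    return "\n".join(lines) + "\n\n"

def build_ldif(entries, nis_domain=NIS_DOMAIN, default_gid=DEFAULT_GID):
    """Return (ldif_text, dns_left_untouched) for a list of entries."""
    allocate = make_uid_allocator(entries)
    records, skipped = [], []
    for entry in entries:
        changes = plan_changes(entry, nis_domain, default_gid, allocate_uid=allocate)
        if changes:
            records.append(to_ldif(entry["dn"], changes))
        else:
            skipped.append(entry["dn"])
    return "".join(records), skipped

if __name__ == "__main__":
    text, skipped = build_ldif(SAMPLE_ENTRIES)
    print(text, end="")
    print("# left untouched:", ", ".join(skipped))
```

The output is a plain modify LDIF that can be fed to ldbmodify -H against the DC's sam.ldb (or to ldapmodify against the LDAP port). Existing uidNumber values are never overwritten, only accounts without one get a fresh number, and the allocator counts the computer accounts' uidNumbers too, so a freshly allocated uid cannot collide with one of them while they are still in the directory.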

More information about the samba-technical mailing list