Samba4: ID mapping is hard

Matthias Dieter Wallnöfer mdw at
Sun Mar 25 15:42:30 MDT 2012


In my personal "master" branch you can find the necessary changes ready
for review. Also the "dn" branch has been finished as well.


Andrew Bartlett wrote:
> On Sun, 2012-03-25 at 09:46 +0200, steve wrote:
>> On 24/03/12 01:20, Andrew Bartlett wrote:
>>> On Fri, 2012-03-23 at 23:54 +0100, steve wrote:
>>>> What is working well for us in tests is giving Domain Users a uid, gid,
>>>> setting their primaryGroupID to that of a posix-ified security group and
>>>> storing these attributes in their entry in sam.ldb. The only problem I
>>>> have with this is that adding the posixGroup objectClass to a security
>>>> group removes the ability to be able to list its members in ADUC and it
>>>> is really unfortunate that I can't test this against a windows server.
>>>> Because I don't have one.
>>> Trial copies of Windows are available for download:
>> There is already a bugzilla which confirms that s4 does not handle the
>> posixGroup attribute correctly. Adding the posixGroup attribute on a ms
>> 2008 server works correctly. The membership tabs under ADUC appear
>> correctly.
>> Please see:
>> comment 43 onwards.
> Steve,
> It would be most helpful if you could:
>   - file a new bug with a clear description of only the objectClass
> ordering issue
>   - determine how the objectclass ordering algorithm works on Windows to
> allow this auxiliary class to be added.  The WSPP documentation may be
> of assistance here. MS-ADTS in particular:
>   - provide a patch to source4/dsdb/tests/python/ to demonstrate
> the correct objectClass ordering behaviour
>   - provide a patch to source4/dsdb/samdb/ldb_modules/sobjectclass_sort.c
> to implement the correct sorting.
> Only this process will get this issue fixed.
> I've CC'ed Matthias, who has worked on many of our LDAP behaviour issues
> in the past, and who may be able to provide some further assistance, as
> I'm currently too far stuck in IDMAP for s3fs to try and take this on in
> the near future.
> Thanks,
> Andrew Bartlett