Patch submission version 4

Rowland Penny repenny241155 at
Sun Dec 1 14:36:10 MST 2013

On 01/12/13 20:51, Andrew Bartlett wrote:
> On Wed, 2013-10-09 at 11:35 +0100, Rowland Penny wrote:
>> HI, I will say this once again, anything Samba does to the AD database
>> should match what Windows does.
>> Windows does NOT add either the 'posixAccount' or 'posixGroup'
>> attributes so Stephanes patch should not add this line:
>> +            ldbmessage2["objectClass"] =
>> ldb.MessageElement('posixGroup', ldb.FLAG_MOD_ADD, 'objectClass')
>> it should be removing this line:
>>                ldbmessage2["objectClass"] =
>> ldb.MessageElement('posixAccount', ldb.FLAG_MOD_ADD, 'objectClass')
> For the time-being, I'm going to accept being consistent with the
> existing code over making this change to the old code, in a patch series
> that is adding new functionality.
> Andrew Bartlett
Just because something was created wrong in the first place is not a 
good reason for continuing the error, all I am asking is that the 
totally un-needed posix objectclasses are removed from samba-tool.

posixAccount and posixShadow are both auxillaries of the 'users' 
objectclass, posixGroup is the auxillary of the 'group' objectclass. 
What this means is that the 'user' & 'group' objectclasses inherit all 
the attributes from the posix objectclasses, this is why windows does 
not add the objectclasses 'posixAccount' & 'posixGroup'.

You would not even need any tests for the removal of these 
objectclasses, I mean how do you test for something that should not be 
there, if you test for the attributes the posix objectclasses hold, they 
can still be there.

As a last thought, if you insist on allowing the adding of the posix 
objectclasses then you should stop recommending the use of ADUC or any 
windows tools to add users & groups, because no windows tools will add 
the posix objectclasses.


More information about the samba-technical mailing list