Patch submission version 4

Jelmer Vernooij jelmer at
Sun Dec 1 15:59:56 MST 2013

On Sun, Dec 01, 2013 at 09:36:10PM +0000, Rowland Penny wrote:
> On 01/12/13 20:51, Andrew Bartlett wrote:
> >On Wed, 2013-10-09 at 11:35 +0100, Rowland Penny wrote:
> >
> >>Hi, I will say this once again, anything Samba does to the AD database
> >>should match what Windows does.
> >>
> >>Windows does NOT add either the 'posixAccount' or 'posixGroup'
> >>attributes so Stephane's patch should not add this line:
> >>
> >>+            ldbmessage2["objectClass"] =
> >>ldb.MessageElement('posixGroup', ldb.FLAG_MOD_ADD, 'objectClass')
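
Review bot: The added `ldbmessage2["objectClass"]` assignment attaches 'posixGroup' with `ldb.FLAG_MOD_ADD`, and the quoted line shows no condition around it. Confirm it only runs when POSIX attributes were actually requested for the group, and mention in the command's help text that the objectClass is added, since the thread notes that Windows tools do not add it.
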
> >>
> >>it should be removing this line:
> >>
> >>               ldbmessage2["objectClass"] =
> >>ldb.MessageElement('posixAccount', ldb.FLAG_MOD_ADD, 'objectClass')
> >
> >For the time being, I'm going to accept being consistent with the
> >existing code over making this change to the old code, in a patch series
> >that is adding new functionality.

> Just because something was created wrong in the first place is not a
> good reason for continuing the error, all I am asking is that the
> totally unneeded posix objectclasses are removed from samba-tool.
> posixAccount and posixShadow are both auxiliaries of the 'users'
> objectclass, posixGroup is the auxiliary of the 'group' objectclass.
> What this means is that the 'user' & 'group' objectclasses inherit
> all the attributes from the posix objectclasses, this is why Windows
> does not add the objectclasses 'posixAccount' & 'posixGroup'.
> You would not even need any tests for the removal of these
> objectclasses, I mean how do you test for something that should not
> be there, if you test for the attributes the posix objectclasses
> hold, they can still be there.
> As a last thought, if you insist on allowing the adding of the posix
> objectclasses then you should stop recommending the use of ADUC or
> any Windows tools to add users & groups, because no Windows tools
> will add the posix objectclasses.

samba-tool is not the Samba equivalent of ADUC. They have a different
UI. They can both add users and groups to an Active Directory domain
among other things - but they can each also do much, much more that
the other can't.

It makes sense to be consistent with ADUC where that is
reasonable, as more consistency will lead to more predictable
behaviour and thus less confusion for users.

We can consider adding an option (--posix?) that enables the
posixGroup objectClass, and have that option disabled by default.
I don't have a strong opinion about what the default should be.
Addressing that is outside of the scope of Stephane's patch.

There is nothing fundamentally wrong with samba-tool having
the ability to add posix{Account,Group} objectClasses, just like it
can already do so many other things that ADUC can't.



More information about the samba-technical mailing list