Patch submission version 4

Mon Dec 2 01:58:51 MST 2013

On 01/12/13 22:59, Jelmer Vernooij wrote:
> On Sun, Dec 01, 2013 at 09:36:10PM +0000, Rowland Penny wrote:
>> On 01/12/13 20:51, Andrew Bartlett wrote:
>>> On Wed, 2013-10-09 at 11:35 +0100, Rowland Penny wrote:
>>>
>>>> HI, I will say this once again, anything Samba does to the AD database
>>>> should match what Windows does.
>>>>
>>>> Windows does NOT add either the 'posixAccount' or 'posixGroup'
>>>> attributes so Stephanes patch should not add this line:
>>>>
>>>> +            ldbmessage2["objectClass"] =
>>>> ldb.MessageElement('posixGroup', ldb.FLAG_MOD_ADD, 'objectClass')
>>>>
>>>> it should be removing this line:
>>>>
>>>>                ldbmessage2["objectClass"] =
>>>> ldb.MessageElement('posixAccount', ldb.FLAG_MOD_ADD, 'objectClass')
>>> For the time-being, I'm going to accept being consistent with the
>>> existing code over making this change to the old code, in a patch series
>>> that is adding new functionality.
>> Just because something was created wrong in the first place is not a
>> good reason for continuing the error, all I am asking is that the
>> totally un-needed posix objectclasses are removed from samba-tool.
>>
>> posixAccount and posixShadow are both auxillaries of the 'users'
>> objectclass, posixGroup is the auxillary of the 'group' objectclass.
>> What this means is that the 'user' & 'group' objectclasses inherit
>> all the attributes from the posix objectclasses, this is why windows
>> does not add the objectclasses 'posixAccount' & 'posixGroup'.
>>
>> You would not even need any tests for the removal of these
>> objectclasses, I mean how do you test for something that should not
>> be there, if you test for the attributes the posix objectclasses
>> hold, they can still be there.
>>
>> As a last thought, if you insist on allowing the adding of the posix
>> objectclasses then you should stop recommending the use of ADUC or
>> any windows tools to add users & groups, because no windows tools
>> will add the posix objectclasses.
> samba-tool is not the Samba equivalent of ADUC. They have a different
> UI. They can both add users and groups to an Active Directory domain
> among other things - but they can each also do much, much more that
> the other can't.
>
> It makes sense to be consistent with ADUC where that is
> reasonable, as more consistency will lead to more predictable
> behaviour and thus less confusion for users.
>
> We can consider adding an option (--posix?) that enables the
> the posixGroup objectClass, and have that option disabled by default.
> I don't have a strong opinion about what the default should be.
> Addressing that is outside of the scope of Stephane's patch.
>
> There is nothing fundamentally wrong with samba-tool having
> the ability to add posix{Account,Group} objectClasses, just like it
> can already do so many other things that ADUC can't.
Why would you need the posix objectClasses?
I was of the opinion that the whole idea behind Samba 4 was to create a 
clone of a windows AD server. If this is correct then the samba tools 
should work basically in the same way as ADUC.

Let us take the case of a site that uses both Linux and windows users 
and has two admins, Bill & Ben. Bill always uses Linux to administrate 
the domain, Ben always uses ADUC.
Bill sets up the Linux part and creates all the Linux users with 
samba-tool and they can connect to the domain.
Everything goes great until Bill is away from work and Ben has to create 
a group of linux users, he of course uses ADUC, Ben is then called away 
and when he comes back, he finds that non of the new Linux users he 
created can log into any Linux machines. This is traced to the fact that 
when Bill set up the Linux machines, he relied on the posix 
objectClasses that samba-tool adds and ADUC doesn't.

The cure? set the Linux machine to connect as if they were connecting to 
a Windows AD server (which samba4 is supposed to be) and then it would 
not matter if you used samba-tool or ADUC to create users, but if you do 
this, then samba-tool wouldn't need to add the posix objectClasses would it?

Rowland
>
> Cheers,
>
> Jelmer