Winbind/Samba RFC2307 Roadmap

Colin Simpson Colin.Simpson at iongeo.com
Tue Mar 12 06:31:09 MDT 2013


Hi

I was just wondering if there was a roadmap on how rfc2307 and I guess
how Unix clients in general were planned to be handled in a Winbind
Samba setup. It seems (from an outside perspective) that there is no
clear direction (to users) as to the preferred way these should be dealt
with.

I mean at provisioning the RFC2307 attributes aren't enabled by default
(which is maybe understandable as the target is domain level 2003 and
this wasn't true until 2003R2) but not helpful for Unix clients (better
if it was 2003R2 but not sure of the other side effects this would
introduce).

Also by default no reverse DNS zone is created by the provisioning
process (can't remember if an AD forest does this by default, I think it
might) and this is often required for Linux Kerberized services to work
(SSH being the obvious one).

Additionally, last time I tried I noticed the add user commands don't seem
to be able to add Unix attributes, which means people have hand rolled
their own, and some of these scripts do things that Windows AD doesn't
for Unix users and groups, for example setting objectClass
"posixAccount" and "posixGroup"; this won't interop easily with a Windows
DC, I'd imagine.

Even though Windows uses RFC2307 it isn't pure RFC2307 (it's been a
while since I set up a clean AD forest); Windows seems to basically put
the RFC2307 attributes into the standard AD objectClass "Person" and
objectClass "group". I'd have thought Samba 4's user adding should allow
adding RFC2307 attributes, and should add them the same way that AD
Users and Computers does, to existing user and group objects. Maybe I'm
behind the times on this one and this is fixed.

My bugbear I've seen is that the default group in Winbind (even setting
everything to use RFC2307) is to use the Windows default group. This
makes total sense in a mapped UID/GID world but makes less sense in an RFC2307
world where the GID is specified as gidNumber for the user's account
(but ignored by Winbind) and there is no way to configure this. This has bug ID
#8694.

Another minor thing I noticed is that Winbind also doesn't by default
obtain a TGT; this should surely now be the default in an S4 context.

Is the eventual aim to encourage people to use RFC2307 attributes in
preference to generated or mapped UID/GIDs?

It seems like with the arrival of Samba 4 there exists the
capability to be a first class cross platform directory service (like AD
itself is, to be honest, except it only runs on Windows) but it isn't so
easy at the moment to use as a Unix directory.

I know it's early days on Samba 4 (and what an achievement) and I really
don't mean to complain at all, I just want to get some insight into the
Winbind plan (I know there are currently two so maybe that is where all
this is being thought of in a merge).

Also, to try to see if there is direction to make Samba 4's Unix
behaviour more like pure AD (strange to say, I know) and achieve a
level of standardisation across installs worldwide?

Also I don't know how Samba 4, say, interoperates with SSSD (rfc2307); has
it been tried?

Thanks for any information and for all the great work up to now!

Colin
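The primary group mismatch described in the post (bug #8694), modelled as an added example that is not part of the original message or of Samba's code: AD keeps the RFC2307 attributes on the ordinary user and group objects (no posixAccount), Winbind's default derives the Unix primary group from primaryGroupID, and an RFC2307 consumer reads gidNumber instead. All entries, SIDs, IDs and the RID-based idmap stand-in are constructed for illustration.

```python
# Added example, not from the original post. Models how a Unix identity for an
# AD user is derived under Winbind's default (primaryGroupID -> mapped GID)
# versus RFC2307 (uidNumber/gidNumber on the AD user object). Every value
# below is constructed; the mapping function stands in for an idmap backend.

DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # constructed domain SID
ID_MAP_BASE = 10000                        # constructed idmap range start

# AD-style objects: RFC2307 attributes sit on the normal user/group classes.
USERS = {
    "colin": {"objectClass": ["top", "person", "user"],
              "objectSid": DOMAIN_SID + "-1105", "primaryGroupID": 513,
              "uidNumber": 5001, "gidNumber": 6001},
}
GROUPS = {
    DOMAIN_SID + "-513":  {"cn": "Domain Users", "gidNumber": None},
    DOMAIN_SID + "-1201": {"cn": "unixusers",    "gidNumber": 6001},
}

def rid(sid):
    """Relative identifier: the last component of a SID."""
    return int(sid.rsplit("-", 1)[1])

def mapped_gid(group_sid):
    """Stand-in for an allocating idmap backend (deterministic, RID-based)."""
    return ID_MAP_BASE + rid(group_sid)

def primary_group_sid(user):
    """AD primary group SID = domain SID + primaryGroupID (a RID)."""
    return f"{DOMAIN_SID}-{user['primaryGroupID']}"

def winbind_default_identity(user):
    """Behaviour the post describes: the Windows primary group wins for GID."""
    return user["uidNumber"], mapped_gid(primary_group_sid(user))

def rfc2307_identity(user):
    """What a pure RFC2307 consumer expects: gidNumber stored on the account."""
    return user["uidNumber"], user["gidNumber"]

def primary_group_mismatches(users):
    """Report accounts whose Unix primary GID differs between the two views."""
    out = {}
    for name, u in users.items():
        w_gid, r_gid = winbind_default_identity(u)[1], rfc2307_identity(u)[1]
        if w_gid != r_gid:
            out[name] = {"winbind_gid": w_gid, "gidNumber": r_gid,
                         "windows_primary_group":
                             GROUPS[primary_group_sid(u)]["cn"]}
    return out
```

Running `primary_group_mismatches(USERS)` over a real export would list every account whose shell sessions land in the mapped "Domain Users" GID rather than the gidNumber the directory administrator set.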

