Winbind/Samba RFC2307 Roadmap

Gémes Géza geza at kzsdabas.hu
Tue Mar 12 12:47:44 MDT 2013


Hi,
> On Tue, 2013-03-12 at 09:30 -0400, David Mansfield wrote:
>>> Even though Windows uses RFC2307 it isn't pure RFC2307, (it's been a
>>> while since I set up a clean AD forest) Windows seems to basically put
>>> the RFC2307 attributes into the standard AD objectClass "Person" and
>>> objectClass "group". I'd have thought Samba 4's useradding should allow
>>> adding RFC2307 attributes, and should add them the same way that AD
>>> Users and Computers does, to existing user and group objects. Maybe I'm
>>> behind the times on this one and this is fixed.
>> Unless one has Windows Server installed, you cannot install the RFC2307
>> extensions to "User and Computers" into windows afaik (that tab is
>> missing from the interface and cannot be installed using the freely
>> available downloads).  So from the Windows AD management tool you cannot
>> manage the RFC2307 attributes either.  This is my experience using Win
>> XP Pro with the AD management console.
> The "Unix Attributes" tab is present in Windows 7 AD if you add in
> "Server for NIS Tools". See:
>
> http://blogs.technet.com/b/askds/archive/2010/05/14/friday-mail-sack-it-s-about-to-get-real-edition.aspx
>
> Sadly it's greyed out unless a NIS name is set in the domain, there was
> a patch to fake it in Samba 4 to allow the dialog to appear but not sure
> if it ever made it? Discussed here:
If you provision with --use-rfc2307 or do a classicupgrade (where it is
enabled by default) you automatically get a "NIS" domain which equals
your workgroup name in lowercase.
>
> http://samba.2283325.n4.nabble.com/Samba4-patch-for-manipulating-Unix-attributes-via-ADUC-td4634434.html
>
> Hopefully any standard Winbind config or a suitable shipped samba tool
> to manipulate these should use/replicate what ADUC tool does with Unix
> Attributes.
>
>>> My bugbear I've seen, is that the default group in Winbind (even setting
>>> everything to use RFC2307) is to use the Windows default group. This
>>> makes total sense in a mapped UID/GID but makes less sense in a RFC2307
>>> world where the GID is specified as gidNumber for the user's account
>>> (but ignored by Winbind) and no way to configure this. This has a bug ID
>>> #8694.
>>>
>>> Another minor thing I noticed is that Winbind also doesn't by default
>>> obtain a TGT, this should surely now be the default in a S4 context.
>> I think tweaking /etc/security/pam_winbind.conf can get the TGT working
>> fine.
> Yup, I just think this should be the default nowadays.
>
>>> Also to try to see if there is direction to make Samba 4's Unix
>>> behaviour be more like pure AD (strange to say I know) and achieve a
>>> level of standardisation across installs worldwide?
>>>
>>> Also I don't know how Samba 4 say interoperates with SSSD (rfc2307), has
>>> it been tried?
>>>
>>> Thanks for any information and for all the great work up to now!
>>>
>>>
>> I'm also not complaining!  I'm excited about the direction s4 will take,
>> and will contribute as possible but I also think understanding (or
>> planning) the future direction of s4/unix interaction is necessary.
>>
> Glad it's not just me...
>
> Thanks
>
> Colin
>
>
Regards

Geza Gemes
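The primary-group issue raised in the quoted thread (winbind uses the Windows primary group, while the user's own gidNumber is ignored; bug 8694) can be audited offline from an LDIF export. The following is an added example, not code from the thread or from Samba: it parses a constructed LDIF export (made-up domain SID, names and id numbers) and lists users whose gidNumber disagrees with the gidNumber of the group named by their primaryGroupID, i.e. exactly the accounts whose Unix group would differ between winbind's behaviour and a pure RFC2307 reading.

```python
# Constructed sample LDIF export (not from a real domain): two groups, two users.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=lan
objectClass: group
objectSid: S-1-5-21-1-2-3-513
gidNumber: 10000

dn: CN=developers,CN=Users,DC=example,DC=lan
objectClass: group
objectSid: S-1-5-21-1-2-3-1105
gidNumber: 10002

dn: CN=alice,CN=Users,DC=example,DC=lan
objectClass: user
sAMAccountName: alice
primaryGroupID: 513
gidNumber: 10002

dn: CN=bob,CN=Users,DC=example,DC=lan
objectClass: user
sAMAccountName: bob
primaryGroupID: 513
gidNumber: 10000
"""

def parse_ldif(text):
    """Minimal LDIF parser (no base64 or folded lines): list of {attr: [values]}."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():          # a blank line ends the current record
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    return entries

def find_primary_group_mismatches(ldif_text):
    """Users whose RFC2307 gidNumber differs from their Windows primary group's gidNumber
    (the one winbind uses, per the thread); primaryGroupID is a RID = last SID component."""
    entries = parse_ldif(ldif_text)
    rid_to_gid = {e["objectSid"][0].rsplit("-", 1)[1]: int(e["gidNumber"][0])
                  for e in entries if "group" in e.get("objectClass", [])}
    mismatches = {}
    for e in (x for x in entries if "user" in x.get("objectClass", [])):
        winbind_gid = rid_to_gid.get(e["primaryGroupID"][0])  # None if RID has no group
        if winbind_gid != int(e["gidNumber"][0]):
            mismatches[e["sAMAccountName"][0]] = (int(e["gidNumber"][0]), winbind_gid)
    return mismatches
```

On a real domain the input would be an export of user and group objects with their objectSid, primaryGroupID and gidNumber attributes; the result maps each affected account to (rfc2307 gid, winbind gid).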