samba-tool posix user/group improvements
Andrew Bartlett
abartlet at samba.org
Wed Oct 9 13:29:47 MDT 2013
On Wed, 2013-10-09 at 11:35 +0100, Rowland Penny wrote:
> HI, I will say this once again, anything Samba does to the AD database
> should match what Windows does.
>
> Windows does NOT add either the 'posixAccount' or 'posixGroup'
> attributes so Stephanes patch should not add this line:
>
> + ldbmessage2["objectClass"] =
> ldb.MessageElement('posixGroup', ldb.FLAG_MOD_ADD, 'objectClass')
>
> it should be removing this line:
>
> ldbmessage2["objectClass"] =
> ldb.MessageElement('posixAccount', ldb.FLAG_MOD_ADD, 'objectClass')
This is a distinct issue from the rest of the patch, because this patch
follows the pattern already established. Adding these values improves
compatibility with LDAP clients, because many do (correctly) filter on
this objectclass.
The reason this is set on posixAccount is that, as I read the schema,
otherwise you simply can't set for example gecos or loginShell on the
account. Have you tested your proposed modification and shown that
everything sill works?
Samba certainly shouldn't require the posixAccount or posixGroup
attributes to get uid and gid values, and we fixed that up in the
idmap_ldb:use rfc2307 code a while back, but adding these seems
beneficial for a number of use cases.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical
mailing list