samba-tool posix user/group improvements

Andrew Bartlett abartlet at
Wed Oct 9 13:29:47 MDT 2013

On Wed, 2013-10-09 at 11:35 +0100, Rowland Penny wrote:

> Hi, I will say this once again, anything Samba does to the AD database 
> should match what Windows does.
> Windows does NOT add either the 'posixAccount' or 'posixGroup' 
> attributes so Stephane's patch should not add this line:
> +            ldbmessage2["objectClass"] = 
> ldb.MessageElement('posixGroup', ldb.FLAG_MOD_ADD, 'objectClass')
> it should be removing this line:
>               ldbmessage2["objectClass"] = 
> ldb.MessageElement('posixAccount', ldb.FLAG_MOD_ADD, 'objectClass')

This is a distinct issue from the rest of the patch, because this patch
follows the pattern already established.  Adding these values improves
compatibility with LDAP clients, because many do (correctly) filter on
this objectclass. 

The reason this is set on posixAccount is that, as I read the schema,
otherwise you simply can't set for example gecos or loginShell on the
account.  Have you tested your proposed modification and shown that
everything still works?

Samba certainly shouldn't require the posixAccount or posixGroup
attributes to get uid and gid values, and we fixed that up in the
idmap_ldb:use rfc2307 code a while back, but adding these seems
beneficial for a number of use cases.


Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 

More information about the samba-technical mailing list