[PATCH] samba-tool group add: set gidNumber or look up in NSS

Alfred Klomp alfred at 1afa.com
Tue Jul 8 04:51:16 MDT 2014


This patch adds the --gid-number and --rfc2307-from-nss options to 
'samba-tool group add'. An admin can specify a Unix group ID on the 
commandline manually, or request a lookup through NSS based on the 
group's name. Using either one will add a 'gidNumber' property and an 
'objectClass' of 'posixGroup' to the ldb transaction.

This patch is essentially the same as commit bfdaaf23 discussed here, 
but for groups instead of users:


Could I please request a review for this patch?

Kind regards,
--Alfred Klomp

Bokxing IT
Elektronicaweg 14a
2628 XG Delft
T: 088-00 164 00
F: 015-25 609 77
support at bokxing-it.nl
KvK: 27194486
-------------- next part --------------
>From 242492049e9cdbbcc3bf55ddd81103e6e5891d66 Mon Sep 17 00:00:00 2001
From: Alfred Klomp <alfred at 1afa.com>
Date: Thu, 3 Jul 2014 12:39:09 +0200
Subject: [PATCH] Set RFC2307 GID attribute in samba-tool group add

See also commit bfdaaf23; this is the same thing, but for group IDs.

Add an option for 'group add' to either fetch the gidNumber from NSS based on
the group name, or specify the gidNumber directly on the command line. The group
will be created with a 'gidNumber' entry, and will get an additional objectClass
of 'posixGroup'.
 python/samba/netcmd/group.py | 18 ++++++++++++++++--
 python/samba/samdb.py        | 12 +++++++++++-
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/python/samba/netcmd/group.py b/python/samba/netcmd/group.py
index 1a24e5f..cad1ae7 100644
--- a/python/samba/netcmd/group.py
+++ b/python/samba/netcmd/group.py
@@ -20,6 +20,7 @@
 import samba.getopt as options
 from samba.netcmd import Command, SuperCommand, CommandError, Option
 import ldb
+import grp
 from samba.ndr import ndr_unpack
 from samba.dcerpc import security
@@ -58,6 +59,8 @@ Groups are located in domains in organizational units (OUs).  The group's scope
 The group location (OU), type (security or distribution) and scope may all be specified on the samba-tool command when the group is created.
+A Unix (RFC2307) GID attribute may be added to the group from a NSS lookup. The GID is obtained from NSS on the local machine. An explicitly given GID overrides the value obtained from NSS.
 The command may be run from the root userid or another authorized userid.  The
 -H or --URL= option can be used to execute the command on a remote server.
@@ -93,19 +96,29 @@ Example2 adds a new distribution group to the local server.  The command is run
         Option("--description", help="Group's description", type=str),
         Option("--mail-address", help="Group's email address", type=str),
         Option("--notes", help="Groups's notes", type=str),
+        Option("--rfc2307-from-nss",
+            help="Fetch group's numeric Unix GID from NSS (will be overridden by explicit GID)",
+            action="store_true"),
+        Option("--gid-number", help="Group's Unix/RFC2307 numeric GID", type=int),
     takes_args = ["groupname"]
     def run(self, groupname, credopts=None, sambaopts=None,
             versionopts=None, H=None, groupou=None, group_scope=None,
-            group_type=None, description=None, mail_address=None, notes=None):
+            group_type=None, description=None, mail_address=None, notes=None,
+            rfc2307_from_nss=False, gid=None, gid_number=None):
         if (group_type or "Security") == "Security":
             gtype = security_group.get(group_scope, GTYPE_SECURITY_GLOBAL_GROUP)
             gtype = distribution_group.get(group_scope, GTYPE_DISTRIBUTION_GLOBAL_GROUP)
+        if rfc2307_from_nss:
+            grpent = grp.getgrnam(groupname)
+            if gid_number is None:
+                gid_number = grpent[2]
         lp = sambaopts.get_loadparm()
         creds = credopts.get_credentials(lp, fallback_machine=True)
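Review bot: `grp.getgrnam(groupname)` raises KeyError when the name is missing from the local NSS database, and the call sits before the `try` that wraps errors in CommandError, so the admin gets a traceback. It also runs when `--gid-number` is given, so a missing NSS entry aborts the command even though the looked-up value would be discarded. The fence below does the lookup only when no explicit GID was passed, converts the KeyError, and rejects negative values, which `type=int` currently lets through to the directory write. The `gid=None` parameter added to `run` has no matching option in the visible lines and is never read. The lookup uses the NSS of the machine running samba-tool, so with `-H` against a remote server the stored GID may differ from what domain members resolve; the help text should say so (the body of `run` continues past this hunk).

```python
        # … unchanged: gtype selection …
        if rfc2307_from_nss and gid_number is None:
            try:
                gid_number = grp.getgrnam(groupname).gr_gid
            except KeyError:
                raise CommandError('Group "%s" not found in NSS' % groupname)
        if gid_number is not None and gid_number < 0:
            raise CommandError('Invalid GID number %d' % gid_number)
```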
@@ -113,7 +126,8 @@ Example2 adds a new distribution group to the local server.  The command is run
             samdb = SamDB(url=H, session_info=system_session(),
                           credentials=creds, lp=lp)
             samdb.newgroup(groupname, groupou=groupou, grouptype = gtype,
-                          description=description, mailaddress=mail_address, notes=notes)
+                          description=description, mailaddress=mail_address, notes=notes,
+                          gidnumber=gid_number)
         except Exception, e:
             # FIXME: catch more specific exception
             raise CommandError('Failed to create group "%s"' % groupname, e)
diff --git a/python/samba/samdb.py b/python/samba/samdb.py
index 2dfc839..d223ab8 100644
--- a/python/samba/samdb.py
+++ b/python/samba/samdb.py
@@ -169,7 +169,7 @@ pwdLastSet: 0
     def newgroup(self, groupname, groupou=None, grouptype=None,
-                 description=None, mailaddress=None, notes=None, sd=None):
+                 description=None, mailaddress=None, notes=None, sd=None, gidnumber=None):
         """Adds a new group with additional parameters
         :param groupname: Name of the new group
@@ -178,6 +178,7 @@ pwdLastSet: 0
         :param mailaddress: Email address of the new group
         :param notes: Notes of the new group
         :param sd: security descriptor of the object
+        :param gidnumber: RFC2307 Unix GID of the new group
         group_dn = "CN=%s,%s,%s" % (groupname, (groupou or "CN=Users"), self.domain_dn())
@@ -203,7 +204,16 @@ pwdLastSet: 0
         if sd is not None:
             ldbmessage["nTSecurityDescriptor"] = ndr_pack(sd)
+        ldbmessage2 = None
+        if gidnumber is not None:
+            ldbmessage2 = ldb.Message()
+            ldbmessage2.dn = ldb.Dn(self, group_dn)
+            ldbmessage2["objectClass"] = ldb.MessageElement('posixGroup', ldb.FLAG_MOD_ADD, 'objectClass')
+            ldbmessage2["gidNumber"] = ldb.MessageElement(str(gidnumber), ldb.FLAG_MOD_REPLACE, 'gidNumber')
+        if ldbmessage2:
+            self.modify(ldbmessage2)
     def deletegroup(self, groupname):
         """Deletes a group
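Review bot: The posixGroup/gidNumber change is sent as a second `self.modify(ldbmessage2)` instead of being part of the group's initial message. If that modify is rejected, for example because the RFC2307 attributes are not accepted, the group is presumably left in the directory without its GID while the caller only sees an exception. The add call is not visible in the hunk as shown, so this is inferred; if the two are separate operations, wrap them in one transaction as in the fence below. `if ldbmessage2:` relies on the truthiness of an ldb.Message, and `if ldbmessage2 is not None:` states the intent directly. `newgroup` starts outside this hunk and writes `str(gidnumber)` without any check, so the new `:param gidnumber:` line should state that a non-negative integer is expected.

```python
        self.transaction_start()
        try:
            # … unchanged: the existing add of ldbmessage (not shown in the hunk) …
            if ldbmessage2 is not None:
                self.modify(ldbmessage2)
        except:
            self.transaction_cancel()
            raise
        else:
            self.transaction_commit()
```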
