[PATCH] Supplement nss info gecos from displayName

Jakub Hrozek jhrozek at redhat.com
Tue Jul 28 08:20:38 UTC 2015


On Tue, Jul 28, 2015 at 07:25:49AM +0300, Alexander Bokovoy wrote:
> On Mon, 27 Jul 2015, Rowland Penny wrote:
> > On 27/07/15 21:11, Ralph Böhme wrote:
> > >On Mon, Jul 27, 2015 at 06:30:51PM +0100, Rowland Penny wrote:
> > >>On 27/07/15 18:12, Ralph Böhme wrote:
> > >>>Attached is a small patchset that tries to address a shortcoming in
> > >>>winbind pulling gecos information from AD.
> > >>>
> > >>>Either winbind nss info sfu, sfu20 and rfc2307 will end up querying
> > >>>the gecos attribute, which will be empty in most cases, as neither
> > >>>Samba AD nor Windows with IDMU assigns a value to it by default.
> > >>>
> > >>>As a result Samba servers pulling nss info via winbind will show empty
> > >>>gecos fields. Wouldn't it make sense to pull the gecos info from
> > >>>another attribute like displayName in case gecos is empty?
> > >>>
> > >>>Review & comments appreciated. Thanks!
> > >>>
> > >>>-Ralph
> > >>>
> > >>er, you do realise that if you create a user with samba-tool
> > >>'samba-tool user create username' you do not get a displayName
> > >>attribute either,
> > >yes, but using MS tools will.
> > >
> > >>so what are your plans to fall back to ?
> > >That's not the point.
> > >
> > >>Or to put it another way, you cannot presume the displayName
> > >>attribute will be populated either, so why bother ?
> > >Because when using MS tools gecos will always be empty while
> > >displayName will contain something. For Samba users in an MS AD
> > >environment that makes a difference I guess.
> > >
> > >Cheerio!
> > >-Ralph
> > 
> > Hi Ralph, I think you are missing the point :-)
> > 
> > You cannot be sure that displayName will be populated, so if you want
> > 'gecos' to seemingly contain something, you need to either patch 'samba-tool
> > user create' to refuse to create the user unless the user's first and last
> > names are also given i.e. just like windows, or test if gecos is empty, if
> > so, use displayName contents and if this is also empty, fall back to
> > samaccountname.
> Well, in case of SSSD we synthesize it from 'cn' (which couldn't be
> missing). I'd prefer a common behavior here but otherwise I agree with
> you.

According to the commit message in SSSD, that's compliant with
section 5.3 of RFC 2307 which states:

An account's GECOS field is preferably determined by a value of the
gecos attribute. If no gecos attribute exists, the value of the cn
attribute MUST be used. (The existence of the gecos attribute allows
information embedded in the GECOS field, such as a user's telephone
number, to be returned to the client without overloading the cn
attribute. It also accommodates directories where the common name
does not contain the user's full name.) 


