[PATCH] Supplement nss info gecos from displayName

Ralph Böhme rb at sernet.de
Tue Jul 28 08:54:30 UTC 2015


On Tue, Jul 28, 2015 at 10:20:38AM +0200, Jakub Hrozek wrote:
> On Tue, Jul 28, 2015 at 07:25:49AM +0300, Alexander Bokovoy wrote:
> > On Mon, 27 Jul 2015, Rowland Penny wrote:
> > > On 27/07/15 21:11, Ralph Böhme wrote:
> > > >On Mon, Jul 27, 2015 at 06:30:51PM +0100, Rowland Penny wrote:
> > > >>On 27/07/15 18:12, Ralph Böhme wrote:
> > > >>>Attached is a small patchset that tries to address a shortcoming in
> > > >>>winbind pulling gecos information from AD.
> > > >>>
> > > >>>Either winbind nss info sfu, sfu20 and rfc2307 will end up querying
> > > >>>the gecos attribute, which will be empty in most cases, as neither
> > > >>>Samba AD nor Windows with IDMU assigns a value to it by default.
> > > >>>
> > > >>>As a result Samba servers pulling nss info via winbind will show empty
> > > >>>gecos fields. Wouldn't it make sense to pull the gecos info from
> > > >>>another attribute like displayName in case gecos is empty?
> > > >>>
> > > >>>Review & comments appreciated. Thanks!
> > > >>>
> > > >>>-Ralph
> > > >>>
> > > >>er, you do realise that if you create a user with samba-tool
> > > >>'samba-tool user create username' you do not get a displayName
> > > >>attribute either,
> > > >yes, but using MS tools will.
> > > >
> > > >>so what are your plans to fall back to?
> > > >That's not the point.
> > > >
> > > >>Or to put it another way, you cannot presume the displayName
> > > >>attribute will be populated either, so why bother?
> > > >Because when using MS tools gecos will always be empty while
> > > >displayName will contain something. For Samba users in an MS AD
> > > >environment that makes a difference I guess.
> > > >
> > > >Cheerio!
> > > >-Ralph
> > > 
> > > Hi Ralph, I think you are missing the point :-)
> > > 
> > > You cannot be sure that displayName will be populated, so if you want
> > > 'gecos' to seemingly contain something, you need to either patch 'samba-tool
> > > > user create' to refuse to create the user unless the user's first and last
> > > > names are also given, i.e. just like Windows, or test if gecos is empty, if
> > > so, use displayName contents and if this is also empty, fall back to
> > > samaccountname.
> > Well, in case of SSSD we synthesize it from 'cn' (which couldn't be
> > missing). I'd prefer a common behavior here but otherwise I agree with
> > you.
> 
> According to the commit message in SSSD, that's compliant with
> section 5.3 of RFC 2307 which states:
> 
> An account's GECOS field is preferably determined by a value of the
> gecos attribute. If no gecos attribute exists, the value of the cn
> attribute MUST be used. (The existence of the gecos attribute allows
> information embedded in the GECOS field, such as a user's telephone
> number, to be returned to the client without overloading the cn
> attribute. It also accommodates directories where the common name
> does not contain the user's full name.) 

Very good, thanks! That would work nicely with MS AD and with a Samba
4 AD you'd get the same behaviour when using MS tools like RSAT;
alternatively, when using samba-tool we have the --gecos arg.

Will post an updated patchset using cn instead of displayName.

-Ralph

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt@sernet.de


