[PATCH] Supplement nss info gecos from displayName

Ralph Böhme rb at sernet.de
Tue Jul 28 08:57:01 UTC 2015


On Tue, Jul 28, 2015 at 07:25:49AM +0300, Alexander Bokovoy wrote:
> On Mon, 27 Jul 2015, Rowland Penny wrote:
> > On 27/07/15 21:11, Ralph Böhme wrote:
> > >On Mon, Jul 27, 2015 at 06:30:51PM +0100, Rowland Penny wrote:
> > >>On 27/07/15 18:12, Ralph Böhme wrote:
> > >>>Attached is a small patchset that tries to address a shortcoming in
> > >>>winbind pulling gecos information from AD.
> > >>>
> > >>>Either winbind nss info sfu, sfu20 and rfc2307 will end up querying
> > >>>the gecos attribute, which will be empty in most cases, as neither
> > >>>Samba AD nor Windows with IDMU assigns a value to it by default.
> > >>>
> > >>>As a result Samba servers pulling nss info via winbind will show empty
> > >>>gecos fields. Wouldn't it make sense to pull the gecos info from
> > >>>another attribute like displayName in case gecos is empty?
> > >>>
> > >>>Review&comments appreciated. Thanks!
> > >>>
> > >>>-Ralph
> > >>>
> > >>er, you do realise that if you create a user with samba-tool
> > >>'samba-tool user create username' you do not get a displayName
> > >>attribute either,
> > >yes, but using MS tools will.
> > >
> > >>so what are your plans to fall back to ?
> > >That's not the point.
> > >
> > >>Or to put it another way, you cannot presume the displayName
> > >>attribute will be populated either, so why bother ?
> > >Because when using MS tools gecos will always be empty while
> > >displayName will contain something. For Samba users in an MS AD
> > >environment that makes a difference I guess.
> > >
> > >Cheerio!
> > >-Ralph
> > 
> > Hi Ralph, I think you are missing the point :-)
> > 
> > You cannot be sure that displayName will be populated, so if you want
> > 'gecos' to seemingly contain something, you need to either patch 'samba-tool
> > user create' to refuse to create the user unless the user's first and last
> > names are also given, i.e. just like Windows, or test if gecos is empty, if
> > so, use displayName contents and if this is also empty, fall back to
> > samaccountname.
> Well, in case of SSSD we synthesize it from 'cn' (which couldn't be
> missing).

I thought sssd would be using the attribute from ldap_user_gecos which
defaults to gecos?

-Ralph

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt@sernet.de


