[PATCH] Supplement nss info gecos from displayName

Rowland Penny repenny241155 at gmail.com
Tue Jul 28 09:14:48 UTC 2015


On 28/07/15 10:06, Ralph Böhme wrote:
> On Mon, Jul 27, 2015 at 09:26:18PM +0100, Rowland Penny wrote:
>> On 27/07/15 21:11, Ralph Böhme wrote:
>>> On Mon, Jul 27, 2015 at 06:30:51PM +0100, Rowland Penny wrote:
>>>> On 27/07/15 18:12, Ralph Böhme wrote:
>>>>> Attached is a small patchset that tries to address a shortcoming in
>>>>> winbind pulling gecos information from AD.
>>>>>
>>>>> Either winbind nss info sfu, sfu20 and rfc2307 will end up querying
>>>>> the gecos attribute, which will be empty in most cases, as neither
>>>>> Samba AD nor Windows with IDMU assigns a value to it by default.
>>>>>
>>>>> As a result Samba servers pulling nss info via winbind will show empty
>>>>> gecos fields. Wouldn't it make sense to pull the gecos info from
>>>>> another attribute like displayName in case gecos is empty?
>>>>>
>>>>> Review&comments appreciated. Thanks!
>>>>>
>>>>> -Ralph
>>>>>
>>>> er, you do realise that if you create a user with samba-tool
>>>> 'samba-tool user create username' you do not get a displayName
>>>> attribute either,
>>> yes, but using MS tools will.
>>>
>>>> so what are your plans to fall back to ?
>>> That's not the point.
>>>
>>>> Or to put it another way, you cannot presume the displayName
>>>> attribute will be populated either, so why bother ?
>>> Because when using MS tools gecos will always be empty while
>>> displayName will contain something. For Samba users in an MS AD
>>> environment that makes a difference I guess.
>>>
>>> Cheerio!
>>> -Ralph
>> Hi Ralph, I think you are missing the point :-)
>>
>> You cannot be sure that displayName will be populated, so if you want
>> 'gecos' to seemingly contain something, you need to either patch 'samba-tool
>> user create' to refuse to create the user unless the user's first and last
>> names are also given, i.e. just like Windows, or test if gecos is empty, if
>> so, use displayName contents and if this is also empty, fall back to
>> samaccountname.
> I expect users using samba-tool to add users to a Samba 4 AD to use
> --gecos anyway, that's not the use case I'm trying to address.

Hi Ralph, sorry, but what you expect and what people actually do are very
often not the same :-)
>
> What I'm trying to do is getting some sensible behaviour for users
> using tools like RSAT which will never put something into gecos.

Good idea, wrong attribute; you need to use an attribute that will
always be populated. This would seem to be 'cn', as Jakub has posted.


>
>> I personally think using the contents of one attribute instead of another
>> (even if it is empty) is not a good idea, but hey, what does my opinion
> Your opinion is certainly welcome and appreciated!

Thanks.

Rowland

> -Ralph
>



