[PATCHv2] Supplement nss info gecos from cn

Rowland Penny repenny241155 at gmail.com
Tue Jul 28 11:06:40 UTC 2015


On 28/07/15 12:00, Ralph Böhme wrote:
> On Tue, Jul 28, 2015 at 10:20:38AM +0200, Jakub Hrozek wrote:
>> On Tue, Jul 28, 2015 at 07:25:49AM +0300, Alexander Bokovoy wrote:
>>> On Mon, 27 Jul 2015, Rowland Penny wrote:
>>>> On 27/07/15 21:11, Ralph Böhme wrote:
>>>>> On Mon, Jul 27, 2015 at 06:30:51PM +0100, Rowland Penny wrote:
>>>>>> On 27/07/15 18:12, Ralph Böhme wrote:
>>>>>>> Attached is a small patchset that tries to address a shortcoming in
>>>>>>> winbind pulling gecos information from AD.
>>>>>>>
>>>>>>> Either winbind nss info sfu, sfu20 and rfc2307 will end up querying
>>>>>>> the gecos attribute, which will be empty in most cases, as neither
>>>>>>> Samba AD nor Windows with IDMU assigns a value to it by default.
>>>>>>>
>>>>>>> As a result Samba servers pulling nss info via winbind will show empty
>>>>>>> gecos fields. Wouldn't it make sense to pull the gecos info from
>>>>>>> another attribute like displayName in case gecos is empty?
>>>>>>>
>>>>>>> Review&comments appreciated. Thanks!
>>>>>>>
>>>>>>> -Ralph
>>>>>>>
>>>>>> er, you do realise that if you create a user with samba-tool
>>>>>> 'samba-tool user create username' you do not get a displayName
>>>>>> attribute either,
>>>>> yes, but using MS tools will.
>>>>>
>>>>>> so what are your plans to fall back to ?
>>>>> That's not the point.
>>>>>
>>>>>> Or to put it another way, you cannot presume the displayName
>>>>>> attribute will be populated either, so why bother ?
>>>>> Because when using MS tools gecos will always be empty while
>>>>> displayName will contain something. For Samba users in an MS AD
>>>>> environment that makes a difference I guess.
>>>>>
>>>>> Cheerio!
>>>>> -Ralph
>>>> Hi Ralph, I think you are missing the point :-)
>>>>
>>>> You cannot be sure that displayName will be populated, so if you want
>>>> 'gecos' to seemingly contain something, you need to either patch 'samba-tool
>>>> user create' to refuse to create the user unless the user's first and last
>>>> names are also given i.e. just like windows, or test if gecos is empty, if
>>>> so, use displayName contents and if this is also empty, fall back to
>>>> samaccountname.
>>> Well, in case of SSSD we synthesize it from 'cn' (which couldn't be
>>> missing). I'd prefer a common behavior here but otherwise I agree with
>>> you.
>> According to the commit message in SSSD, that's compliant with
>> section 5.3 of RFC 2307 which states:
>>
>> An account's GECOS field is preferably determined by a value of the
>> gecos attribute. If no gecos attribute exists, the value of the cn
>> attribute MUST be used.
> updated patchset attached.
>
> -Ralph
>

Hi Ralph, I think you missed something :-)

138+         * use the MS displayName attribute as a fallback.
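Review bot: the comment on the quoted line 138 still names the MS displayName attribute as the fallback, while the subject of this v2 patchset says gecos is supplemented from cn. If the code now reads cn, the comment should say cn so that it matches the behaviour and the RFC 2307 section 5.3 wording quoted earlier in the thread.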

Rowland



