[PATCH] samba-tool: make 'samba-tool user create' work like ADUC

Alexander Bokovoy ab at samba.org
Wed Jun 24 15:01:51 MDT 2015

On Wed, Jun 24, 2015 at 08:40:00PM +0100, Rowland Penny wrote:
> On 24/06/15 20:20, Andrew Bartlett wrote:
> >On Wed, 2015-06-24 at 08:21 +0100, Rowland Penny wrote:
> >>  I feel if it is a
> >>problem with my patch, then it must be a problem with ADUC as well.
> >It is.  That doesn't make the situation any better however.
> In that case, why are you objecting to this patch ? I personally think you
> are being a bit hypocritical here, if my patch shouldn't be used, you should
> also be saying 'We shouldn't advise people to use ADUC.'
> >
> >As I said, we haven't left this issue in such a difficult spot because
> >there were easy answers, but because there are no easy, safe, answers.
> Again, if, in the long term, there are not going to be major changes in this
> area, why are you objecting to this patch ? This patch would make it easier
> to add users & groups, just like ADUC, but on the command line. If or when
> major changes are made (and I assume these will have to be accepted by
> Microsoft), the way users & groups are added will have to be changed and a
> new python script will be required, but until then, we have to work with
> what we have got and do it the easiest way.
Let me give you some perspective. At SambaXP we discussed with Andrew on
how to ease this aspect of maintaining POSIX attributes in a Samba AD
domain. In general, we agreed we want to do better than Windows in this
particular area.

In FreeIPA realm we have practical solution to this problem with
Active Directory users, based on two features:

 - FreeIPA supports ID ranges which are used to assign IDs to users and
   groups, there are different types of ranges available, namely
   algorithmic and manually assigned

 - FreeIPA server exposes a custom LDAP control that allows SSSD running
   on a FreeIPA client to ask "what are POSIX attributes for this AD
   user, addressed by name or SID?" type of questions. The answers to
   this question are given by SSSD running on the FreeIPA master.

In case of the algorithmic ID range assigned to AD domain, SSSD on the
FreeIPA master will use a predetermined algorithm to derive uidNumber
and gidNumber for AD users belonging to that domain.

In case the range has been set up to provide manual assignments to each
individual AD user/group, SSSD on the FreeIPA master will pick that
information up from AD LDAP.

There is also a mechanism to override these manual assignments in
FreeIPA LDAP store to allow assigning own IDs to AD users in case you
cannot modify AD to support POSIX attributes or you are dealing with
older ('legacy') clients which can't use SSSD. See my talk at SambaXP'15
on day 3 about this specific aspect.

So what this approach gives us when applied to Samba AD?

Samba AD could have implementation of the same LDAP control that FreeIPA
does. SSSD on clients will then be able to retrieve IDs from Samba AD
LDAP for any user or group, if uidNumber/gidNumber values miss in the
Samba AD LDAP for them. This retrieval attempt can be used by Samba AD
LDAP to actually allocate the values automatically, using winbindd and a
the same algorithm with ID ranges. The algorithm is predictive, depends
on RID and domain SID, thus always producing the same ID regardless of
the order of ID allocation.

samba-tool then could be used to allow setting up ranges and
uidNumber/gidNumber with similar approach -- asking Samba AD LDAP with
the same LDAP control or setting the values directly if they were
specified manually.

/ Alexander Bokovoy

More information about the samba-technical mailing list