[PATCH] samba-tool: make 'samba-tool user create' work like ADUC

Ralph Böhme slow at samba.org
Thu Jun 25 02:05:23 MDT 2015


On Thu, Jun 25, 2015 at 02:37:21AM +0300, Alexander Bokovoy wrote:
> On Wed, Jun 24, 2015 at 10:33:15PM +0100, Rowland Penny wrote:
> > On 24/06/15 22:01, Alexander Bokovoy wrote:
> > >On Wed, Jun 24, 2015 at 08:40:00PM +0100, Rowland Penny wrote:
> > >>On 24/06/15 20:20, Andrew Bartlett wrote:
> > >>>On Wed, 2015-06-24 at 08:21 +0100, Rowland Penny wrote:
> > >>>>  I feel if it is a
> > >>>>problem with my patch, then it must be a problem with ADUC as well.
> > >>>It is.  That doesn't make the situation any better however.
> > >>In that case, why are you objecting to this patch ? I personally think you
> > >>are being a bit hypocritical here, if my patch shouldn't be used, you should
> > >>also be saying 'We shouldn't advise people to use ADUC.'
> > >>
> > >>>As I said, we haven't left this issue in such a difficult spot because
> > >>>there were easy answers, but because there are no easy, safe, answers.
> > >>Again, if, in the long term, there are not going to be major changes in this
> > >>area, why are you objecting to this patch ? This patch would make it easier
> > >>to add users & groups, just like ADUC, but on the command line. If or when
> > >>major changes are made (and I assume these will have to be accepted by
> > >>Microsoft), the way users & groups are added will have to be changed and a
> > >>new python script will be required, but until then, we have to work with
> > >>what we have got and do it the easiest way.
> > >Let me give you some perspective. At SambaXP we discussed with Andrew on
> > >how to ease this aspect of maintaining POSIX attributes in a Samba AD
> > >domain. In general, we agreed we want to do better than Windows in this
> > >particular area.
> > >
> > >In the FreeIPA realm we have a practical solution to this problem with
> > >Active Directory users, based on two features:
> > >
> > >  - FreeIPA supports ID ranges which are used to assign IDs to users and
> > >    groups, there are different types of ranges available, namely
> > >    algorithmic and manually assigned
> > 
> > This sounds very much like the winbind 'rid' & 'ad' backends
> No, there is substantial difference.
> 
> idmap_rid:
>        The Unix ID for a RID is calculated this way:
> 
>           ID = RID - BASE_RID + LOW_RANGE_ID.
> 
> idmap_ad:
>        The Unix ID is taken from uidNumber/gidNumber values directly and
>        filtered by the range.
> 
> sssd-ad:
>        The ID space for the forest is split into equal slices, each for
>        the separate domain.
> 
>        The Unix ID for a <SID,RID> pair is calculated by taking the murmurhash3 value
>        of the domain SID (a 32-bit integer) and then taking a modulus of
>        this value to determine a slice; the final value is calculated
>        similarly to idmap_rid, based on the slice.

fwiw:
=> idmap_autorid

-Ralph
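The two mapping rules quoted above, idmap_rid's arithmetic and the sssd-ad hash-selected slice, worked through as an added example; this is not code from the thread, from Samba or from SSSD. It assumes the domain SID is hashed in its text form with seed 0xDEADBEEF and that the lower/upper/rangesize defaults match SSSD's usual idmap settings; the SID "S-1-5-21-1-2-3" is constructed.

```python
def murmurhash3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 of `data`, returned as an unsigned 32-bit int."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    h, n = seed & mask, len(data)
    for i in range(0, n - n % 4, 4):           # full 4-byte blocks
        k = int.from_bytes(data[i:i + 4], "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
        h = ((h << 13) | (h >> 19)) & mask
        h = (h * 5 + 0xE6546B64) & mask
    tail = data[n - n % 4:]                    # 0 to 3 trailing bytes
    if tail:
        k = int.from_bytes(tail, "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
    h ^= n                                     # finalisation mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    return h ^ (h >> 16)

def idmap_rid(rid: int, low_range_id: int, high_range_id: int, base_rid: int = 0) -> int:
    """idmap_rid rule from the thread: ID = RID - BASE_RID + LOW_RANGE_ID."""
    uid = rid - base_rid + low_range_id
    if not low_range_id <= uid <= high_range_id:     # outside the configured range
        raise ValueError(f"RID {rid} maps outside {low_range_id}-{high_range_id}")
    return uid

def sssd_ad_id(domain_sid: str, rid: int, lower: int = 200000,
               upper: int = 2000200000, rangesize: int = 200000,
               seed: int = 0xDEADBEEF) -> int:
    """sssd-ad rule: hash the domain SID, pick a slice, add the RID.

    Assumed: the SID is hashed as its text form with seed 0xDEADBEEF, and the
    lower/upper/rangesize defaults mirror SSSD's usual idmap settings.
    """
    max_slices = (upper - lower) // rangesize        # equal-sized slices
    slice_no = murmurhash3_32(domain_sid.encode("ascii"), seed) % max_slices
    if not 0 <= rid < rangesize:                     # RID would spill into the next slice
        raise ValueError(f"RID {rid} does not fit in a slice of {rangesize} IDs")
    return lower + slice_no * rangesize + rid

if __name__ == "__main__":   # constructed domain SID, not a real one
    print(idmap_rid(1103, 10000, 999999), sssd_ad_id("S-1-5-21-1-2-3", 1103))
```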

