[PATCH] samba-tool: make 'samba-tool user create' work like ADUC
ab at samba.org
Thu Jun 25 02:48:36 MDT 2015
On Thu, Jun 25, 2015 at 10:05:23AM +0200, Ralph Böhme wrote:
> On Thu, Jun 25, 2015 at 02:37:21AM +0300, Alexander Bokovoy wrote:
> > On Wed, Jun 24, 2015 at 10:33:15PM +0100, Rowland Penny wrote:
> > > On 24/06/15 22:01, Alexander Bokovoy wrote:
> > > >On Wed, Jun 24, 2015 at 08:40:00PM +0100, Rowland Penny wrote:
> > > >>On 24/06/15 20:20, Andrew Bartlett wrote:
> > > >>>On Wed, 2015-06-24 at 08:21 +0100, Rowland Penny wrote:
> > > >>>> I feel if it is a
> > > >>>>problem with my patch, then it must be a problem with ADUC as well.
> > > >>>It is. That doesn't make the situation any better however.
> > > >>In that case, why are you objecting to this patch? I personally think you
> > > >>are being a bit hypocritical here, if my patch shouldn't be used, you should
> > > >>also be saying 'We shouldn't advise people to use ADUC.'
> > > >>
> > > >>>As I said, we haven't left this issue in such a difficult spot because
> > > >>>there were easy answers, but because there are no easy, safe, answers.
> > > >>Again, if, in the long term, there are not going to be major changes in this
> > > >>area, why are you objecting to this patch? This patch would make it easier
> > > >>to add users & groups, just like ADUC, but on the command line. If or when
> > > >>major changes are made (and I assume these will have to be accepted by
> > > >>Microsoft), the way users & groups are added will have to be changed and a
> > > >>new python script will be required, but until then, we have to work with
> > > >>what we have got and do it the easiest way.
> > > >Let me give you some perspective. At SambaXP we discussed with Andrew on
> > > >how to ease this aspect of maintaining POSIX attributes in a Samba AD
> > > >domain. In general, we agreed we want to do better than Windows in this
> > > >particular area.
> > > >
> > > >In the FreeIPA realm we have a practical solution to this problem with
> > > >Active Directory users, based on two features:
> > > >
> > > > - FreeIPA supports ID ranges which are used to assign IDs to users and
> > > > groups, there are different types of ranges available, namely
> > > > algorithmic and manually assigned
> > >
> > > This sounds very like the winbind 'rid' & 'ad' backends
> > No, there is a substantial difference.
> > idmap_rid:
> > The Unix ID for a RID is calculated this way:
> > ID = RID - BASE_RID + LOW_RANGE_ID.
> > idmap_ad:
> > The Unix ID is taken from uidNumber/gidNumber values directly and
> > filtered by the range.
> > sssd-ad:
> > The ID space for the forest is split into equal slices, each for
> > the separate domain.
> > The Unix ID for a <SID,RID> pair is calculated by taking a murmurhash3 value
> > of the domain SID (32-bit integer) and then taking a modulus of
> > this value to determine a slice and final value is calculated
> > similar to idmap_rid based on the slice.
> => idmap_autorid
Yes, this is one option from which sssd-ad derived its inspiration.
There is a difference, though, as autorid tends to produce
non-deterministic ordering of the domain-to-range mappings.
/ Alexander Bokovoy
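To make the three mapping rules quoted in the message above concrete, here is an added, stand-alone Python model of them; it is example code, not Samba, winbind or SSSD code. The idmap_rid and idmap_ad arithmetic follow the lines quoted in the message. The hash-slice mapping follows the description of sssd-ad, but the seed 0xDEADBEEF, hashing the string form of the domain SID, and linear probing when two domains land on the same slice are assumptions of this example, not a statement about SSSD internals. The domain SIDs and range values are constructed. The block also contrasts the hash-based mapping with a first-come allocator to illustrate the ordering point made about autorid: two hosts that meet the same domains in a different order agree under the hash scheme and disagree under first-come allocation.

```python
"""Model of the idmap_rid, idmap_ad and sssd-ad style mappings discussed on the
list.  Added example, not project code; SIDs and ranges below are constructed."""
from dataclasses import dataclass, field

MASK32 = 0xFFFFFFFF


def murmurhash3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (Austin Appleby's reference algorithm), pure Python."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h1 = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):                      # 4-byte body blocks
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k1 = (k1 * c1) & MASK32
        k1 = ((k1 << 15) | (k1 >> 17)) & MASK32
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
        h1 = ((h1 << 13) | (h1 >> 19)) & MASK32
        h1 = (h1 * 5 + 0xE6546B64) & MASK32
    tail, k1 = data[nblocks * 4:], 0               # 0..3 trailing bytes
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = (k1 * c1) & MASK32
        k1 = ((k1 << 15) | (k1 >> 17)) & MASK32
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
    h1 ^= len(data)                                # finalisation mix
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & MASK32
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & MASK32
    return h1 ^ (h1 >> 16)


def idmap_rid(rid, low_range_id, high_range_id, base_rid=0):
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID, rejected outside the range."""
    unix_id = rid - base_rid + low_range_id
    if not low_range_id <= unix_id <= high_range_id:
        raise ValueError(f"RID {rid} maps outside {low_range_id}-{high_range_id}")
    return unix_id


def idmap_ad(uid_number, low_range_id, high_range_id):
    """idmap_ad: uidNumber/gidNumber used directly, filtered by the range.
    None means the attribute is absent or out of range (no mapping)."""
    if uid_number is None or not low_range_id <= uid_number <= high_range_id:
        return None
    return uid_number


@dataclass
class HashSliceIdmap:
    """sssd-ad style: equal slices of the ID space, slice chosen by hashing the
    domain SID.  Seed and collision probing are assumptions of this example."""
    range_min: int = 200000
    range_max: int = 2000200000
    rangesize: int = 200000
    seed: int = 0xDEADBEEF
    slices: dict = field(default_factory=dict)    # domain SID -> slice index

    @property
    def max_slices(self):
        return (self.range_max - self.range_min) // self.rangesize

    def slice_for(self, domain_sid):
        if domain_sid in self.slices:
            return self.slices[domain_sid]
        candidate = murmurhash3_32(domain_sid.encode("ascii"), self.seed) % self.max_slices
        taken = set(self.slices.values())
        for _ in range(self.max_slices):          # linear probe on collision
            if candidate not in taken:
                self.slices[domain_sid] = candidate
                return candidate
            candidate = (candidate + 1) % self.max_slices
        raise RuntimeError("no free slice left")

    def unix_id(self, domain_sid, rid):
        if rid >= self.rangesize:                 # would spill into another slice
            raise ValueError(f"RID {rid} does not fit a slice of {self.rangesize}")
        return self.range_min + self.slice_for(domain_sid) * self.rangesize + rid


@dataclass
class FirstComeIdmap:
    """autorid-like: slices handed out in the order domains are first seen."""
    range_min: int = 200000
    rangesize: int = 200000
    slices: dict = field(default_factory=dict)

    def unix_id(self, domain_sid, rid):
        s = self.slices.setdefault(domain_sid, len(self.slices))
        return self.range_min + s * self.rangesize + rid


# Constructed domain SIDs for the demonstration (not real domains).
SIDS = ["S-1-5-21-1111111111-2222222222-3333333333",
        "S-1-5-21-4444444444-5555555555-6666666666"]


def compare_ordering(rid=1104):
    """Two hosts meet the same domains in opposite order.  Returns
    (hash scheme agrees?, first-come scheme agrees?)."""
    a, b = HashSliceIdmap(), HashSliceIdmap()
    hash_agree = [a.unix_id(s, rid) for s in SIDS] == \
                 [b.unix_id(s, rid) for s in reversed(SIDS)][::-1]
    c, d = FirstComeIdmap(), FirstComeIdmap()
    fc_agree = [c.unix_id(s, rid) for s in SIDS] == \
               [d.unix_id(s, rid) for s in reversed(SIDS)][::-1]
    return hash_agree, fc_agree
```

The RID check in `HashSliceIdmap.unix_id` is the failure mode worth noticing: a slice of size N can only hold RIDs below N, and silently letting a larger RID through would place that user in a neighbouring domain's slice. The example rejects such RIDs rather than guessing at how any real backend handles them.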