[PATCH] samba-tool: make 'samba-tool user create' work like ADUC

Alexander Bokovoy ab at samba.org
Thu Jun 25 03:09:09 MDT 2015

On Thu, Jun 25, 2015 at 09:00:40AM +0100, Rowland Penny wrote:
> >>Hmm, 'custom control', this probably means extending the AD
> >>schema and will add something that ADUC will not be able to add.
> >Existence of the LDAP control is not related to extension of the schema,
> >these are orthogonal to each other.
> >
> >ADUC is not going to have support for POSIX attributes -- RSAT is already
> >deprecated from Windows Server 2012R2 and will be removed in the next
> >version (next year, I heard).
> This is sort of what I am getting at, samba4 only supports up to windows
> 2008R2, you cannot join a 2012 DC to a samba domain and next year there
> might be another version that cannot be joined.
Yes, this worries me too. 

> >>Samba can do is advise users to use the Windows tools because
> >>their own tools aren't up to it!
> >The fact that winbindd is complex is precisely one thing why we are
> >talking about refactoring for a long time. With reduction to a single
> >winbind version in 4.2, next steps are in making it possible to split up
> >schannel and topology related operations from ID management so that they
> >could be developed independently.
> >
> >This is what makes working on winbindd hard -- there is a body of
> >knowledge about edge cases for trust-related operations that is not
> >really documented other than as a code.
> >
> >Adding samba-tool support for ADUC-like functionality isn't going to
> >solve it. It would create a heritage we would need to deal with later.
> >
> >
> And that last statement says it all, you *are* going to have to deal with the
> heritage domains, or are you proposing that Samba does what Microsoft did
> with NT-4 and declare every version of Samba that works as it does now
> obsolete and tell everybody they will have to use a new version.
I think you misunderstood and I never said anything like that.

> Adding ADUC-like functionality to samba-tool isn't going to do anything but
> make it easier to create users and groups, it isn't adding *any*
> functionality above what is available on ADUC or what samba-tool already has
> (provided you have a pen & paper to keep track of last ID number used).
Unfortunately, your patch isn't forcing manual allocation with
pen&paper. Instead, it does go the full way to auto-increment the IDs which
is what prompted the reaction -- it is an incorrect way of doing it and it
would be better to have a way to request ID allocation from winbindd
using whatever configured idmap plugin.

This is what I meant by a heritage that we would need to deal with.

Also, I don't like the mess that is created by combining formatting
changes with functional ones. It is going to beat us in future when any
specific bug arises and we'll be doing searches for the offending
commit. The way we deal with it is that formatting commits are separate
from functional changes.

/ Alexander Bokovoy
