[PATCH] samba-tool: make 'samba-tool user create' work like ADUC

Rowland Penny repenny241155 at gmail.com
Thu Jun 25 03:45:49 MDT 2015

On 25/06/15 10:09, Alexander Bokovoy wrote:
> On Thu, Jun 25, 2015 at 09:00:40AM +0100, Rowland Penny wrote:
>>>> Hmm, 'custom control', this probably means extending the AD
>>>> schema and will add something that ADUC will not be able to add.
>>> Existence of the LDAP control is not related to extension of the schema,
>>> these are orthogonal to each other.
>>> ADUC is not going to have support for POSIX attributes -- RSAT is already
>>> deprecated from Windows Server 2012R2 and will be removed in the next
>>> version (next year, I heard).
>> This is sort of what I am getting at, samba4 only supports up to Windows
>> 2008R2, you cannot join a 2012 DC to a samba domain and next year there
>> might be another version that cannot be joined.
> Yes, this worries me too.
>>>> Samba can do is advise users to use the Windows tools because
>>>> their own tools aren't up to it!
>>> The fact that winbindd is complex is precisely one reason why we have been
>>> talking about refactoring for a long time. With reduction to a single
>>> winbind version in 4.2, the next steps are in making it possible to split up
>>> schannel and topology related operations from ID management so that they
>>> could be developed independently.
>>> This is what makes working on winbindd hard -- there is a body of
>>> knowledge about edge cases for trust-related operations that is not
>>> really documented other than as code.
>>> Adding samba-tool support for ADUC-like functionality isn't going to
>>> solve it. It would create a heritage we would need to deal with later.
>> And that last statement says it all, you *are* going to have to deal with the
>> heritage domains, or are you proposing that Samba does what Microsoft did
>> with NT-4 and declare every version of Samba that works as it does now
>> obsolete and tell everybody they will have to use a new version?
> I think you misunderstood and I never said anything like that.

Unless you deal with what is out there at the moment, in my opinion, in
a roundabout way that is what you are saying.

>> Adding ADUC-like functionality to samba-tool isn't going to do anything but
>> make it easier to create users and groups, it isn't adding *any*
>> functionality above what is available on ADUC or what samba-tool already has
>> (provided you have a pen & paper to keep track of last ID number used).
> Unfortunately, your patch isn't forcing manual allocation with
> pen&paper. Instead, it goes the full way to auto-increment the IDs, which
> is what prompted the reaction -- it is an incorrect way of doing it and it
> would be better to have a way to request ID allocation from winbindd
> using whatever idmap plugin is configured.

OK, your average Samba sysadmin is sat at their terminal and needs to 
create a new AD Unix user with samba-tool. They start typing 'samba-tool 
user create User passw2rd --given-name=John --surname=Doe 
--nis-domain=samdom --unix-home=/home/User --login-shell=/bin/false 

Hmm, what was the last uidNumber used? The sysadmin then consults their
records, post-it note stuck on terminal, file on computer, notepad --
you get the idea -- and comes up with a number, '10005', they add 1 to this
number and type that in. Finally they need to add a gidNumber, back to
records, what group to use, what is its gidNumber and they finally type
' --gid-number=10000' on the end. They then press 'Enter' and create the
user, they then go back and update their records with the uidNumber they
just used.

Would you like to explain how this is different from the way my patch
works?

> This is what I meant by a heritage that we would need to deal with
> later.
> Also, I don't like the mess that is created by combining formatting
> changes with functional ones. It is going to beat us in future when any
> specific bug arises and we'll be doing searches for the offending
> commit. The way we deal with it is that formatting commits are separate
> from functional changes.

Could you explain what you mean by 'formatting' and 'functional'? I
think I understand the latter, but do not have a clue about the former.

