[PATCH] samba-tool: make 'samba-tool user create' work like ADUC
ab at samba.org
Thu Jun 25 04:04:54 MDT 2015
On Thu, Jun 25, 2015 at 10:45:49AM +0100, Rowland Penny wrote:
> >>>knowledge about edge cases for trust-related operations that is not
> >>>really documented other than as a code.
> >>>Adding samba-tool support for ADUC-like functionality isn't going to
> >>>solve it. It would create a heritage we would need to deal with later.
> >>And that last statement says it all, you *are* going to have deal with the
> >>heritage domains, or are you proposing that Samba does what Microsoft did
> >>with NT-4 and declare every version of Samba that works as it does now
> >>obsolete and tell everybody they will have to use a new version.
> >I think you misunderstood and I never said anything like that.
> Unless you deal with what is out there at the moment, in my opinion, in a
> round about way that is what you are saying.
No, I'm not and do not put that in my mouth. :)
> >>Adding ADUC-like functionality to samba-tool isn't going to do anything but
> >>make it easier to create users and groups, it isn't adding *any*
> >>functionality above what is available on ADUC or what samba-tool already has
> >>(provided you have a pen & paper to keep track of last ID number used).
> >Unfortunately, your patch isn't forcing manual allocation with
> >pen&paper. Instead, it does go full way to auto-increment the IDs which
> >is what prompted the reaction -- it is incorrect way of doing it and it
> >would be better to have a way to request ID allocation from winbindd
> >using whatever configured idmap plugin.
> OK, your average Samba sysadmin is sat at their terminal and needs to create
> a new AD Unix user with samba-tool. They start typing 'samba-tool user
> create User passw2rd --given-name=John --surname=Doe --nis-domain=samdom
> --unix-home=/home/User --login-shell=/bin/false --uid-number=???
> Hmm. what was the last uidNumber used, sysadmin then consults their records,
> post-it note stuck on terminal, file on computer, notepad -- you get the
> idea and comes up with a number '10005' , they add 1 to this number and type
> that in. Finally they need to add a gidnumber, back to records, what group
> to use, what is its gidNumber and they finally type ' --gid-number=10000'
> on the end. They then press 'Enter' and create the user, they then go back
> and update their records with the uidNumber they just used.
> Would you like to explain how this is different from the way my patch works
You patch ignores ID allocation schemas that are configured on Samba AD
DC with Winbindd, completely. We need to have a single place where logic
to allocate IDs is done and that is winbindd. Do not add other logic,
please, use the one that is there already.
> >This is what I meant by a heritage that we would need to deal with
> >Also, I don't like the mess that is created by combining formatting
> >changes with functional ones. It is going to beat us in future when any
> >specific bug arises and we'll be doing searches for the offending
> >commit. The way we deal with it is that formatting commits are separate
> >from functional changes.
> Could you explain what you mean by 'formatting' and 'functional' , I think I
> understand the later, but do not have a clue about the former.
More than half of your patch is reformatting existing code rather than
adding new feature. Split that into a separate patch, rather than
combining them together.
/ Alexander Bokovoy
More information about the samba-technical