[PATCH] samba-tool: make 'samba-tool user create' work like ADUC

Alexander Bokovoy ab at samba.org
Thu Jun 25 04:04:54 MDT 2015

On Thu, Jun 25, 2015 at 10:45:49AM +0100, Rowland Penny wrote:
> >>>knowledge about edge cases for trust-related operations that is not
> >>>really documented other than as a code.
> >>>
> >>>Adding samba-tool support for ADUC-like functionality isn't going to
> >>>solve it. It would create a heritage we would need to deal with later.
> >>>
> >>>
> >>And that last statement says it all, you *are* going to have deal with the
> >>heritage domains, or are you proposing that Samba does what Microsoft did
> >>with NT-4 and declare every version of Samba that works as it does now
> >>obsolete and tell everybody they will have to use a new version.
> >I think you misunderstood and I never said anything like that.
> Unless you deal with what is out there at the moment, in my opinion, in a
> round about way that is what you are saying.
No, I'm not and do not put that in my mouth. :)

> >
> >>Adding ADUC-like functionality to samba-tool isn't going to do anything but
> >>make it easier to create users and groups, it isn't adding *any*
> >>functionality above what is available on ADUC or what samba-tool already has
> >>(provided you have a pen & paper to keep track of last ID number used).
> >Unfortunately, your patch isn't forcing manual allocation with
> >pen&paper. Instead, it does go full way to auto-increment the IDs which
> >is what prompted the reaction -- it is incorrect way of doing it and it
> >would be better to have a way to request ID allocation from winbindd
> >using whatever configured idmap plugin.
> OK, your average Samba sysadmin is sat at their terminal and needs to create
> a new AD Unix user with samba-tool. They start typing 'samba-tool user
> create User passw2rd --given-name=John --surname=Doe --nis-domain=samdom
> --unix-home=/home/User --login-shell=/bin/false --uid-number=???
> Hmm. what was the last uidNumber used, sysadmin then consults their records,
> post-it note stuck on terminal, file on computer, notepad -- you get the
> idea and comes up with a number '10005' , they add 1 to this number and type
> that in. Finally they need to add a gidnumber, back to records, what group
> to use, what is its gidNumber and they finally type  ' --gid-number=10000'
> on the end. They then press 'Enter' and create the user, they then go back
> and update their records with the uidNumber they just used.
> Would you like to explain how this is different from the way my patch works
> ?
You patch ignores ID allocation schemas that are configured on Samba AD
DC with Winbindd, completely. We need to have a single place where logic
to allocate IDs is done and that is winbindd. Do not add other logic,
please, use the one that is there already.

> >
> >This is what I meant by a heritage that we would need to deal with
> >later.
> >
> >Also, I don't like the mess that is created by combining formatting
> >changes with functional ones. It is going to beat us in future when any
> >specific bug arises and we'll be doing searches for the offending
> >commit. The way we deal with it is that formatting commits are separate
> >from functional changes.
> Could you explain what you mean by 'formatting' and 'functional' , I think I
> understand the later, but do not have a clue about the former.
More than half of your patch is reformatting existing code rather than
adding new feature. Split that into a separate patch, rather than
combining them together.
/ Alexander Bokovoy

More information about the samba-technical mailing list