[PATCH] samba-tool: make 'samba-tool user create' work like ADUC

Alexander Bokovoy ab at samba.org
Thu Jun 25 06:05:30 MDT 2015

On Thu, Jun 25, 2015 at 01:00:22PM +0100, Rowland Penny wrote:
> On 25/06/15 12:35, Alexander Bokovoy wrote:
> >On Thu, Jun 25, 2015 at 11:29:45AM +0100, Rowland Penny wrote:
> >>>>to use, what is its gidNumber and they finally type  ' --gid-number=10000'
> >>>>on the end. They then press 'Enter' and create the user, they then go back
> >>>>and update their records with the uidNumber they just used.
> >>>>
> >>>>Would you like to explain how this is different from the way my patch works
> >>>>?
> >>>Your patch ignores ID allocation schemas that are configured on Samba AD
> >>>DC with Winbindd, completely. We need to have a single place where logic
> >>>to allocate IDs is done and that is winbindd. Do not add other logic,
> >>>please, use the one that is there already.
> >>Taking a member server as an example, winbind can be set up to work in at
> >>least two ways, the 'ad' and 'rid' back ends. The 'rid' backend maps the
> >>user's AD RID to a number, this number should be the same on all member
> >>servers, but not on a DC (at the moment). The 'ad' backend has nothing to do
> >>with winbind apart from the fact winbind extracts the info from AD.
> >>I am *not* adding logic, I am just using what is already there, but in a
> >>different way. If you come right down to it, the two main ways of using
> >>winbind do not allocate IDs, they are either mapped or extracted.
> >You are increasing the number of code paths that have logic to create IDs.
> >We have that logic managed in idmap backends already so please use that.
> >If backend returns you (uint32_t)-1 value, it means SID is not mapped or
> >could not be mapped automatically so you would be able to tell that to
> >the admin. However, incrementing on your own represents just one
> >specific way of allocating the ID. I would rather ask the admin to
> >confirm it.
> >
> >Additionally, Samba AD DC has idmap module that allocates
> >uidNumber/gidNumber, see idmap_sid_to_xid() in source4/winbind/idmap.c.
> >At the very least you want to be compatible with it.
> I am getting lost here, I am updating a *python* script here,
> I am not touching the actual samba c code in any way :-\
What I'm saying is that your algorithm in Python code needs to be along
the lines of how winbindd behaves in case of Samba AD DC. This is the
algorithm above and you either would just call to it with libwbclient,
which would create the mapping automatically if possible (in any
winbindd setup) or would need to emulate that in your Python code. I'd
prefer the former rather than the latter.

/ Alexander Bokovoy
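
The decision flow argued for in the message above (take the ID from winbindd, treat (uint32_t)-1 as "not mapped", and require the admin to confirm a supplied ID instead of incrementing locally), as an added example that is not part of the thread or of samba-tool. The names `choose_uid_number`, `sample_lookup` and `IdDecisionError` are hypothetical, the lookup callable stands in for a real winbindd query, and the SIDs and IDs are constructed sample data.

```python
UNMAPPED = 0xFFFFFFFF  # (uint32_t)-1: "SID is not mapped", as named in the thread

# Constructed sample data: SID -> ID that winbindd would already return.
SAMPLE_MAP = {"S-1-5-21-1111-2222-3333-1104": 3000017}


def sample_lookup(sid):
    """Hypothetical stand-in for the winbindd lookup (e.g. via libwbclient)."""
    return SAMPLE_MAP.get(sid, -1)


class IdDecisionError(Exception):
    """No uidNumber can be chosen without input from the admin."""


def choose_uid_number(sid, lookup, requested=None, confirmed=False):
    """Return the uidNumber to store for sid, never inventing one locally.

    lookup    -- callable returning winbindd's ID for sid, or -1 / UNMAPPED
    requested -- ID the admin supplied on the command line, or None
    confirmed -- True once the admin has explicitly confirmed `requested`
    """
    mapped = lookup(sid) & 0xFFFFFFFF  # a signed -1 becomes the sentinel
    if mapped != UNMAPPED:
        if requested is not None and requested != mapped:
            raise IdDecisionError(
                "%s is already mapped to %d, refusing %d" % (sid, mapped, requested))
        return mapped
    # No mapping: do not auto-increment and never store the sentinel itself.
    if requested is None:
        raise IdDecisionError("no mapping for %s; an ID must be supplied" % sid)
    if not 0 <= requested < UNMAPPED:
        raise IdDecisionError("%d is outside the valid ID range" % requested)
    if not confirmed:
        raise IdDecisionError("ID %d for %s needs confirmation" % (requested, sid))
    return requested


if __name__ == "__main__":
    print(choose_uid_number("S-1-5-21-1111-2222-3333-1104", sample_lookup))
    print(choose_uid_number("S-1-5-21-1111-2222-3333-1105", sample_lookup,
                            requested=10000, confirmed=True))
```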
