[PATCH] samba-tool: make 'samba-tool user create' work like ADUC

Rowland Penny repenny241155 at gmail.com
Thu Jun 25 06:11:50 MDT 2015


On 25/06/15 13:05, Alexander Bokovoy wrote:
> On Thu, Jun 25, 2015 at 01:00:22PM +0100, Rowland Penny wrote:
>> On 25/06/15 12:35, Alexander Bokovoy wrote:
>>> On Thu, Jun 25, 2015 at 11:29:45AM +0100, Rowland Penny wrote:
>>>>>> to use, what is its gidNumber and they finally type  ' --gid-number=10000'
>>>>>> on the end. They then press 'Enter' and create the user, they then go back
>>>>>> and update their records with the uidNumber they just used.
>>>>>>
>>>>>> Would you like to explain how this is different from the way my patch
>>>>>> works?
>>>>> Your patch ignores ID allocation schemas that are configured on Samba AD
>>>>> DC with Winbindd, completely. We need to have a single place where logic
>>>>> to allocate IDs is done and that is winbindd. Do not add other logic,
>>>>> please, use the one that is there already.
>>>> Taking a member server as an example, winbind can be set up to work in at
>>>> least two ways, the 'ad' and 'rid' back ends. The 'rid' backend maps the
>>>> user's AD RID to a number, this number should be the same on all member
>>>> servers, but not on a DC (at the moment). The 'ad' backend has nothing to do
>>>> with winbind apart from the fact winbind extracts the info from AD.
>>>> I am *not* adding logic, I am just using what is already there, but in a
>>>> different way. If you come right down to it, the two main ways of using
>>>> winbind do not allocate IDs, they are either mapped or extracted.
>>> You are increasing the number of code paths that have logic to create IDs.
>>> We have that logic managed in idmap backends already so please use that.
>>> If the backend returns you a (uint32_t)-1 value, it means the SID is not mapped or
>>> could not be mapped automatically so you would be able to tell that to
>>> the admin. However, incrementing on your own represents just one
>>> specific way of allocating the ID. I would rather ask the admin to
>>> confirm it.
>>>
>>> Additionally, Samba AD DC has an idmap module that allocates
>>> uidNumber/gidNumber, see idmap_sid_to_xid() in source4/winbind/idmap.c.
>>> At the very least you want to be compatible with it.
>> I am getting lost here, I am updating a *python* script here,
>> I am not touching the actual Samba C code in any way :-\
> What I'm saying is that your algorithm in Python code needs to be along
> the lines of how winbindd behaves in case of Samba AD DC. This is the
> algorithm above and you either would just call to it with libwbclient,
> which would create the mapping automatically if possible (in any
> winbindd setup) or would need to emulate that in your Python code. I'd
> prefer the former rather than the latter.
>

Thanks for explaining that, I will go and see if I can work out how to 
do that, this could take some time :-)

Thanks also for your patience.

Rowland
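
The approach Alexander describes above, as an added example that is not part of this thread or of samba-tool: ask winbindd for the SID's mapping (here through the `wbinfo --sid-to-uid` command rather than libwbclient bindings), treat a failure or the (uint32_t)-1 value as "not mapped", and make the admin supply the uidNumber instead of incrementing one locally. The function names, the injectable `runner` and the rule that rejects a requested ID conflicting with winbindd's mapping are assumptions of this example.

```python
import subprocess

UNMAPPED = 0xFFFFFFFF  # (uint32_t)-1, the "not mapped" value named in the thread


def wbinfo_runner(sid):
    """Ask the local winbindd for the uid of `sid` using the wbinfo CLI."""
    proc = subprocess.run(["wbinfo", "--sid-to-uid", sid],
                          capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout


def sid_to_uid(sid, runner=wbinfo_runner):
    """Return the uid winbindd maps `sid` to, or None when there is no mapping."""
    rc, out = runner(sid)
    if rc != 0:
        return None
    try:
        uid = int(out.strip())
    except ValueError:
        return None
    # Defensive: never hand the sentinel (or anything outside uint32) to LDAP.
    if uid < 0 or uid >= UNMAPPED:
        return None
    return uid


def choose_uid_number(sid, requested=None, runner=wbinfo_runner):
    """Pick the uidNumber for a user without any local allocation logic.

    Returns (uid, source). Raises ValueError when the admin has to decide.
    """
    mapped = sid_to_uid(sid, runner)
    if mapped is None:
        if requested is None:
            # No auto-increment here: winbindd stays the single allocator.
            raise ValueError("no winbindd mapping for %s; "
                             "an explicit uidNumber is required" % sid)
        return requested, "admin"
    if requested is not None and requested != mapped:
        # Assumption of this example: a second, different ID is an error.
        raise ValueError("requested uidNumber %d conflicts with winbindd "
                         "mapping %d for %s" % (requested, mapped, sid))
    return mapped, "winbindd"
```
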



More information about the samba-technical mailing list