[PATCH] Add Unix attributes to a user or group in AD

Rowland Penny repenny241155 at gmail.com
Fri Nov 20 10:09:08 UTC 2015 

On 20/11/15 09:37, Michael Adam wrote:
> On 2015-11-20 at 09:27 +0000, Rowland Penny wrote:
>> On 20/11/15 08:13, Michael Adam wrote:
>>> On 2015-11-16 at 19:14 +0000, Rowland Penny wrote:
>>>> On 16/11/15 14:34, Michael Adam wrote:
>>>>> Rowland,
>>>>>
>>>>> I lost track of the most up-to-date patches.
>>>>> (Scattered over several mail threads, I think.)
>>>>> Could you please re-send the latest, complete
>>>>> patchset for this?
>>>>>
>>>>> Thanks a lot!
>>>>>
>>>>> Michael
>>>>>
>>>>>
>>>> OK, here are the patches as requested by Michael Adam:
>>> Thanks for updating the patches!
>>>
>>> I'd really like someone who is more into our python/samba-tool
>>> code to review. Generally the patches look pretty good to me.
>>> Just two comments right now:
>>>
>>> - I still don't quite understand, why you taken an all-or-nothing
>>>    approach instead of possibly selectively setting unix
>>>    attributes. And allowing for modification / addition of attribs
>>>    on objects that already have a nis attribute. It does not
>>>    seem natural to me.
>> I am only doing what happens when you add rfc2307 attributes with ADUC,
> What is ADUC ?

Oh come on Michael, are you being serious, :-D

ADUC = Active Directory Users and Computers, the windows mmc tool


>
>> this is also the way samba-tool works when you create a user
>> with rfc2307 attributes i.e.
> Yeah, creation is OK.
> But i don't see a reason to separate full adding and modifying.
> I think the most useful tool would be one that can set individual
> attributes.
>
> I'd like to hear more opinions. I just thing that we should not
> restrict ourselves unnecessarily. This is our tool and we can
> define how it works. :-)

I totally agree that Samba needs a tool to do what you are saying, but 
Samba also needs a tool that is compatible with the way windows works, 
or rather (as far as I understand) doesn't work now if you are using 
ADUC on windows 10, there is no Unix Attributes tab on windows 10 ADUC.

>
>> samba-tool user add User5 passw5rd --nis-domain=samdom
>> --unix-home=/home/User5
>> --uid-number=10005 --login-shell=/bin/false --gid-number=10000
>>
>> I entirely agree that samba-tool needs something to add/mod attributes, but
>> this will need to be another patch.
> Not sure. One tool for that would be sufficient imho.

Do not agree, windows has two tools for this, One is the Unix Attribute 
tab that does what these patches do and the other is an attribute 
modification tool.
What Samba also needs is a tool to add/remove/change any attribute, 
however this concept is totally different from making a user or group a 
Unix user or group.

There are other things that need changing first, for instance, when you 
join a new DC to the domain its NS record does not get added to the SOA 
records, I think this is because the code seems to only want to create a 
new SOA and as it already exists, this will fail.

Rowland

>
>>> - In the first patch, this part seems slightly inconsistent:
>>>
>>>> +        if len(res) == 0:
>>>> +            raise Exception('Unable to find object "%s"' %
>>>> +                            search_filter)
>>>> +        assert(len(res) == 1)
>>> Why once an exception and then assert?
>>> I could imagine s/th like:
>>> if len(res) > 1:
>>>    raise Exception('More than one obj found...")
>> Yes the patch could be better, still learning python :-)
> So am I. :-)
>
>> Will come up with a new patch
> Thanks!
>
> Cheers - Michael
>
>
>

More information about the samba-technical mailing list