Question about things on TODO list

Rowland Penny repenny241155 at gmail.com
Sat Oct 17 12:14:13 UTC 2015


On 17/10/15 09:14, Rowland Penny wrote:
> On 17/10/15 04:05, Scott Lovenberg wrote:
>> On Fri, Oct 16, 2015 at 7:18 PM, John Lewis <oflameo2 at gmail.com> wrote:
>>> Has anyone started working on these?
>>>
>>>    * Support RODC
>>>    * RFC 2307 in samba-tool
>>>    * Add cifsfs+rsync interim script for group policy replication
>>>
>>>
>> Hi John,
>>
>> That interim rsync script has been on the list forever.  I think now
>> that we've got the details on the GP replication protocol, we should
>> stay away from a stop gap measure that would be "good enough" and
>> never get replaced.  I looked at it about two years ago or so, but the
>> amount of domain knowledge and protocol knowledge was more than I
>> could hope to learn and implement cleanly in any reasonable amount of
>> time.  I'd probably still be working on it.
>> RODC support has had some work done, but I can't recall who was
>> looking at that or where they're at with it.  I'm reasonably certain
>> there's a git branch around somewhere that has parts of the RODC
>> implemented if it hasn't made it to master yet.
>>
>> No idea on RFC 2307 in the samba-tool, but that's probably a very
>> approachable topic if you're familiar with Python.  The best place to
>> start would be dropping into #samba-technical over on EFNET.  I think
>> the samba-tool stuff is Jelmer's domain, but I seem to recall a few
>> people patching it somewhat recently.
>
> It all depends on what you mean by RFC2307. I submitted patches to 
> make samba-tool work in the same way as ADUC and they were rejected, 
> because they worked just like ADUC.
>
> Rowland
>
>>
>> There's also an item not on that list that has been getting the bump
>> from releases since the dawn of the Unix epoch - one way domain
>> trusts.  That's been on the back burner since around 4.0 if it's
>> something you're interested in.
>>
>> That's all I know off the top of my head and I'm not sure that info is
>> entirely accurate or timely, but a trip over to the IRC channel would
>> verify or refute this info.  Hope that helps!
>>
>

OK, so I dusted off my old patches, removed the parts that nobody seemed 
to like and have attached the result.

The first patch is for samdb.py and obtains an object's DN from its 
samaccountname.

The second patch adds the Unix attributes to a domain group; you must 
supply the NIS domain, what uidNumber to use, the user's 
UnixHomeDirectory and shell. You can optionally add a gidNumber.

The third patch adds the Unix attributes to a domain user; you must 
supply the NIS domain and the gidNumber to use.

Rowland

-------------- next part --------------
From 6eeeb5ee0163390a2c5077f35320ed7e4c3cc03d Mon Sep 17 00:00:00 2001
From: Rowland Penny <repenny241155 at gmail.com>
Date: Sat, 17 Oct 2015 12:45:30 +0100
Subject: [PATCH] Add the ability to obtain a objects DN from its
 sAMAccountName Signed-off-by: Rowland Penny
 <repenny241155 at gmail.com>

---
 python/samba/samdb.py |   16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/python/samba/samdb.py b/python/samba/samdb.py
index 817fbdb..cbbb357 100644
--- a/python/samba/samdb.py
+++ b/python/samba/samdb.py
@@ -921,3 +921,19 @@ accountExpires: %u
         '''get the server DN from the rootDSE'''
         res = self.search(base="", scope=ldb.SCOPE_BASE, attrs=["serverName"])
         return res[0]["serverName"][0]
+
+    def get_object_dn(self, search_filter):
+        """Gets an objects DN
+
+        :param search_filter: LDAP filter to find the object (eg
+            samaccountname=name)
+        """
+        res = self.search(base=self.domain_dn(), 
+                          scope=ldb.SCOPE_SUBTREE,
+                          expression=search_filter,
+                          attrs=["dn", "sAMAccountName"])
+        if len(res) == 0:
+            raise Exception('Unable to find object "%s"' % 
+                            search_filter)
+        assert(len(res) == 1)
+        return res[0].dn
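Review bot: `search_filter` goes into `self.search()` verbatim, and the callers in the other two patches build it as `"(samaccountname=%s)" % groupname`, so an account name containing filter metacharacters such as `*`, `(` or `)` rewrites the query instead of simply not matching; either have this method take the bare account name and build the filter itself with `ldb.binary_encode()`, or require callers to escape before passing the filter in. `assert(len(res) == 1)` is compiled out under `python -O` and otherwise surfaces as a bare `AssertionError` with no account name in it; raise an explicit error for the multiple-match case the way the not-found case does, and prefer `CommandError`-friendly messages over a plain `Exception`. `"dn"` in `attrs` is redundant (the DN is always returned), and `base=self.domain_dn(), ` carries trailing whitespace.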
-- 
1.7.10.4

-------------- next part --------------
From f5a40c109d8eadbb1c90f550b7516432cebc9ed7 Mon Sep 17 00:00:00 2001
From: Rowland Penny <repenny241155 at gmail.com>
Date: Sat, 17 Oct 2015 12:53:53 +0100
Subject: [PATCH 2/2] Add Unix attributes to a Domain group Signed-off-by:
 Rowland Penny <repenny241155 at gmail.com>

---
 python/samba/netcmd/group.py |   95 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 95 insertions(+)

diff --git a/python/samba/netcmd/group.py b/python/samba/netcmd/group.py
index 722bcc4..c0e5666 100644
--- a/python/samba/netcmd/group.py
+++ b/python/samba/netcmd/group.py
@@ -408,6 +408,99 @@ samba-tool group listmembers \"Domain Users\" -H ldap://samba.samdom.example.com
             raise CommandError('Failed to list members of "%s" group ' % groupname, e)
 
 
+class cmd_group_nis_add(Command):
+    """Add NIS attributes to a group.
+
+This command adds NIS info to a group account in the Active Directory domain.  
+The groupname specified on the command is the sAMaccountName.
+
+Unix (RFC2307) attributes will be added to the group account. 
+Configure 'idmap_ldb:use rfc2307 = Yes' in smb.conf to use these GID mapping 
+attributes.
+
+The command may be run from the root userid or another authorized userid.  
+The -H or --URL= option can be used to execute the command against a remote 
+server.
+
+Example:
+samba-tool group nisadd Group1 --nis-domain=samdom --gid-number=12345
+
+The example shows how to add RFC2307/NIS attributes to a domain enabled group 
+account. The groups gidNumber will be set to '12345' 
+
+"""
+    synopsis = "%prog <groupname> [options]"
+
+    takes_optiongroups = {
+        "sambaopts": options.SambaOptions,
+        "credopts": options.CredentialsOptions,
+        "versionopts": options.VersionOptions,
+    }
+
+    takes_options = [
+        Option("-H", "--URL", help="LDB URL for database or target server", 
+               type=str, metavar="URL", dest="H"),
+        Option("--gid-number", help="Group's Unix/RFC2307 GID number", type=int),
+        Option("--nis-domain", help="Group's Unix/RFC2307 NIS domain", 
+               type=str),
+    ]
+
+    takes_args = ["groupname"]
+
+
+    def run(self, groupname, credopts=None, sambaopts=None, versionopts=None, 
+            H=None, nis_domain=None, gid_number=None):
+
+        lp = sambaopts.get_loadparm()
+        creds = credopts.get_credentials(lp)
+
+        samdb = SamDB(url=H, session_info=system_session(),
+                      credentials=creds, lp=lp)
+
+        if (gid_number is None and nis_domain is not None) or \
+           (gid_number is not None and nis_domain is None):
+            raise CommandError('Both --gid-number and --nis-domain'
+                               ' have to be set for a RFC2307-enabled group.'
+                               'Operation cancelled.')
+
+        domain_dn = samdb.domain_dn()
+        search_filter = "(samaccountname=%s)" % groupname
+        group_dn = samdb.get_object_dn(search_filter)
+
+        # what if group already is a NIS group??
+        res = samdb.search(group_dn,
+                           scope=ldb.SCOPE_BASE, 
+                           attrs=["gidNumber"])
+        if "gidNumber" in res[0]:
+            raise CommandError("Group %s already is a NIS group." % groupname) 
+
+        if not lp.get("idmap_ldb:use rfc2307"):
+            self.outf.write("You are setting a Unix/RFC2307 GID. \
+You may want to set 'idmap_ldb:use rfc2307 = Yes' in smb.conf to \
+use this attribute for XID/SID-mapping.\n")
+
+        update_group = """
+dn: %s
+changetype: modify
+add: msSFU30NisDomain
+msSFU30NisDomain: %s
+-
+add: msSFU30Name
+msSFU30Name: %s
+-
+add: gidNumber
+gidNumber: %s
+-
+""" % (group_dn, nis_domain, groupname,  gid_number)
+
+        try:
+            samdb.modify_ldif(update_group)
+        except Exception, e:
+            raise CommandError("Failed to update group '%s': " % groupname, e)
+
+        self.outf.write("Group '%s' updated successfully\n" % groupname)
+
+
 class cmd_group(SuperCommand):
     """Group management."""
 
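Review bot: the option check at the top of `run()` rejects one of `--gid-number`/`--nis-domain` without the other but accepts both being absent, in which case the LDIF is built with the literal string `None` for `msSFU30NisDomain` and `gidNumber`; since the docstring calls both mandatory, test `if gid_number is None or nis_domain is None:` instead. `search_filter = "(samaccountname=%s)" % groupname` passes the user-supplied name unescaped into the LDAP filter; wrap it in `ldb.binary_encode(groupname)`. The two message fragments `' have to be set for a RFC2307-enabled group.'` and `'Operation cancelled.'` concatenate with no space between the sentences. `domain_dn = samdb.domain_dn()` is assigned but never used. Several docstring and code lines (for example `Unix (RFC2307) attributes will be added to the group account. ` and `scope=ldb.SCOPE_BASE, `) end in trailing whitespace, and the example text "The groups gidNumber will be set to '12345' " is missing its full stop.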
@@ -418,3 +511,5 @@ class cmd_group(SuperCommand):
     subcommands["removemembers"] = cmd_group_remove_members()
     subcommands["list"] = cmd_group_list()
     subcommands["listmembers"] = cmd_group_list_members()
+    subcommands["nisadd"] = cmd_group_nis_add()
+
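Review bot: the empty `+` line after `subcommands["nisadd"] = cmd_group_nis_add()` adds a trailing blank line at the end of group.py, which git reports as a blank-at-eof whitespace error; drop it so the file still ends with a single newline.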
-- 
1.7.10.4

-------------- next part --------------
From 44cc1c9051ba8eda06667f7852b55c81285a2480 Mon Sep 17 00:00:00 2001
From: Rowland Penny <repenny241155 at gmail.com>
Date: Sat, 17 Oct 2015 12:59:28 +0100
Subject: [PATCH 3/3] Add Unix attributes to a Domain User Signed-off-by:
 Rowland Penny <repenny241155 at gmail.com>

---
 python/samba/netcmd/user.py |  156 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 156 insertions(+)

diff --git a/python/samba/netcmd/user.py b/python/samba/netcmd/user.py
index 2bc5522..7d39818 100644
--- a/python/samba/netcmd/user.py
+++ b/python/samba/netcmd/user.py
@@ -611,6 +611,161 @@ Example3 shows how an administrator would reset TestUser3 user's password to pas
         self.outf.write("Changed password OK\n")
 
 
+class cmd_user_nis_add(Command):
+    """Add NIS attributes to a user.
+
+This command adds NIS info to a user account in the Active 
+Directory domain.  
+The username specified on the command is the sAMaccountName.
+
+Unix (RFC2307) attributes will be added to the user account. 
+Add 'idmap_ldb:use rfc2307 = Yes' to smb.conf to use these 
+attributes for UID/GID mapping.
+
+The command may be run from the root userid or another authorized userid.  
+The -H or --URL= option can be used to execute the command 
+against a remote server.
+
+Example:
+samba-tool user nisadd User1 --nis-domain=samdom --uid-number=10005 \
+--unix-home=/home/User1 --login-shell=/bin/false [--group-name=unixgroup]
+
+The example shows how to add RFC2307/NIS attributes to a domain 
+enabled user account. 
+The first four parameters are mandatory. 
+
+if the parameter '--group-name' is given, then the groups 'gidNumber' 
+will be obtained and used for the users 'gidNumber' attribute, this 
+does of course mean that the group MUST have a 'gidNumber.
+
+If the last parameter, '--group-name' & is omitted, the users gidNumber 
+will be  set to the gidNumber found in Domain Users. 
+This means that 'Domain Users' MUST  have a gidNumber.
+"""
+    synopsis = "%prog <username> [options]"
+
+    takes_options = [
+        Option("-H", "--URL", help="LDB URL for database or target server", 
+                type=str, metavar="URL", dest="H"),
+        Option("--nis-domain", help="User's Unix/RFC2307 NIS domain",
+                type=str),
+        Option("--unix-home", help="User's Unix/RFC2307 home directory", 
+                type=str),
+        Option("--group-name", help="A Unix/RFC2307 enabled AD group", 
+                type=str), 
+        Option("--login-shell", help="User's Unix/RFC2307 login shell", 
+                type=str),
+        Option("--uid-number", help="User's Unix/RFC2307 numeric UID",
+                type=str),
+        Option("--gid-number", help="User's Unix/RFC2307 numeric GID number",
+                type=str),
+
+    ]
+
+    takes_args = ["username"]
+
+    takes_optiongroups = {
+        "sambaopts": options.SambaOptions,
+        "credopts": options.CredentialsOptions,
+        "versionopts": options.VersionOptions,
+        }
+
+    def run(self, username, credopts=None, sambaopts=None, versionopts=None, 
+            H=None, nis_domain=None, unix_home=None, uid_number=None, 
+            gid_number=None, group_name=None, login_shell=None):
+
+        lp = sambaopts.get_loadparm()
+        creds = credopts.get_credentials(lp)
+
+        samdb = SamDB(url=H, session_info=system_session(), credentials=creds, 
+                      lp=lp)
+
+        if None in (nis_domain, uid_number, login_shell, unix_home):
+            raise CommandError('Missing parameters. To enable NIS features, '
+                               'the following options have to be given: '
+                               '--nis-domain=, --uid-number, --login-shell=,'
+                               ' --unix-home=, Operation cancelled.')
+
+        domain_dn = samdb.domain_dn()
+        search_filter = "(samaccountname=%s)" % username
+        user_dn = samdb.get_object_dn(search_filter)
+ 
+        # what if user already is a NIS user??
+        res = samdb.search(user_dn,
+                          scope=ldb.SCOPE_BASE, 
+                          attrs=["uidNumber"])
+        if "uidNumber" in res[0]:
+            raise CommandError("User %s already is a NIS user." % username) 
+
+        if group_name is not None:
+            # get users primary GID from group_name
+            search_filter = "samaccountname=%s" % group_name
+            group_dn = samdb.get_object_dn(search_filter)
+            try:
+                res = samdb.search(group_dn,
+                                   scope=ldb.SCOPE_SUBTREE, 
+                                   attrs=["gidNumber"])
+                assert len(res) == 1
+                gid_number = res[0]["gidNumber"][0]
+            except:
+                raise CommandError("Group %s does not have a gidNumber" % 
+                                    group_name)
+
+        if group_name is None:
+            # set users primary GID to the one from Domain Users
+            du_dn = "CN=Domain Users,CN=Users," + domain_dn
+            try:
+                res = samdb.search(du_dn,
+                                   scope=ldb.SCOPE_SUBTREE, 
+                                   attrs=["gidNumber"])
+                assert len(res) == 1
+                gid_number = res[0]["gidNumber"][0]
+            except:
+                raise CommandError("Domain Users Group does \
+not have a gidNumber attribute")
+
+        if not lp.get("idmap_ldb:use rfc2307"):
+            self.outf.write("You are setting a Unix/RFC2307 UID or GID. \
+You may want to set 'idmap_ldb:use rfc2307 = Yes' in smb.conf to use those \
+attributes for XID/SID-mapping.\n")
+
+        update_user = """
+dn: %s
+changetype: modify
+add: uid
+uid: %s
+-
+add: msSFU30Name
+msSFU30Name: %s
+-
+add: msSFU30NisDomain
+msSFU30NisDomain: %s
+-
+add: uidNumber
+uidNumber: %s
+-
+add: gidNumber
+gidNumber: %s
+-
+add: loginShell
+loginShell: %s
+-
+add: unixHomeDirectory
+unixHomeDirectory: %s
+-
+add: unixUserPassword
+unixUserPassword: ABCD!efgh12345$67890
+""" % (user_dn, username, username, nis_domain, uid_number, gid_number, 
+       login_shell, unix_home)
+
+        try:
+            samdb.modify_ldif(update_user)
+        except Exception, e:
+            raise CommandError("Failed to update user '%s': " % username, e)
+
+        self.outf.write("User '%s' updated successfully\n" % username)
+
+
 class cmd_user(SuperCommand):
     """User management."""
 
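Review bot: `unixUserPassword: ABCD!efgh12345$67890` writes the same fixed string into every account this command touches; if the attribute is only needed as a placeholder, say so in a comment and use a value that cannot be mistaken for a credential (or omit the attribute, since nothing in the command sets or documents it). `--gid-number` is accepted but never honoured: when `--group-name` is absent the Domain Users lookup overwrites `gid_number` unconditionally, and when it is present the group's value does, so either skip both lookups when the caller supplied a GID or remove the option. The two bare `except:` blocks swallow every failure (including `KeyboardInterrupt` and the real `ldb.LdbError`) behind a "does not have a gidNumber" message; catch `KeyError`/`IndexError` for the missing attribute and let other errors propagate with their own text. Both of those searches use `scope=ldb.SCOPE_SUBTREE` on a single object's DN where `ldb.SCOPE_BASE` is meant (the `assert len(res) == 1` that follows is only guaranteed for a base search, and is compiled out under `-O` anyway). `--uid-number` and `--gid-number` are declared `type=str` while the group command uses `type=int`; use `int` so a non-numeric value is rejected before the modify. As in the group command, `"(samaccountname=%s)" % username` and `"samaccountname=%s" % group_name` need `ldb.binary_encode()`, and the second of those is also missing the surrounding parentheses the first one has. Docstring nits: `'gidNumber.` has an unbalanced quote, `'--group-name' & is omitted` has a stray ampersand, and several lines end in trailing whitespace.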
@@ -624,3 +779,4 @@ class cmd_user(SuperCommand):
     subcommands["setexpiry"] = cmd_user_setexpiry()
     subcommands["password"] = cmd_user_password()
     subcommands["setpassword"] = cmd_user_setpassword()
+    subcommands["nisadd"] = cmd_user_nis_add()
-- 
1.7.10.4


