Usability of 'samba-tool domain provision'

Rowland Penny repenny241155 at gmail.com
Wed Jun 29 15:20:18 UTC 2016 

On 29/06/16 15:06, Simo wrote:
> On Wed, 2016-06-29 at 09:20 +0100, Rowland Penny wrote:
>> On 29/06/16 02:47, Simo wrote:
>>> Mostly nitpicks and syntax, otherweise looks good, see comments
>>> inline
>>> please.
>> OK, see my replies inline
> comment inline as well
>
>>> Simo.
>>>
>>> On Tue, 2016-06-28 at 16:11 -0700, Jeremy Allison wrote:
>>>> On Mon, Jun 06, 2016 at 04:26:52PM +0100, Rowland Penny wrote:
>>>>> On 06/06/16 08:04, Rowland Penny wrote:
>>>>>> On 06/06/16 06:41, Andrew Bartlett wrote:
>>>>>>> On Fri, 2016-06-03 at 13:44 +0100, Rowland Penny wrote:
>>>>>>>>   From d5ce8d2545731f825a18b094eb86992b24dddd75 Mon Sep 17
>>>>>>>> 00:00:00
>>>>>>>> 2001
>>>>>>>> From: Rowland Penny <rpenny at samba.org>
>>>>>>>> Date: Thu, 2 Jun 2016 15:41:51 +0100
>>>>>>>> Subject: [PATCH] samba-tool domain provision, remove
>>>>>>>> unused
>>>>>>>> server roles.
>>>>>>> As per --use-xattrs, can we start by marking this
>>>>>>> deprecated?
>>>>>>>
>>>>>>> That will avoid needing to restructure the tests right now
>>>>>>> (which do
>>>>>>> use this option), and avoid breaking scripts that might
>>>>>>> specify
>>>>>>> the -
>>>>>>> -server-role=dc default.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Andrew Bartlett
>>>>>>>
>>>>>> OK, I will also add something to the main help, along the
>>>>>> lines
>>>>>> of
>>>>>> 'only provisioning a DC actually works'.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> OK, lets try again, please see attached patches.
>>>> Ping. Can someone on the Team with python expertise review
>>>> Rowland's
>>>> patches
>>>> please ?
>>>>
>>>> I'd do it, but I'd really have to learn more python first :-).
>>>>
>>>> Jeremy.
>>>>
>>>>>   From 5ad2103038f8109906764d108af8422c1fef694e Mon Sep 17
>>>>> 00:00:00
>>>>> 2001
>>>>> From: Rowland Penny <rpenny at samba.org>
>>>>> Date: Mon, 6 Jun 2016 15:43:59 +0100
>>>>> Subject: [PATCH 1/5] samba-tool domain provision, mark '
>>>>> --server-
>>>>> role' option
>>>>>    as depreciated and don't ask for server_role if run
>>>>>    interactively.
>>>>>
>>>>> Signed-off-by: Rowland Penny <rpenny at samba.org>
>>>>> ---
>>>>>    python/samba/netcmd/domain.py |    4 ++--
>>>>>    1 file changed, 2 insertions(+), 2 deletions(-)
>>>>>
>>>>> diff --git a/python/samba/netcmd/domain.py
>>>>> b/python/samba/netcmd/domain.py
>>>>> index fd26d93..703441b 100644
>>>>> --- a/python/samba/netcmd/domain.py
>>>>> +++ b/python/samba/netcmd/domain.py
>>>>> @@ -221,7 +221,7 @@ class cmd_domain_provision(Command):
>>>>>                    choices=["fedora-ds", "openldap"]),
>>>>>             Option("--server-role", type="choice",
>>>>> metavar="ROLE",
>>>>>                    choices=["domain controller", "dc", "member
>>>>> server", "member", "standalone"],
>>>>> -                help="The server role (domain controller | dc
>>>>> |
>>>>> member server | member | standalone). Default is dc.",
>>>>> +                help="The server role (domain controller | dc
>>>>> |
>>>>> member server | member | standalone). Default is dc.
>>>>> (depreciated)",
>>> depreciated -> deprecated
>> I must learn how to spell deprecated :-)
>>
>>>
>>>>>                    default="domain controller"),
>>>>>             Option("--function-level", type="choice",
>>>>> metavar="FOR-
>>>>> FUN-LEVEL",
>>>>>                    choices=["2000", "2003", "2008", "2008_R2"],
>>>>> @@ -348,7 +348,7 @@ class cmd_domain_provision(Command):
>>>>>                if domain is None:
>>>>>                    raise CommandError("No domain set!")
>>>>>    
>>>>> -            server_role = ask("Server Role (dc, member,
>>>>> standalone)", "dc")
>>>>> +            server_role = "dc"
>>> Why stop asking ?
>>>
>>> In the comment I'd like the rationale.
>> Because, from my tests and what I was told, you can only provision a
>> DC,
>> anything else will not actually work.
>> I will add to the comment.
> I meant the commit, sorry, hopefully you understood what I meant and
> not what I said :)

Yes, I did add to the commit message.

>
>>>
>>>>>                dns_backend = ask("DNS backend (SAMBA_INTERNAL,
>>>>> BIND9_FLATFILE, BIND9_DLZ, NONE)", "SAMBA_INTERNAL")
>>>>>                if dns_backend in (None, ''):
>>>>> -- 
>>>>> 1.7.10.4
>>>>>
>>>>>
>>>>>   From cb917fa550770cfa2687b909f4d52f68743b4054 Mon Sep 17
>>>>> 00:00:00
>>>>> 2001
>>>>> From: Rowland Penny <rpenny at samba.org>
>>>>> Date: Mon, 6 Jun 2016 16:01:11 +0100
>>>>> Subject: [PATCH 2/5] samba-tool domain provision, make 'domain'
>>>>> help a bit
>>>>>    more friendly, it also checks if the domain name is not
>>>>>    the same as the 'realm' name.
>>>>>
>>>>> Signed-off-by: Rowland Penny <rpenny at samba.org>
>>>>> ---
>>>>>    python/samba/netcmd/domain.py |   13 ++++++++++---
>>>>>    1 file changed, 10 insertions(+), 3 deletions(-)
>>>>>
>>>>> diff --git a/python/samba/netcmd/domain.py
>>>>> b/python/samba/netcmd/domain.py
>>>>> index 703441b..0ca4c7f 100644
>>>>> --- a/python/samba/netcmd/domain.py
>>>>> +++ b/python/samba/netcmd/domain.py
>>>>> @@ -173,7 +173,7 @@ class cmd_domain_provision(Command):
>>>>>        takes_options = [
>>>>>             Option("--interactive", help="Ask for names",
>>>>> action="store_true"),
>>>>>             Option("--domain", type="string", metavar="DOMAIN",
>>>>> -                help="NetBIOS domain name to use"),
>>>>> +                help="The NetBIOS domain name to use (also
>>>>> known
>>>>> as 'workgroup'"),
>>>>>             Option("--domain-guid", type="string",
>>>>> metavar="GUID",
>>>>>                    help="set domainguid (otherwise random)"),
>>>>>             Option("--domain-sid", type="string", metavar="SID",
>>>>> @@ -348,6 +348,10 @@ class cmd_domain_provision(Command):
>>>>>                if domain is None:
>>>>>                    raise CommandError("No domain set!")
>>>>>    
>>>>> +            if realm == domain:
>>>>> +                raise CommandError("The NetBIOS domain name
>>>>> cannot
>>>>> be the same \
>>>>> +as the realm")
>>>>> +
>>>>>                server_role = "dc"
>>>>>    
>>>>>                dns_backend = ask("DNS backend (SAMBA_INTERNAL,
>>>>> BIND9_FLATFILE, BIND9_DLZ, NONE)", "SAMBA_INTERNAL")
>>>>> @@ -375,9 +379,12 @@ class cmd_domain_provision(Command):
>>>>>            else:
>>>>>                realm = sambaopts._lp.get('realm')
>>>>>                if realm is None:
>>>>> -                raise CommandError("No realm set!")
>>>>> +                raise CommandError("You must supply the realm
>>>>> name!")
>>>>>                if domain is None:
>>>>> -                raise CommandError("No domain set!")
>>>>> +                raise CommandError("You must supply the
>>>>> NetBIOS
>>>>> domain name!")
>>>>> +            if realm == domain:
>>>>> +                raise CommandError("The NetBIOS domain name
>>>>> cannot
>>>>> be the same \
>>>>> +as the realm")
>>> Windows defaults the netbios domain name to the domain/realm,
>>> chopping
>>> away anything after the first dot IIRC, maybe we should do the same
>>> ?
>> Does windows allow the setting of a netbios domain name ? What I mean
>> is
>> it always set to the first part of the domain/realm. If it isn't
>> settable, then we should follow windows and I will alter the code.
> Yes the NetBIOS domain Name can be set, but if not set the first part
> of the realm is used.
>
> I should have commented under the "domain is None" line, that check
> could be instead something like:
> if domain is None:
>      domain = realm.split('.')[0]
>

It will not be as easy as that, if we are going to set the netbios 
domain name automatically, we would also have to check that it isn't 
already in use and that isn't going to be easy, what with there being no 
browsing on a Samba AD DC.

Rowland

More information about the samba-technical mailing list