[PATCHES] Add Unix attributes to a user or group

Andrew Bartlett abartlet at samba.org
Thu Sep 22 13:36:53 UTC 2016


On Thu, 2016-09-22 at 13:56 +0100, Rowland Penny wrote:
> Hi, these patches allow RFC2307 attributes to be added to a user
> or group created on ADUC.
> 
> The first patch for samdb.py actually does the addition/modification.
> 
> The second & third patches will add the same attributes that Windows
> adds via the Unix Attributes tab in ADUC (note: this tab does not
> exist on win10).
> 
> The fourth patch allows adding or modifying user attributes, either
> single or multiple attributes; these will be prompted for.

Thanks Rowland.  

I do very much appreciate your efforts to improve samba-tool.

As you have probably come to expect, my first request is to please
write up the matching automated tests.  

We need tests that run the various options (because Python errors are
only discovered when code is run, so we must cover all the codepaths),
and we need tests that confirm that the values are correctly modified
in the database by comparing with the results in the LDB entries.

Regarding 'nisadd', I'm assuming we are specifying the invalid
unixUserPassword out of some caution that someone will foolishly use
this for real NIS, and missing might become an empty password?  Can you
check if this really happens?  I also think we should avoid making more
reference to NIS than we need to; it is old, outdated and no longer
relevant to what we are doing, and it just happens to be where some of the
schema came from.  For that same reason, the --nis-domain option should
be omitted, and if we must fill it in for the Windows GUI, then we
should just use our workgroup name or the value given for the whole domain
if that is stored somewhere (check how provision specifies it).

Given all that, I think we should make this just part of a generic
'user modify' that fills out any required parts for RFC2307 when those
elements are specified, just like 'samba-tool user create'.  (I realise
that --nis-domain is specified there, but I would like that removed in
the long term).

For 'samba-tool user modaddrs' can you explain a little more what this
brings over ldbedit?  I ask as the tool is restricted to LDAP attribute
names, does not show the existing values, and does not throw an error
for invalid attribute names (it seems to just continue).

Perhaps if you want to make it a friendly ldbedit, we should have it
display the object in that tool, just avoiding the search expression
steps?

I realise this is a lot of criticism, and I'm asking for a significant
amount more work, but we do need to take the time to get our user
interfaces correct, as once released, we should avoid changing them.

Thanks,

Andrew Bartlett
  
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



