[PATCH] Re: Discuss: samba-tool configure subcommand

William Brown william at blackhats.net.au
Tue Apr 24 08:19:47 UTC 2018


On Tue, 2018-04-24 at 16:05 +1000, William Brown via samba-technical
wrote:
> Hi,
> 
> I've been setting up and trying to use samba 4 at home as my primary
> authentication source. While doing this, I've noticed a few things in
> samba-tool that could be improved to aid usability of the domain
> controller functions for administrators.
> 
> In my setup I would like to "easily" be able to change domain
> configuration options and forest configuration options. Some obvious
> ones that come to mind are:
> 
> * CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,${DOMAIN}: dsHeuristics: ...
> * ${DOMAIN}: ms-DS-MachineAccountQuota
> 
> I'm sure that as I continue I will find more of course. There is a
> clear distinction between these though. First, the ${DOMAIN} settings
> could be part of:
> 
> samba-tool domain configure <setting>
> OR
> samba-tool domain <setting>
> 
> For example, the passwordsettings are already in the domain subcommand
> so it could be logical to retain these here at the top level of the
> domain command.
> 
> The other part of this is that cn=configuration is replicated in the
> forest, so a new subcommand could be a better location. For example,
> 
> samba-tool forest <setting>
> OR
> samba-tool forest configure <setting>
> 
> Having these in samba-tool is a good start as it means we can build out
> and extend what configurations can be altered from the CLI - avoiding
> messy ldifs and changes.
> 
> Thoughts and suggestions? For now I'll start writing the patch, but
> I'll alter it based on comments later.
> 
> Thanks,
> 
> William
> 

To start some more discussion, here is an initial patch adding support
for domain settings management, and forest configuration management. I
still plan to add test cases, and I'm open to changing some of these
values.

domain currently has a translation mechanism to make settings "pretty",
but I can see a case to remove this.

Forest has a framework to support multiple types of settings display
and setting based on the different objects that may exist. This omits
the translation mech for simplicity. I think I prefer this approach.

An example usage is:

I0> /usr/local/samba/bin/samba-tool forest directory_service show -H ldaps://localhost --simple-bind-dn='administrator@adt.blackhats.net.au'
Password for [administrator@adt.blackhats.net.au]:
Settings for CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=adt,DC=blackhats,DC=net,DC=au
dsheuristics: 0000000

I0> /usr/local/samba/bin/samba-tool forest directory_service dsheuristics 0000002 -H ldaps://localhost --simple-bind-dn='administrator@adt.blackhats.net.au'
Password for [administrator@adt.blackhats.net.au]:

I0> /usr/local/samba/bin/samba-tool forest directory_service show -H ldaps://localhost --simple-bind-dn='administrator@adt.blackhats.net.au'
Password for [administrator@adt.blackhats.net.au]:
Settings for CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=adt,DC=blackhats,DC=net,DC=au
dsheuristics: 0000002

Thanks!

William
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-python-samba-netcmd-domain.py-forest.py-main.py-add-.patch
Type: text/x-patch
Size: 11632 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20180424/16eee340/0001-python-samba-netcmd-domain.py-forest.py-main.py-add--0001.bin>

