[PATCH] Re: Discuss: samba-tool configure subcommand
Alexander Bokovoy
ab at samba.org
Wed Apr 25 05:06:44 UTC 2018
On Tue, 24 Apr 2018, William Brown via samba-technical wrote:
> On Tue, 2018-04-24 at 16:05 +1000, William Brown via samba-technical
> wrote:
> > Hi,
> >
> > I've been setting up and trying to use samba 4 at home as my primary
> > authentication source. While doing this, I've noticed a few things in
> > samba-tool that could be improved to aid usability of the domain
> > controller functions for administrators.
> >
> > In my setup I would like to "easily" be able to change domain
> > configuration options and forest configuration options. Some obvious
> > ones that come to mind are:
> >
> > * CN=Directory Service,CN=Windows
> > NT,CN=Services,CN=Configuration,${DOMAIN}:
> > dsHeuristics: ...
> > * ${DOMAIN}: ms-DS-MachineAccountQuota
> >
> > I'm sure that as I continue I will find more of course. There is a
> > clear distinction between these though. First, the ${DOMAIN} settings
> > could be part of:
> >
> > samba-tool domain configure <setting>
> > OR
> > samba-tool domain <setting>
> >
> > For example, the passwordsettings are already in the domain
> > subcommand
> > so it could be logical to retain these here at the top level of the
> > domain command.
> >
> > The other part of this is that cn=configuration is replicated in the
> > forest, so a new subcommand could be a better location. For example,
> >
> > samba-tool forest <setting>
> > OR
> > samba-tool forest configure <setting>
> >
> > Having these in samba-tool is a good start as it means we can build
> > out
> > and extend what configurations can be altered from the CLI - avoiding
> > messy ldifs and changes.
> >
> > Thoughts and suggestions? For now I'll start writing the patch, but
> > I'll alter it based on comments later.
> >
> > Thanks,
> >
> > William
> >
>
> To start some more discussion here is an initial patch adding support
> for domain settings management, and forest configuration management. I
> still plan to add test cases, and I'm open to changing some of these
> values.
>
> domain currently has a translation mechanism to make settings "pretty",
> but I can see a case to remove this.
>
> Forest has a framework to support multiple types of settings display
> and setting based on the different objects that may exists. This omits
> the translation mech for simplicity. I think I prefer this approach.
The code looks OK, I haven't tested it yet. In general, we want commits
to be smaller as we often backport between releases. Here you have two
independent sets of commands that can be splitted into two commits.
In set commands it would be good to have a confirmation that a value was
indeed set. Right now you get an empty output, would probably be good to
do 'get' after 'set' to avoid running a new command?
>
> An example usage is:
>
> I0> /usr/local/samba/bin/samba-tool forest directory_service show -H
> ldaps://localhost --simple-bind-
> dn='administrator at adt.blackhats.net.au'
> Password for [administrator at adt.blackhats.net.au]:
> Settings for CN=Directory Service,CN=Windows
> NT,CN=Services,CN=Configuration,DC=adt,DC=blackhats,DC=net,DC=au
> dsheuristics: 0000000
>
> I0> /usr/local/samba/bin/samba-tool forest directory_service
> dsheuristics 0000002 -H ldaps://localhost --simple-bind-
> dn='administrator at adt.blackhats.net.au'
> Password for [administrator at adt.blackhats.net.au]:
>
> I0> /usr/local/samba/bin/samba-tool forest directory_service show -H
> ldaps://localhost --simple-bind-dn='administrator at adt.blackhats.net.au'
> Password for [administrator at adt.blackhats.net.au]:
> Settings for CN=Directory Service,CN=Windows
> NT,CN=Services,CN=Configuration,DC=adt,DC=blackhats,DC=net,DC=au
> dsheuristics: 0000002
>
> Thanks!
>
> William
--
/ Alexander Bokovoy
More information about the samba-technical
mailing list