[Samba] SambaPosix tool
Rowland Penny
rowlandpenny at googlemail.com
Wed Nov 5 15:18:01 MST 2014
On 05/11/14 22:07, Lars Hanke wrote:
> On 05.11.2014 at 22:31, Rowland Penny wrote:
>> On 05/11/14 21:17, Lars Hanke wrote:
>>> As announced several weeks ago, I'd share my tool to manage POSIX
>>> attributes in Samba4 AD LDAP.
>>>
>>> You can find it at https://github.com/laotse/SambaPosix.
>>>
>>> It works on my particular system, but it is largely untested and
>>> weakly documented. But it supports a --dry-run mode, which produces
>>> LDIF, if you don't trust the tool. ;)
>>>
>>> I'll welcome contributions: tests, documentation, comments,
>>> extensions, fixes, ...
>>>
>>> Have fun,
>>> - lars.
>> After a quick scan, it would appear that you are adding 'posixAccount'
>> to a user. Please don't do this; ADUC doesn't do this because the
>> 'posix*' objectClasses are auxiliaries of other objectClasses, like
>> 'user'.
>
> In an LDAP with schema these would even be required. I accept that M$
> doesn't do it, so it might call for another option.
>
> In my particular setup, I did not posixify all users and groups. E.g.
> Administrator is no POSIX user. Having the object classes around helps
> to filter out these, so nslcd and friends don't have to bother with
> incomplete RFC fields. This is to say, I see a benefit in having the
> objectClasses. So far I did not encounter problems. Is there any
> trouble known?
>
> Regards,
> - lars.
>
OK, I see where you are coming from, but what if you come up with
something that requires these objectClasses, but somebody then decides
to add a large group of users with ADUC (these will not have the posix
objectClasses)? These users will not show up in whatever it is that you
are using that requires the posix objectClasses. I personally think that
it is better to only rely on objectClasses & attributes that ADUC would
add; that way you can never have problems caused by the posix
objectClasses being there or not.
What you have to remember is, you are now dealing with AD, not LDAP.
Rowland
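
The filter difference discussed in this thread, as an added example that is not part of the original messages or of the SambaPosix tool: a small evaluator for a subset of LDAP filters, run over three constructed entries, showing which accounts an objectClass-based filter and an attribute-presence filter return. The account names, ID numbers and both filter strings are assumptions chosen for illustration.

```python
"""Compare two nslcd-style user filters over constructed AD entries."""

# Constructed sample entries (attribute -> list of values), not real directory data.
ENTRIES = [
    {"sAMAccountName": ["lars"], "objectClass": ["top", "person", "user", "posixAccount"],
     "uidNumber": ["10001"], "gidNumber": ["10000"]},   # tool added the class as well
    {"sAMAccountName": ["anna"], "objectClass": ["top", "person", "user"],
     "uidNumber": ["10002"], "gidNumber": ["10000"]},   # added with ADUC: attributes only
    {"sAMAccountName": ["Administrator"], "objectClass": ["top", "person", "user"]},  # not a POSIX user
]

def parse(f, i=0):
    """Parse a subset of RFC 4515 filters: &, |, !, attr=value, attr=* (presence)."""
    assert f[i] == "("
    i += 1
    if f[i] in "&|!":
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1          # step over the closing ")"
    end = f.index(")", i)
    attr, value = f[i:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter; matching is case-insensitive (a simplification)."""
    if node[0] == "=":
        _, attr, want = node
        vals = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
        return bool(vals) if want == "*" else want in vals
    op, kids = node
    results = [matches(k, entry) for k in kids]
    return {"&": all, "|": any}[op](results) if op != "!" else not results[0]

def search(filter_text):
    tree, _ = parse(filter_text)
    return [e["sAMAccountName"][0] for e in ENTRIES if matches(tree, e)]

CLASS_FILTER = "(objectClass=posixAccount)"          # depends on the auxiliary class
ATTR_FILTER = "(&(objectClass=user)(uidNumber=*))"   # depends only on the attribute

def missed_by_class_filter():
    """Accounts carrying POSIX attributes that the class-based filter does not return."""
    return sorted(set(search(ATTR_FILTER)) - set(search(CLASS_FILTER)))

if __name__ == "__main__":
    print("class filter:", search(CLASS_FILTER))
    print("attr filter: ", search(ATTR_FILTER))
    print("missed:      ", missed_by_class_filter())
```

Both filters leave out the Administrator entry, which has no POSIX attributes; only the class-based filter also leaves out the account that has `uidNumber` but no `posixAccount` class.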