[Samba] samba-tool modifying AD

Andrew Bartlett abartlet at samba.org
Sat Aug 27 03:26:21 UTC 2016


On Fri, 2016-08-26 at 22:06 +0100, Rowland Penny via samba wrote:
> On Sat, 27 Aug 2016 08:33:02 +1200
> Andrew Bartlett <abartlet at samba.org> wrote:
> 
> > 
> > On Mon, 2016-08-22 at 09:21 +0100, Rowland Penny via samba wrote:
> > > 
> > > On Mon, 22 Aug 2016 13:38:06 +1200
> > > Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> > > 
> > > > 
> > > > 
> > > > On Sat, 2016-08-20 at 18:29 -0700, David Bear via samba wrote:
> > > > > 
> > > > > 
> > > > > Is it possible to use the samba-tool to create/update user
> > > > > accounts in a standard windows AD domain ?
> > > > 
> > > > Yes.
> > > > 
> > > > Andrew Bartlett
> > > > 
> > > 
> > > Well, yes, you can create new users with samba-tool, but update
> > > them, that would be a very big NO
> > 
> > Rowland,
> > 
> > What breaks specifically for you?  The tools are expected to manage
> > a Windows server in the same way as a Samba one, for operations
> > performed over LDAP.  If there is a difference in the behaviour, we
> > should be logging a bug and testing for that.
> > 
> > Given your comments presumably you have hit such an issue?
> > 
> > Thanks,
> > 
> > Andrew Bartlett
> > 
> 
> Andrew, you know that whilst you can create a user with samba-tool,
> even adding the RFC2307 attributes whilst creating the user, you
> cannot add the RFC2307 attributes to a user created on ADUC with
> samba-tool, you also cannot change individual attributes with
> samba-tool.

Correct, for general-purpose modifications, see ldbmodify/ldbedit.
However the enable/disable/setpassword/setexpiry should work, with
appropriate permissions.  That is all I meant.

> You also know that I proposed patches to allow samba-tool to add the
> RFC2307 attributes and they came to nothing. 

Correct, we couldn't take your patches to use msSFU30MaxUidNumber
because they were not multi-master safe.  

> I even told you that Windows 10 doesn't have IDMU, so there is no way
> to add RFC2307 attributes from win10, apart from attribute by
> attribute.

I'm a little lost as to where rfc2307 attributes came into this.

I hope this clarifies things,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
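
Added example (not part of the original message and not Samba code): a small simulation of one way a shared counter such as msSFU30MaxUidNumber stops being safe once more than one DC accepts writes. It assumes the allocator reads the counter, assigns that value and writes back counter + 1, and that replication settles a conflict on the counter with a simplified last-writer-wins rule; the DC class and all names and values are hypothetical.

```python
"""Added illustration: a replicated 'next uidNumber' counter under multi-master writes."""
from dataclasses import dataclass, field


@dataclass
class DC:
    """Hypothetical domain controller holding its own replica of the directory."""
    name: str
    max_uid: int = 10000                        # local replica of the shared counter
    stamp: tuple = (0, "")                      # (version, originating DC) of the counter
    users: dict = field(default_factory=dict)   # account name -> uidNumber

    def allocate(self, user: str) -> int:
        """Assumed allocator: read the counter, assign it, write back counter + 1."""
        uid = self.max_uid
        self.users[user] = uid
        self.max_uid = uid + 1
        self.stamp = (self.stamp[0] + 1, self.name)
        return uid


def replicate(a: DC, b: DC) -> None:
    """Converge two replicas: user objects merge, the counter is last-writer-wins."""
    merged = {**a.users, **b.users}
    winner = max(a, b, key=lambda dc: dc.stamp)  # simplified conflict resolution
    for dc in (a, b):
        dc.users = dict(merged)
        dc.max_uid, dc.stamp = winner.max_uid, winner.stamp


def duplicate_uids(dc: DC) -> dict:
    """Return {uidNumber: [accounts]} for every uidNumber held by more than one account."""
    by_uid = {}
    for user, uid in dc.users.items():
        by_uid.setdefault(uid, []).append(user)
    return {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}


def demo() -> dict:
    dc1, dc2 = DC("DC1"), DC("DC2")
    dc1.allocate("alice")   # both allocations land before replication runs
    dc2.allocate("bob")
    replicate(dc1, dc2)
    return duplicate_uids(dc1)


if __name__ == "__main__":
    print(demo())
```

After replication the counter reads 10001 on both replicas, so nothing looks wrong, yet two accounts share one uidNumber and therefore the same POSIX file ownership.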



