[Samba] samba-tool modifying AD

Rowland Penny rpenny at samba.org
Sat Aug 27 07:01:42 UTC 2016


On Sat, 27 Aug 2016 15:26:21 +1200
Andrew Bartlett <abartlet at samba.org> wrote:

> On Fri, 2016-08-26 at 22:06 +0100, Rowland Penny via samba wrote:
> > On Sat, 27 Aug 2016 08:33:02 +1200
> > Andrew Bartlett <abartlet at samba.org> wrote:
> > 
> > > 
> > > On Mon, 2016-08-22 at 09:21 +0100, Rowland Penny via samba wrote:
> > > > 
> > > > On Mon, 22 Aug 2016 13:38:06 +1200
> > > > Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> > > > 
> > > > > 
> > > > > 
> > > > > On Sat, 2016-08-20 at 18:29 -0700, David Bear via samba wrote:
> > > > > > 
> > > > > > 
> > > > > > Is it possible to use the samba-tool to create/update user
> > > > > > accounts in a standard Windows AD domain?
> > > > > 
> > > > > Yes.
> > > > > 
> > > > > Andrew Bartlett
> > > > > 
> > > > 
> > > > Well, yes, you can create new users with samba-tool, but update
> > > > them, that would be a very big NO
> > > 
> > > Rowland,
> > > 
> > > What breaks specifically for you?  The tools are expected to
> > > manage a Windows server in the same way as a Samba one, for
> > > operations performed over LDAP.  If there is a difference in the
> > > behaviour, we should be logging a bug and testing for that.
> > > 
> > > Given your comments presumably you have hit such an issue?
> > > 
> > > Thanks,
> > > 
> > > Andrew Bartlett
> > > 
> > 
> > Andrew, you know that whilst you can create a user with samba-tool,
> > even adding the RFC2307 attributes whilst creating the user, you
> > cannot add the RFC2307 attributes to a user created on ADUC with
> > samba-tool, you also cannot change individual attributes with
> > samba-tool.
> 
> Correct, for general-purpose modifications, see ldbmodify/ldbedit.
>  However the enable/disable/setpassword/setexpiry should work, with
> appropriate permissions.  That is all I meant. 
> 

People don't really want to use the ldb tools, they want to use
something that holds their hands. Whilst you know what you meant, it
didn't come over that way.
  
> > You also know that I proposed patches to allow samba-tool to add the
> > RFC2307 attributes and they came to nothing. 
> 
> Correct, we couldn't take your patches to use msSFU30MaxUidNumber
> because they were not multi-master safe.  
> 

I re-wrote them so that they worked exactly like creating a user, but
without actually creating the user i.e. you could add the same RFC2307
attributes to a user that the ADUC Unix Attributes does.

Whilst I can accept what you say about multi-master safe, surely this
also goes for the way that ADUC does it and how is storing a number in
AD different from storing it elsewhere i.e. scribbled on a piece of
paper?
 
> > I even told you that Windows 10 doesn't have IDMU, so there is no
> > way to add RFC2307 attributes from win10, apart from attribute by
> > attribute.
> 
> I'm a little lost as to where rfc2307 attributes came into this.

What do you think most people want/need to do? They want to add RFC2307
attributes and if they now have only win10 clients, they have no way to
add RFC2307 attributes to a user they create in ADUC. No easy way that
is, they either need to add them attribute by attribute, or resort to a
script they have written themselves and most people don't want to do
anything like this.

> 
> I hope this clarifies things,

No it doesn't

Rowland
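
Added example, not part of the message above or of Samba's code: the multi-master concern raised in the thread is assumed here to mean that two domain controllers can hand out the same next number before replication, leaving two accounts with one uidNumber. The Python below checks an LDIF export (constructed sample; `parse_ldif` and `duplicate_uidnumbers` are hypothetical helper names) for that condition.

```python
import base64
from collections import defaultdict

# Constructed sample (not from the thread): two accounts share uidNumber 10000.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
uidNumber: 10000

dn: CN=bob,CN=Users,DC=example,DC=com
uidNumber: 10001

dn: CN=carol with a long name,OU=Staff,
 DC=example,DC=com
uidNumber:: MTAwMDA=

dn: CN=dave,CN=Users,DC=example,DC=com
"""

def parse_ldif(text):
    """Return one {attribute_lowercased: [values]} dict per LDIF entry."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # RFC 2849 folded line
        else:
            unfolded.append(line)
    entries, current = [], defaultdict(list)
    for line in unfolded + [""]:              # trailing "" flushes last entry
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
        elif not line.startswith("#"):        # skip LDIF comment lines
            attr, _, value = line.partition(":")
            if value.startswith(":"):         # "attr::" marks a base64 value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            current[attr.strip().lower()].append(value.strip())
    return entries

def duplicate_uidnumbers(entries):
    """Map each uidNumber held by more than one entry to the DNs holding it."""
    owners = defaultdict(list)
    for entry in entries:
        for uid in entry.get("uidnumber", []):   # entries without RFC2307 data are skipped
            owners[int(uid)].append(entry["dn"][0])
    return {uid: dns for uid, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    print(duplicate_uidnumbers(parse_ldif(SAMPLE_LDIF)))
```

Accounts that share a uidNumber are the same user to POSIX file permissions, so any hit is worth resolving before the affected accounts are used on Unix hosts.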


