Samba4 patch for manipulating Unix attributes via ADUC

Andrew Bartlett abartlet at samba.org
Thu Jul 12 03:53:37 MDT 2012


On Thu, 2012-07-12 at 11:45 +0200, Gémes Géza wrote:
> 2012-07-12 11:13 keltezéssel, Gémes Géza írta:
> > 2012-07-12 11:08 keltezéssel, Andrew Bartlett írta:
> >> On Thu, 2012-07-12 at 10:26 +0200, Gémes Géza wrote:
> >>> 2012-07-12 10:00 keltezéssel, Andrew Bartlett írta:
> >>>> On Thu, 2012-07-12 at 07:46 +0200, Gémes Géza wrote:
> >>>>> 2012-07-12 03:11 keltezéssel, Andrew Bartlett írta:
> >>>>>> On Wed, 2012-07-11 at 23:55 +0200, Gémes Géza wrote:
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> The attached patch makes it possible to provision in a way
> >>>>>>> (--fake-ypserver=yes) that allows manipulating the Unix attributes
> >>>>>>> of users/groups via ADUC.
> >>>>>>> It does that by provisioning as if it were to be used by the MS NIS
> >>>>>>> server.
> >>>>>>>
> >>>>>>> Please review the attached patch.
> >>>>>> It certainly looks like a good idea, and I really appreciate getting
> >>>>>> patches for important practical administration issues such as this.
> >>>>>>
> >>>>>> I have a few questions/concerns:
> >>>>>>
> >>>>>> How does the max uid/gid thing work, particularly with distributed
> >>>>>> user creation?  (This is why we never tried this before, because we
> >>>>>> were told that no such mechanism existed).
> >>>>>>
> >>>>>> We need to ensure the default for these values is sensible for s3
> >>>>>> upgrades, and is somehow correlated with the default idmap range
> >>>>>> otherwise
> >>>>>>
> >>>>>> I think that this should be tied to setting 'use rfc2307' by default
> >>>>>> in the smb.conf, and we should probably refer to it as NIS or NIS/YP
> >>>>>> rather than YP.  To avoid adding too many different parameters to
> >>>>>> provision, the NIS domain should just be the netbios domain name
> >>>>>> (folks can always change it later if need be).
> >>>>>>
> >>>>>> The other UID allocation scheme we should consider is the
> >>>>>> trustPosixOffset and RID scheme.
> >>>>>>
> >>>>>> Andrew Bartlett
> >>>>>>
> >>>>> Hi,
> >>>>>
> >>>>> The patch does no more than the MS approach: transfers the
> >>>>> responsibility to the administrator. It does not enforce any policy
> >>>>> except a suggestion based on the current MAXUID/MAXGID.
> >>>> So it becomes a default in a GUI somewhere, or?  What is it used for?
> >>> If you try to allocate posix attributes (via ADUC) the default uid
> >>> offered is the value set for MAXUID, the same holds true for gids.
> >> Thanks.
> >>
> >>>>> For the s3 upgrade code I think MAXUID/MAXGID is going to be set to
> >>>>> the max of current uids/gids + 1.
> >>>>>
> >>>>> Do you suggest to change the patch to provision the fake NIS if
> >>>>> use_rfc2307 was set? I didn't want to be that invasive, but if you as
> >>>>> the author of that option says so I'm happy to reduce the number of
> >>>>> options.
> >>>> I think less configuration combinations is a better thing.
> >>> Will modify it accordingly
> >>>>> Currently the nisdomain is nothing but domainname.lower()
> >>>> I noticed, which is why I suggested to push it further down the stack.
> >>> Do you suggest to replace nisdomain occurrences altogether by
> >>> domainname.lower() ?
> >> Just do it as the argument to provision_fake_ypserver()
> >>
> >>>>> trustPosixOffset would certainly reduce the cross-domain uid/gid
> >>>>> allocation problems.
> >>>> As always, this needs someone to implement it :-)
> >>>>
> >>>> (Including the PDC master handling the allocation of offsets)
> >>>>
> >>>> Andrew Bartlett
> >>>>
> >>> Geza Gemes
> >> Some further comments:
> >>
> >> Please try to minimise the ldif, while still getting the right entries.
> >>
> >> A number of attributes don't need to be specified, as we will
> >> automatically add them.  name is one example, but also check things like
> >> showInAdvancedViewOnly and admin*.  In particular, things like name don't
> >> need to be set.  Even cn doesn't need to be set, if it is already in the
> >> DN.
> >>
> >> Use samba-tool ldapcmp to compare directory trees to validate the
> >> output.
> >>
> >> Thanks!
> >>
> >> Andrew Bartlett
> >>
> > Going to implement the suggested changes, will send the revised patch
> > shortly.
> >
> > Cheers
> >
> > Geza Gemes
> >
> Hi,
> 
> Please review the revised patch.

This is looking good.  As msSFU30MaxUidNumber/msSFU30MaxGidNumber is not
a MUST attribute in the schema, could we consider making the default
None (and then not specify them into the db by default)?

This new default is the main aspect of the patch I am not comfortable
with at the moment.  What does the AD GUI do if these are not set?

Skipping these would also allow us time to better express the command
line option help, as it needs to indicate clearly that Samba will never
actually allocate based on these parameters.

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
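As an added example (not code from this thread or from Samba itself), here is a check for the point raised above: Samba never allocates from msSFU30MaxUidNumber/msSFU30MaxGidNumber and ADUC only offers them as the default for the next uid/gid, so the stored hints can silently fall behind the uidNumber/gidNumber values already in the directory. The script computes the "max of current uids/gids + 1" value discussed earlier from a constructed LDIF export, compares it with the stored hints, and flags any uidNumber shared by more than one entry; the DNs, the numbers and the minimal LDIF reader are assumptions.

```python
from collections import defaultdict

# Constructed LDIF export; DNs and numbers are hypothetical, not from the thread.
SAMPLE_LDIF = """\
dn: CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=com
msSFU30MaxUidNumber: 10002
msSFU30MaxGidNumber: 10001

dn: CN=bob,CN=Users,DC=example,DC=com
uidNumber: 10002
gidNumber: 10000

dn: CN=carol,CN=Users,DC=example,DC=com
uidNumber: 10002
gidNumber: 10000
"""

def parse_ldif(text):
    """Minimal reader for plain 'attr: value' LDIF (no base64, no folding)."""
    entries, current = [], defaultdict(list)
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():                # blank line ends an entry
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()].append(value.strip())
    return entries

def check_sfu_counters(ldif_text):
    """Compare the stored hints with 'max existing + 1'; ADUC offers the stored
    value as the next uid/gid, so it must not point at a number already taken."""
    entries = parse_ldif(ldif_text)
    hints = next(e for e in entries if "msSFU30MaxUidNumber" in e)
    stored_uid, stored_gid = (int(hints[k][0]) for k in
                              ("msSFU30MaxUidNumber", "msSFU30MaxGidNumber"))
    by_uid, gids = defaultdict(list), set()
    for e in entries:
        for u in e.get("uidNumber", []):
            by_uid[int(u)].append(e["dn"][0])   # remember who holds each uid
        gids.update(int(g) for g in e.get("gidNumber", []))
    suggested_uid = max(by_uid, default=-1) + 1
    suggested_gid = max(gids, default=-1) + 1
    return {
        "suggested_uid": suggested_uid,
        "suggested_gid": suggested_gid,
        "uid_counter_ok": stored_uid >= suggested_uid,
        "gid_counter_ok": stored_gid >= suggested_gid,
        "duplicate_uids": {u: d for u, d in by_uid.items() if len(d) > 1},
    }
```

With the constructed data the uid hint (10002) is already in use by two entries, so the check reports it as stale and lists both DNs, while the gid hint is one past the highest gidNumber and passes.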
