samba-tool posix user/group improvements
Rowland Penny
repenny241155 at gmail.com
Thu Oct 10 02:04:22 MDT 2013
On 10/10/13 07:01, Alexander Bokovoy wrote:
> Hi Rowland,
>
>
> On Wed, Oct 9, 2013 at 11:23 PM, Rowland Penny
> <repenny241155 at gmail.com <mailto:repenny241155 at gmail.com>> wrote:
>
> On 09/10/13 20:29, Andrew Bartlett wrote:
>
> On Wed, 2013-10-09 at 11:35 +0100, Rowland Penny wrote:
>
> HI, I will say this once again, anything Samba does to the
> AD database
> should match what Windows does.
>
> Windows does NOT add either the 'posixAccount' or 'posixGroup'
> attributes so Stephanes patch should not add this line:
>
> + ldbmessage2["objectClass"] =
> ldb.MessageElement('posixGroup', ldb.FLAG_MOD_ADD,
> 'objectClass')
>
> it should be removing this line:
>
> ldbmessage2["objectClass"] =
> ldb.MessageElement('posixAccount', ldb.FLAG_MOD_ADD,
> 'objectClass')
>
> This is a distinct issue from the rest of the patch, because
> this patch
> follows the pattern already established. Adding these values
> improves
> compatibility with LDAP clients, because many do (correctly)
> filter on
> this objectclass.
>
> Just because it an established way of doing things, does not make
> it right. As for ldap clients filtering on the posix
> objectclasses, would they do this against a windows server and
> more to the point would it work ?
>
> The reason this is set on posixAccount is that, as I read the
> schema,
> otherwise you simply can't set for example gecos or loginShell
> on the
> account. Have you tested your proposed modification and shown
> that
> everything sill works?
>
> Dont know about the gecos attribute, but here is a user created
> through ADUC, using msSFU30MaxUidNumber:
>
> # Test User, Users, example.com <http://example.com>
> dn: CN=Test User,CN=Users,DC=example,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: Test User
> sn: User
> givenName: Test
> instanceType: 4
> whenCreated: 20131003143825.0Z
> displayName: Test User
> uSNCreated: 3899
> name: Test User
> objectGUID:: hWsXjePINUupa6KtGBtMsQ==
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAA5aGURJHhLId0AF+HVwQAAA==
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: testuser1
> sAMAccountType: 805306368
> userPrincipalName: testuser1 at example.com
> <mailto:testuser1 at example.com>
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
> pwdLastSet: 130252847060000000
> userAccountControl: 512
> msSFU30NisDomain: example
> uidNumber: 10002
> loginShell: /bin/sh
> unixexampleDirectory: /example/testuser1
> gidNumber: 100
> msSFU30Name: testuser1
> unixUserPassword: ABCD!efgh12345$67890
> uid: testuser1
> whenChanged: 20131003143924.0Z
> uSNChanged: 3904
> distinguishedName: CN=Test User,CN=Users,DC=example,DC=com
>
> Oh look, the loginShell attribute is there, but there is
> definitely no posixAccount objectClass
>
>
>
> Samba certainly shouldn't require the posixAccount or posixGroup
> attributes to get uid and gid values, and we fixed that up in the
> idmap_ldb:use rfc2307 code a while back, but adding these seems
> beneficial for a number of use cases.
>
> The posix objectClasses do not need to be added at all, try
> looking at the 'user' objectClass, it has an auxiliaryClass!
>
> Since user object class has posixAccount already included, your user
> definition is allowed to contain attributes from posixAccount object
> class. Without it adding an attribute from posixAccount class that is
> not present in any other class would cause an error on LDAP/LDB side.
>
> So your schema already includes implicitly posixAccount, thus no need
> to include it explicitly. But posixAccount is still there and in use.
>
> --
> / Alexander Bokovoy
Which is what I have been saying, windows will not add the objectClasses
posixAccount & posixGroup to anything because it already has added them
in the background, so no unix tools should either. Just think about it,
if a user is created in ADUC and given the unix attributes, the
posixAccount objectClass would not be added, but at present a samba-tool
created user has the objectClass added. If a unix tool now did a search
that relied on the posixAccount objectClass, only the user created by
samba-tool would be found, even if there were hundreds of ADUC created
users.
Rowland
More information about the samba-technical
mailing list