On 09/04/15 at 18:31, Rowland Penny wrote:
> If your tools rely on the posix objectclasses being there, then they are
> broken. The posix objectclasses are auxiliaries of other AD
> objectclasses and as such, no windows tools will add them.

but, e.g., samba-tool with --uid will:

luca@ubutest:~$ sudo samba-tool user add tararo tarari --use-username-as-cn --given-name=Tararo --surname=QueTeVi --mail-address=tararo@wetron.es --uid=tararo --gid-number=513
User 'tararo' created successfully
luca@ubutest:~$ ldapsearch -H ldap://localhost -x -D 'CN=luca,CN=Users,DC=samba,DC=wetron,DC=es' -W -b 'dc=samba,dc=wetron,dc=es' '(cn=tararo)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=samba,dc=wetron,dc=es> with scope subtree
# filter: (cn=tararo)
# requesting: ALL
#

# tararo, Users, samba.wetron.es
dn: CN=tararo,CN=Users,DC=samba,DC=wetron,DC=es
cn: tararo
sn: QueTeVi
givenName: Tararo
instanceType: 4
whenCreated: 20150410075219.0Z
whenChanged: 20150410075219.0Z
displayName: Tararo QueTeVi
uSNCreated: 9330
name: tararo
objectGUID:: Fbd97R84oEqCI6vpoOXk2g==
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAHRf8UdaAOYEc27XqKxAAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: tararo
sAMAccountType: 805306368
userPrincipalName: tararo@samba.wetron.es
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samba,DC=wetron,DC=es
mail: tararo@wetron.es
uid: tararo
gidNumber: 513
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
pwdLastSet: 130731259390000000
userAccountControl: 512
uSNChanged: 9334
distinguishedName: CN=tararo,CN=Users,DC=samba,DC=wetron,DC=es

# search reference
ref: ldap://samba.wetron.es/CN=Configuration,DC=samba,DC=wetron,DC=es

# search reference
ref: ldap://samba.wetron.es/DC=DomainDnsZones,DC=samba,DC=wetron,DC=es

# search reference
ref: ldap://samba.wetron.es/DC=ForestDnsZones,DC=samba,DC=wetron,DC=es

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

Bye
-- 
Luca Olivetti
Wetron Automation Technology
http://www.wetron.es
Tel. +34 935883004
Fax +34 935883007
On 10/04/15 08:54, Luca Olivetti wrote:
> On 09/04/15 at 18:31, Rowland Penny wrote:
>
>> If your tools rely on the posix objectclasses being there, then they are
>> broken. The posix objectclasses are auxiliaries of other AD
>> objectclasses and as such, no windows tools will add them.
> but, e.g., samba-tool with --uid will:

Yes, I know, but it shouldn't!

I believe it is this line in samdb.py that adds it:

ldbmessage2["objectClass"] = ldb.MessageElement('posixAccount', ldb.FLAG_MOD_ADD, 'objectClass')

If I knew how to format a patch, I would propose its removal, because
A) I think it shouldn't be there
B) I know it works without it

Also, the classicupgrade shouldn't add the posix objectclasses either.

Why shouldn't you add the posix objectclasses? Well, consider this: you have a domain with two admins, one who adds users from Unix using tools that add the posix objectclasses and one that uses ADUC and the UNIX Attributes tab. The Unix based admin uses tools that rely on the posix objectclasses and can see all the users they added, but they will not see any users that the ADUC based admin added.

Or to put it another way, Samba 4 working in AD mode is trying to be compatible with windows AD, so Samba shouldn't add anything that windows doesn't.

Rowland
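Rowland's two-admin scenario, worked through as an added example in Python (this is not code from the thread or from the Samba project). A few constructed LDIF records stand in for the directory and two predicates stand in for the LDAP filters a Unix-side tool might use; the DNs, account names and ID numbers are made up. It assumes, as the thread states, that samba-tool's --uid path adds the auxiliary posixAccount class while ADUC's UNIX Attributes tab sets uidNumber/gidNumber/unixHomeDirectory/loginShell without adding any objectClass.

```python
"""Added example, not Samba code: which users each kind of filter finds."""
import base64

# Constructed sample directory contents (not real ldapsearch output):
#  tararo    - samba-tool --uid/--uid-number/--gid-number: posixAccount + uidNumber
#  nouid     - samba-tool --uid only (the thread's case): posixAccount, no uidNumber
#  aduc-user - ADUC UNIX Attributes tab: RFC2307 attributes, no posixAccount (assumed)
#  plain     - ordinary AD user with no Unix attributes at all
SAMPLE_LDIF = """\
dn: CN=tararo,CN=Users,DC=example,DC=test
sAMAccountName: tararo
objectClass: posixAccount
objectClass: person
objectClass: user
uid: tararo
uidNumber: 10000
gidNumber: 513
description:: Y29uc3RydWN0ZWQ=

dn: CN=nouid,CN=Users,DC=example,DC=test
sAMAccountName: nouid
objectClass: posixAccount
objectClass: person
objectClass: user
uid: nouid
gidNumber: 513

dn: CN=aduc-user,CN=Users,DC=example,DC=test
sAMAccountName: aduc-user
objectClass: person
objectClass: user
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/aduc-user
loginShell: /bin/
 bash

dn: CN=plain,CN=Users,DC=example,DC=test
sAMAccountName: plain
objectClass: person
objectClass: user
"""

# The two LDAP filters that the predicates below stand in for.
FILTER_BY_CLASS = "(objectClass=posixAccount)"
FILTER_BY_ATTR = "(&(objectClass=user)(uidNumber=*))"


def parse_ldif(text):
    """Minimal reader for LDIF search output.

    Returns a list of entries, each a dict mapping the lower-cased attribute
    name to a list of string values. Handles '::' base64 values and folded
    continuation lines (leading space); 'changetype' records are not handled.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold a continued line
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:             # trailing sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def has_objectclass(entry, oc):
    return oc.lower() in (v.lower() for v in entry.get("objectclass", []))


def is_posix_by_objectclass(entry):
    """Brittle selection: depends on the auxiliary class having been added."""
    return has_objectclass(entry, "posixAccount")


def is_posix_by_attributes(entry):
    """Selection on the RFC2307 attribute an NSS lookup actually needs."""
    return has_objectclass(entry, "user") and "uidnumber" in entry


def unix_users(entries, predicate):
    """Sorted sAMAccountNames of the entries the predicate selects."""
    return sorted(e["samaccountname"][0] for e in entries if predicate(e))


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print(FILTER_BY_CLASS, "->", unix_users(entries, is_posix_by_objectclass))
    print(FILTER_BY_ATTR, "->", unix_users(entries, is_posix_by_attributes))
```

The objectClass-based selection finds nouid and tararo and misses aduc-user; the attribute-based one finds aduc-user and tararo and skips nouid. So the class is neither necessary nor sufficient: nouid carries posixAccount but has no uidNumber and cannot be mapped to a Unix account anyway. Against a live DC the same comparison is two ldapsearch runs with the two filter strings above.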
Greetings, Rowland Penny!

> On 10/04/15 08:54, Luca Olivetti wrote:
>> On 09/04/15 at 18:31, Rowland Penny wrote:
>>
>>> If your tools rely on the posix objectclasses being there, then they are
>>> broken. The posix objectclasses are auxiliaries of other AD
>>> objectclasses and as such, no windows tools will add them.
>> but, e.g., samba-tool with --uid will:

> Yes, I know, but it shouldn't!

Ok, what other schema contains the following attributes:
uidNumber
unixHomeDirectory
loginShell
gidNumber
?

> I believe it is this line in samdb.py that adds it:

> ldbmessage2["objectClass"] = ldb.MessageElement('posixAccount',
> ldb.FLAG_MOD_ADD, 'objectClass')

> If I knew how to format a patch, I would propose its removal, because
> A) I think it shouldn't be there
> B) I know it works without it

> Also, the classicupgrade shouldn't add the posix objectclasses either.

> Why shouldn't you add the posix objectclasses ? Well consider this, you
> have a domain with two admins, one who adds users from Unix using tools
> that add the posix objectclasses and one that uses ADUC and the UNIX
> Attributes tab. The Unix based admin uses tools that rely on the posix
> objectclasses and can see all the users they added, but they will not
> see any users that the ADUC based admin added.

> Or to put it another way, Samba 4 working in AD mode is trying to be
> compatible with windows AD, so Samba shouldn't add anything that windows
> doesn't.

You're making no sense whatsoever.
How would your proposed Samba communicate with the POSIX system it is running on then?

-- 
With best regards,
Andrey Repin
Friday, April 10, 2015 15:51:04

Sorry for my terrible English...