Greetings, Rowland Penny!

> On 10/04/15 08:54, Luca Olivetti wrote:
>> On 09/04/15 at 18:31, Rowland Penny wrote:
>>
>>> If your tools rely on the posix objectclasses being there, then they are
>>> broken. The posix objectclasses are auxiliaries of other AD
>>> objectclasses and as such, no windows tools will add them.
>> but, e.g., samba-tool with --uid will:

> Yes, I know, but it shouldn't!

Ok, what other schema contains the following attributes:
uidNumber
unixHomeDirectory
loginShell
gidNumber
?

> I believe it is this line in samdb.py that adds it:

> ldbmessage2["objectClass"] = ldb.MessageElement('posixAccount',
> ldb.FLAG_MOD_ADD, 'objectClass')

> If I knew how to format a patch, I would propose its removal, because
> A) I think it shouldn't be there
> B) I know it works without it

> Also, the classicupgrade shouldn't add the posix objectclasses either.

> Why shouldn't you add the posix objectclasses ? Well consider this, you
> have a domain with two admins, one who adds users from Unix using tools
> that add the posix objectclasses and one that uses ADUC and the UNIX
> Attributes tab. The Unix based admin uses tools that rely on the posix
> objectclasses and can see all the users they added, but they will not
> see any users that the ADUC based admin added.

> Or to put it another way, Samba 4 working in AD mode is trying to be
> compatible with windows AD, so Samba shouldn't add anything that windows
> doesn't.

You're making no sense whatsoever. How would your proposed Samba communicate
with POSIX system it is running on then?

--
With best regards,
Andrey Repin
Friday, April 10, 2015 15:51:04

Sorry for my terrible english...

On 10/04/15 14:22, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
>> On 10/04/15 08:54, Luca Olivetti wrote:
>>> On 09/04/15 at 18:31, Rowland Penny wrote:
>>>
>>>> If your tools rely on the posix objectclasses being there, then they are
>>>> broken. The posix objectclasses are auxiliaries of other AD
>>>> objectclasses and as such, no windows tools will add them.
>>> but, e.g., samba-tool with --uid will:
>> Yes, I know, but it shouldn't!
> Ok, what other schema contains the following attributes:
> uidNumber
> unixHomeDirectory
> loginShell
> gidNumber
> ?
>
>> I believe it is this line in samdb.py that adds it:
>> ldbmessage2["objectClass"] = ldb.MessageElement('posixAccount',
>> ldb.FLAG_MOD_ADD, 'objectClass')
>> If I knew how to format a patch, I would propose its removal, because
>> A) I think it shouldn't be there
>> B) I know it works without it
>> Also, the classicupgrade shouldn't add the posix objectclasses either.
>> Why shouldn't you add the posix objectclasses ? Well consider this, you
>> have a domain with two admins, one who adds users from Unix using tools
>> that add the posix objectclasses and one that uses ADUC and the UNIX
>> Attributes tab. The Unix based admin uses tools that rely on the posix
>> objectclasses and can see all the users they added, but they will not
>> see any users that the ADUC based admin added.
>> Or to put it another way, Samba 4 working in AD mode is trying to be
>> compatible with windows AD, so Samba shouldn't add anything that windows
>> doesn't.
> You're making no sense whatsoever. How would your proposed Samba communicate
> with POSIX system it is running on then?
>
>

Because you do not understand the term 'auxiliary'.

This means that you get all the rfc2307 attributes without needing to
add the actual posix objectclasses.

Don't believe me???

Use the Samba tool 'ldbedit', open sam.ldb, choose a user at random that
doesn't have a 'uidNumber' attribute, add 'uidNumber: 20000'. Do not
add anything else.
Close and save ldbedit.

Reopen ldbedit, go to the user you added the 'uidNumber' to, oh look it
is still there, check the objectclasses, oh look, there isn't a posix
objectclass!!

Rowland

Greetings, Rowland Penny!

>>>>> If your tools rely on the posix objectclasses being there, then they are
>>>>> broken. The posix objectclasses are auxiliaries of other AD
>>>>> objectclasses and as such, no windows tools will add them.
>>>> but, e.g., samba-tool with --uid will:
>>> Yes, I know, but it shouldn't!
>> Ok, what other schema contains the following attributes:
>> uidNumber
>> unixHomeDirectory
>> loginShell
>> gidNumber
>> ?
>>
>>> I believe it is this line in samdb.py that adds it:
>>> ldbmessage2["objectClass"] = ldb.MessageElement('posixAccount',
>>> ldb.FLAG_MOD_ADD, 'objectClass')
>>> If I knew how to format a patch, I would propose its removal, because
>>> A) I think it shouldn't be there
>>> B) I know it works without it
>>> Also, the classicupgrade shouldn't add the posix objectclasses either.
>>> Why shouldn't you add the posix objectclasses ? Well consider this, you
>>> have a domain with two admins, one who adds users from Unix using tools
>>> that add the posix objectclasses and one that uses ADUC and the UNIX
>>> Attributes tab. The Unix based admin uses tools that rely on the posix
>>> objectclasses and can see all the users they added, but they will not
>>> see any users that the ADUC based admin added.
>>> Or to put it another way, Samba 4 working in AD mode is trying to be
>>> compatible with windows AD, so Samba shouldn't add anything that windows
>>> doesn't.
>> You're making no sense whatsoever. How would your proposed Samba communicate
>> with POSIX system it is running on then?
>>
>>> Because you do not understand the term 'auxiliary'.

> This means that you get all the rfc2307 attributes without needing to
> add the actual posix objectclasses.

> Don't believe me???

> use the Samba tool 'ldbedit' open sam.ldb, choose a user at random that
> doesn't have a 'uidNumber' attribute, add 'uidNumber: 20000' . Do not
> add anything else
> Close and save ldbedit

> Reopen ldbedit, go to the user you added the 'uidNumber' to, oh look it
> is still there, check the objectclasses, oh look, there isn't a posix
> objectclass!!

You don't understand or you don't want to understand?
Do you know what "schema" means?
It is a contract and validator for data objects.
You pull up an object, read its objectClass list, read its properties list, and go
over them comparing.
"Ahha, there we have a "uid" attribute. Where is it defined? Ahha, it was
posixAccount! Do we have objectClass=posixAccount? Aye, it's there. This
object is valid."
If an object doesn't fit the contract, it is either violating or missing one. Most
likely violating.

Do you seriously suggest that I create records that violate the contract? And will
likely get dropped by any migration software in the future?

--
With best regards,
Andrey Repin
Saturday, April 11, 2015 01:50:22

Sorry for my terrible english...
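
Added example, not written by any poster in this thread and not Samba code: a toy model of the two validation views argued above (per-entry objectClass check versus auxiliary classes linked in the schema) and of the lookup gap Rowland describes. The schema table, the entries and all function names are constructed for illustration; the static link from `user` to `posixAccount` is assumed as Rowland states it.

```python
# Constructed, heavily simplified schema table (not a real AD schema dump).
ATTRS_BY_CLASS = {
    "top": {"cn", "objectClass"},
    "user": {"sAMAccountName"},
    "posixAccount": {"uidNumber", "gidNumber", "unixHomeDirectory", "loginShell"},
}
# Assumption taken from the thread: posixAccount is an auxiliary class that the
# schema itself attaches to the structural class, not something set per entry.
STATIC_AUX = {"user": {"posixAccount"}}

# Constructed sample entries.
ENTRIES = [
    # created by a tool that also adds objectClass: posixAccount
    {"cn": "alice", "objectClass": ["top", "user", "posixAccount"],
     "sAMAccountName": "alice", "uidNumber": "20000"},
    # created the way the ldbedit experiment describes: attribute only
    {"cn": "bob", "objectClass": ["top", "user"],
     "sAMAccountName": "bob", "uidNumber": "20001"},
    # no Unix attributes at all
    {"cn": "carol", "objectClass": ["top", "user"], "sAMAccountName": "carol"},
]

def allowed_attrs(object_classes, follow_static_aux):
    """Attributes an entry may carry, given its objectClass values."""
    classes = set(object_classes)
    if follow_static_aux:
        for oc in object_classes:
            classes |= STATIC_AUX.get(oc, set())
    allowed = set()
    for oc in classes:
        allowed |= ATTRS_BY_CLASS.get(oc, set())
    return allowed

def violations(entry, follow_static_aux):
    """Attributes present on the entry that no applicable class defines."""
    allowed = allowed_attrs(entry["objectClass"], follow_static_aux)
    return sorted(attr for attr in entry if attr not in allowed)

def find_unix_users(entries, require_posix_class):
    """Names a Unix-side tool lists, with or without an objectClass test."""
    found = []
    for e in entries:
        if "uidNumber" not in e:
            continue
        if require_posix_class and "posixAccount" not in e["objectClass"]:
            continue
        found.append(e["cn"])
    return found

if __name__ == "__main__":
    for e in ENTRIES:
        print(e["cn"], violations(e, False), violations(e, True))
    print(find_unix_users(ENTRIES, True), find_unix_users(ENTRIES, False))
```

A tool that filters on the posixAccount objectClass misses accounts that carry only the attributes, which matters for any access review or account inventory run from the Unix side.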