On Sat, 27 Aug 2016 08:33:02 +1200 Andrew Bartlett <abartlet at samba.org> wrote:

> On Mon, 2016-08-22 at 09:21 +0100, Rowland Penny via samba wrote:
> > On Mon, 22 Aug 2016 13:38:06 +1200
> > Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> >
> > > On Sat, 2016-08-20 at 18:29 -0700, David Bear via samba wrote:
> > > > Is it possible to use the samba-tool to create/update user
> > > > accounts in a standard windows AD domain?
> > >
> > > Yes.
> > >
> > > Andrew Bartlett
> >
> > Well, yes, you can create new users with samba-tool, but update
> > them, that would be a very big NO
>
> Rowland,
>
> What breaks specifically for you? The tools are expected to manage a
> Windows server in the same way as a Samba one, for operations
> performed over LDAP. If there is a difference in the behaviour, we
> should be logging a bug and testing for that.
>
> Given your comments presumably you have hit such an issue?
>
> Thanks,
>
> Andrew Bartlett

Andrew, you know that whilst you can create a user with samba-tool,
even adding the RFC2307 attributes whilst creating the user, you cannot
add the RFC2307 attributes to a user created on ADUC with samba-tool,
you also cannot change individual attributes with samba-tool.

You also know that I proposed patches to allow samba-tool to add the
RFC2307 attributes and they came to nothing.

I even told you that Windows 10 doesn't have IDMU, so there is no way
to add RFC2307 attributes from win10, apart from attribute by
attribute.

What do you suggest now?

Rowland

On Fri, 2016-08-26 at 22:06 +0100, Rowland Penny via samba wrote:

> On Sat, 27 Aug 2016 08:33:02 +1200
> Andrew Bartlett <abartlet at samba.org> wrote:
>
> > On Mon, 2016-08-22 at 09:21 +0100, Rowland Penny via samba wrote:
> > > On Mon, 22 Aug 2016 13:38:06 +1200
> > > Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> > >
> > > > On Sat, 2016-08-20 at 18:29 -0700, David Bear via samba wrote:
> > > > > Is it possible to use the samba-tool to create/update user
> > > > > accounts in a standard windows AD domain?
> > > >
> > > > Yes.
> > > >
> > > > Andrew Bartlett
> > >
> > > Well, yes, you can create new users with samba-tool, but update
> > > them, that would be a very big NO
> >
> > Rowland,
> >
> > What breaks specifically for you? The tools are expected to manage
> > a Windows server in the same way as a Samba one, for operations
> > performed over LDAP. If there is a difference in the behaviour, we
> > should be logging a bug and testing for that.
> >
> > Given your comments presumably you have hit such an issue?
> >
> > Thanks,
> >
> > Andrew Bartlett
>
> Andrew, you know that whilst you can create a user with samba-tool,
> even adding the RFC2307 attributes whilst creating the user, you
> cannot add the RFC2307 attributes to a user created on ADUC with
> samba-tool, you also cannot change individual attributes with
> samba-tool.

Correct, for general-purpose modifications, see ldbmodify/ldbedit.
However the enable/disable/setpassword/setexpiry should work, with
appropriate permissions. That is all I meant.

> You also know that I proposed patches to allow samba-tool to add the
> RFC2307 attributes and they came to nothing.

Correct, we couldn't take your patches to use msSFU30MaxUidNumber
because they were not multi-master safe.

> I even told you that Windows 10 doesn't have IDMU, so there is no way
> to add RFC2307 attributes from win10, apart from attribute by
> attribute.

I'm a little lost as to where rfc2307 attributes came into this.

I hope this clarifies things,

Andrew Bartlett

--
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT           http://catalyst.net.nz/services/samba

On Sat, 27 Aug 2016 15:26:21 +1200 Andrew Bartlett <abartlet at samba.org> wrote:

> On Fri, 2016-08-26 at 22:06 +0100, Rowland Penny via samba wrote:
> > On Sat, 27 Aug 2016 08:33:02 +1200
> > Andrew Bartlett <abartlet at samba.org> wrote:
> >
> > > On Mon, 2016-08-22 at 09:21 +0100, Rowland Penny via samba wrote:
> > > > On Mon, 22 Aug 2016 13:38:06 +1200
> > > > Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> > > >
> > > > > On Sat, 2016-08-20 at 18:29 -0700, David Bear via samba wrote:
> > > > > > Is it possible to use the samba-tool to create/update user
> > > > > > accounts in a standard windows AD domain?
> > > > >
> > > > > Yes.
> > > > >
> > > > > Andrew Bartlett
> > > >
> > > > Well, yes, you can create new users with samba-tool, but update
> > > > them, that would be a very big NO
> > >
> > > Rowland,
> > >
> > > What breaks specifically for you? The tools are expected to
> > > manage a Windows server in the same way as a Samba one, for
> > > operations performed over LDAP. If there is a difference in the
> > > behaviour, we should be logging a bug and testing for that.
> > >
> > > Given your comments presumably you have hit such an issue?
> > >
> > > Thanks,
> > >
> > > Andrew Bartlett
> >
> > Andrew, you know that whilst you can create a user with samba-tool,
> > even adding the RFC2307 attributes whilst creating the user, you
> > cannot add the RFC2307 attributes to a user created on ADUC with
> > samba-tool, you also cannot change individual attributes with
> > samba-tool.
>
> Correct, for general-purpose modifications, see ldbmodify/ldbedit.
> However the enable/disable/setpassword/setexpiry should work, with
> appropriate permissions. That is all I meant.

People don't really want to use the ldb tools, they want to use
something that holds their hands. Whilst you know what you meant, it
didn't come over that way.

> > You also know that I proposed patches to allow samba-tool to add the
> > RFC2307 attributes and they came to nothing.
>
> Correct, we couldn't take your patches to use msSFU30MaxUidNumber
> because they were not multi-master safe.

I re-wrote them so that they worked exactly like creating a user, but
without actually creating the user i.e. you could add the same RFC2307
attributes to a user that the ADUC Unix Attributes does. Whilst I can
accept what you say about multi-master safe, surely this also goes for
the way that ADUC does it and how is storing a number in AD different
from storing it elsewhere i.e. scribbled on a piece of paper?

> > I even told you that Windows 10 doesn't have IDMU, so there is no
> > way to add RFC2307 attributes from win10, apart from attribute by
> > attribute.
>
> I'm a little lost as to where rfc2307 attributes came into this.

What do you think most people want/need to do? They want to add RFC2307
attributes and if they now have only win10 clients, they have no way to
add RFC2307 attributes to a user they create in ADUC. No easy way that
is, they either need to add them attribute by attribute, or resort to a
script they have written themselves and most people don't want to do
anything like this.

> I hope this clarifies things,

No it doesn't

Rowland
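
As an added example (not code from anyone in this thread or from the Samba project), here is a small Python generator for the LDIF that ldbmodify would take to add the RFC2307 attributes discussed above to a user that already exists. The DN, NIS domain, ID numbers and function names are assumptions chosen for illustration, and the uidNumber is supplied by the administrator rather than allocated from msSFU30MaxUidNumber.

```python
import base64
import re

# RFC 2849 SAFE-STRING: no NUL, CR or LF; must not start with space, ':' or '<'.
_SAFE = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]"
                   r"[\x01-\x09\x0b\x0c\x0e-\x7f]*")

def ldif_line(attr, value):
    """One LDIF line; values that could break out of the record are base64-encoded."""
    value = str(value)
    if _SAFE.fullmatch(value) and not value.endswith(" "):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def rfc2307_modify_ldif(dn, uid, uid_number, gid_number, nis_domain,
                        home=None, shell="/bin/sh"):
    """LDIF 'modify' record adding RFC2307 attributes to an existing AD user."""
    for name, num in (("uidNumber", uid_number), ("gidNumber", gid_number)):
        # Reject bools, 0 (root) and values that do not fit an unsigned 32-bit id.
        if type(num) is not int or not 0 < num < 2**32 - 1:
            raise ValueError(f"{name} must be an integer between 1 and 2**32 - 2")
    if not re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", uid):
        raise ValueError("uid must be a conservative POSIX login name")
    attrs = [
        ("uid", uid), ("msSFU30Name", uid), ("msSFU30NisDomain", nis_domain),
        ("uidNumber", uid_number), ("gidNumber", gid_number),
        ("unixHomeDirectory", home or f"/home/{uid}"), ("loginShell", shell),
    ]
    lines = [ldif_line("dn", dn), "changetype: modify"]
    for attr, value in attrs:
        # "add:" rather than "replace:" so a value already present is not overwritten.
        lines += [f"add: {attr}", ldif_line(attr, value), "-"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed sample user; the uidNumber must be unique across the domain
    # and is chosen by the administrator here, not read from a counter in AD.
    print(rfc2307_modify_ldif(
        "CN=Jane Doe,CN=Users,DC=samdom,DC=example,DC=com",
        "jdoe", 10001, 10000, "samdom"), end="")
```

Write the output to a file and apply it with ldbmodify, the tool the thread points to for general-purpose modifications. The base64 fallback keeps a value containing a newline from injecting extra LDIF lines into the record.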