On Tue, 2018-05-29 at 21:00 +0100, Rowland Penny via samba wrote:
> On Tue, 29 May 2018 15:50:44 -0400
> lingpanda101 via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> >      I'm developing a script to create a user and pass along all the
> > necessary unix attributes required. I'm successful except when I go
> > to increment msSFU30MaxUidNumber or msSFU30MaxGidNumber. I'm not sure
> > how to use ldbedit to script this process. Any guidance would be
> > great. Thanks.
> >
> > - James
> >
>
> Something like this:
>
> # UPDATE msSFU30MaxUidNumber/msSFU30MaxGidNumber
> # Input : $1 $2
> # $1: what to update (msSFU30MaxUidNumber or msSFU30MaxGidNumber)
> # $2: Next Number
> #
> # Output : Nothing
> _updatemax () {
>   echo "Updating $1"
>
>   newid="dn: CN=$domainNETBios,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,$domainDN
> changetype: modify
> replace: $1
> $1: $2"

Actually, you would want to use (something like this, not tested):

changetype: modify
add: $1
$1: $2
delete: $1
$1: $2

This is called a constrained update, and avoids a race where the value
changes between the search and the modify.

That will then be atomic (either succeeds or fails as a whole) on one
DC, but sadly not across the whole domain, which is why it isn't part
of our standard feature-set (we don't like to create tools that have
inherent races).

That just means always run this against one specific DC to be safe.

>   echo "${newid}" | $LDBMODIFYBIN -H "$ldbdb" > /dev/null 2>&1
>   if [ $? != 0 ]; then
>       echo "Error updating $1 in AD."
>       exit 1
>   fi
>
>   echo "Successfully updated $1 in AD"
> }
>
> Rowland

I hope this helps,

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On Wed, 30 May 2018 08:09:50 +1200
Andrew Bartlett <abartlet at samba.org> wrote:

> On Tue, 2018-05-29 at 21:00 +0100, Rowland Penny via samba wrote:
> > On Tue, 29 May 2018 15:50:44 -0400
> > lingpanda101 via samba <samba at lists.samba.org> wrote:
> >
> > > Hello,
> > >
> > >      I'm developing a script to create a user and pass along all
> > > the necessary unix attributes required. I'm successful except
> > > when I go to increment msSFU30MaxUidNumber or
> > > msSFU30MaxGidNumber. I'm not sure how to use ldbedit to script
> > > this process. Any guidance would be great. Thanks.
> > >
> > > - James
> > >
> >
> > Something like this:
> >
> > # UPDATE msSFU30MaxUidNumber/msSFU30MaxGidNumber
> > # Input : $1 $2
> > # $1: what to update (msSFU30MaxUidNumber or msSFU30MaxGidNumber)
> > # $2: Next Number
> > #
> > # Output : Nothing
> > _updatemax () {
> >   echo "Updating $1"
> >
> >   newid="dn: CN=$domainNETBios,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,$domainDN
> > changetype: modify
> > replace: $1
> > $1: $2"
>
> Actually, you would want to use (something like this, not tested):
>
> changetype: modify
> add: $1
> $1: $2
> delete: $1
> $1: $2
>
> This is called a constrained update, and avoids a race where the value
> changes between the search and the modify.

Fair comment, but 'msSFU30MaxUidNumber' is a single valued attribute
and surely the 'add' will fail because the attribute already exists.
Following on from this, the delete will fail because the value to be
deleted isn't what is there now.

So I think what you actually mean is:

changetype: modify
delete: $1
$1: ($2 - 1) # what is there now
-
add: $1
$1: $2

>
> That will then be atomic (either succeeds or fails as a whole) on one
> DC, but sadly not across the whole domain, which is why it isn't part
> of our standard feature-set (we don't like to create tools that have
> inherent races).
>
> That just means always run this against one specific DC to be safe.

Totally agree

Rowland

Hello! Andrew Bartlett via samba
  On that day it was said...

> >   newid="dn: CN=$domainNETBios,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,$domainDN
> > changetype: modify
> > replace: $1
> > $1: $2"
>
> Actually, you would want to use (something like this, not tested):
>
> changetype: modify
> add: $1
> $1: $2
> delete: $1
> $1: $2
>
> This is called a constrained update, and avoids a race where the value
> changes between the search and the modify.

I'm a bit astonished.

So, in AD LDAP lingo, a 'modify' is not atomic, and a 'delete/add' yes?

Awake me, please... ;-)))

--
dott. Marco Gaiarin                     GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''   http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it  t +39-0434-842711  f +39-0434-842797

    Donate your 5 per mille to LA NOSTRA FAMIGLIA!
    http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
    (tax code 00307430132, category ONLUS or RICERCA SANITARIA)

On Wed, 30 May 2018 10:03:19 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! Andrew Bartlett via samba
>   On that day it was said...
>
> > >   newid="dn: CN=$domainNETBios,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,$domainDN
> > > changetype: modify
> > > replace: $1
> > > $1: $2"
> >
> > Actually, you would want to use (something like this, not tested):
> >
> > changetype: modify
> > add: $1
> > $1: $2
> > delete: $1
> > $1: $2
> >
> > This is called a constrained update, and avoids a race where the
> > value changes between the search and the modify.
>
> I'm a bit astonished.
>
> So, in AD LDAP lingo, a 'modify' is not atomic, and a 'delete/add'
> yes?
>
> Awake me, please... ;-)))
>

Did you see my reply to what Andrew posted?

I personally do not think that the above will actually work.

Rowland

On Tue, 2018-05-29 at 21:30 +0100, Rowland Penny via samba wrote:
>
> Fair comment, but 'msSFU30MaxUidNumber' is a single valued attribute
> and surely the 'add' will fail because the attribute already exists.

Correct.

> Following on from this, the delete will fail because the value to be
> deleted isn't what is there now

Yep.

> So I think what you actually mean is:
>
> changetype: modify
> delete: $1
> $1: ($2 - 1) # what is there now
> -
> add: $1
> $1: $2

Yes, indeed the order matters.

Thanks!

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
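
Added example (not part of the thread and not Samba project code): the delete-then-add constrained update the thread settles on, written as a shell helper that builds the LDIF record and pipes it to ldbmodify. The function names, the LDBMODIFY and LDB_URL variables, and the "new value must be larger" check are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: constrained update of msSFU30MaxUidNumber / msSFU30MaxGidNumber.
# Assumed names (not from the thread): both functions, LDBMODIFY, LDB_URL.

LDBMODIFY="${LDBMODIFY:-ldbmodify}"

# Print one LDIF modify record that deletes the value we read and then adds
# the new one. The delete names the old value explicitly, so the whole record
# is rejected if the attribute changed after our search.
# $1: attribute   $2: DN of the ypservers entry
# $3: value returned by the search   $4: new value
build_constrained_ldif () {
    case "$1" in
        msSFU30MaxUidNumber|msSFU30MaxGidNumber) ;;
        *) echo "unsupported attribute: $1" >&2; return 2 ;;
    esac
    for n in "$3" "$4"; do
        case "$n" in
            ''|*[!0-9]*) echo "not a number: $n" >&2; return 2 ;;
        esac
    done
    # Added safety check: the counter may only move forward.
    [ "$4" -gt "$3" ] || { echo "new value must exceed current" >&2; return 2; }
    printf 'dn: %s\nchangetype: modify\ndelete: %s\n%s: %s\n-\nadd: %s\n%s: %s\n' \
        "$2" "$1" "$1" "$3" "$1" "$1" "$4"
}

# Send the record to ONE specific DC (LDB_URL), as the thread advises.
# Returns 2 on bad input, 1 if ldbmodify rejected the change (for example
# because the stored value no longer matches $3); in that case search again
# and retry with the fresh value.
# Arguments as for build_constrained_ldif.
apply_constrained_update () {
    ldif=$(build_constrained_ldif "$@") || return 2
    printf '%s\n' "$ldif" | "$LDBMODIFY" -H "$LDB_URL" >/dev/null 2>&1 || return 1
}
```
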