[PATCH] s4/provision: don't set idmap_ldb:use-rfc2307 on DC by default
Samba - samba-technical mailing list
From a76ff55b09ad981d1948b0c3c8fb0c9b09fc6467 Mon Sep 17 00:00:00 2001
From: Björn Jacke <[hidden email]>
Date: Wed, 13 Dec 2017 14:15:36 +0100
Subject: [PATCH] s4/provision: don't set idmap_ldb:use-rfc2307 on DC by
 default

The --use-rfc2307 parameter of provision should only trigger the ypServ
stuff in LDAP but not change idmapping on the DC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13187

Signed-off-by: Bjoern Jacke <[hidden email]>
---
 python/samba/provision/__init__.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index ad14305..d95f46a 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -2003,8 +2003,6 @@ def provision(logger, session_info, smbconf=None,
 
     server_services = []
     global_param = {}
-    if use_rfc2307:
-        global_param["idmap_ldb:use rfc2307"] = ["yes"]
 
     if dns_backend != "SAMBA_INTERNAL":
         server_services.append("-dns")
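Review bot: Dropping the two lines changes the effective behaviour of an existing provision option (--use-rfc2307) with no accompanying help-text or release-note change in this patch; an admin who provisions with --use-rfc2307 expecting RFC2307 uid/gid mappings on the DC will now silently get idmap_ldb's own allocated mappings instead. Suggest the patch also update the --use-rfc2307 help text (and a release-note entry) to state that the option only populates the ypServ/NIS schema in the directory, and document how an admin can opt back in, e.g. by setting "idmap_ldb:use rfc2307 = yes" in smb.conf, since that global_param entry is the only thing this hunk removes.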
--
2.7.4


Re: [PATCH] s4/provision: don't set idmap_ldb:use-rfc2307 on DC by default

On Wed, 2017-12-13 at 14:26 +0100, Björn Jacke via samba-technical
wrote:

> From a76ff55b09ad981d1948b0c3c8fb0c9b09fc6467 Mon Sep 17 00:00:00 2001
> From: Björn Jacke <[hidden email]>
> Date: Wed, 13 Dec 2017 14:15:36 +0100
> Subject: [PATCH] s4/provision: don't set idmap_ldb:use-rfc2307 on DC by
>  default
>
> The --use-rfc2307 parameter of provision should only trigger the ypServ
> stuff in LDAP but not change idmapping on the DC.
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13187

I would rather not change this at this point, until we can do a proper
do-over for idmapping on the AD DC.  The current situation sucks, but
we should limit the configurations we have deployed.  

In any case, the ypServ stuff in LDAP isn't much use any more, the
admin tools it helped make work are going away.

There are as many (perhaps more) views on IDMAP among team members as
there are team members, and I would rather not change this until we can
get something that is a definite improvement.

In that direction:  There is no good reason why Samba as an AD DC can't
use the real winbind idmap backends.  Naturally there is an upgrade
problem, but if you want to start on this, work out how to make
winbindd use idmap_ad et al and the nss info backends.  

Sorry,

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


Re: [PATCH] s4/provision: don't set idmap_ldb:use-rfc2307 on DC by default

On 2017-12-14 at 06:58 +1300 Andrew Bartlett via samba-technical sent off:
> > The --use-rfc2307 parameter of provision should only trigger the ypServ
> > stuff in LDAP but not change idmapping on the DC.
> >
> > BUG: https://bugzilla.samba.org/show_bug.cgi?id=13187
>
> I would rather not change this at this point, until we can do a proper
> do-over for idmapping on the AD DC.  The current situation sucks, but
> we should limit the configurations we have deployed.  

The default configuration is idmap ldb on the AD DC, and this is the one which
works most stably. rfc2307 is just causing problems. On a DC, which should not
have more than the sysvol share (but this one should work stably!), there is no
point in enabling rfc2307 mappings.

> In any case, the ypServ stuff in LDAP isn't much use any more, the
> admin tools it helped make work are going away.
>
> There are as many (perhaps more) views on IDMAP among team members as
> there are team members, and I would rather not change this until we can
> get something that is a definite improvement.
>
> In that direction:  There is no good reason why Samba as an AD DC can't
> use the real winbind idmap backends.  Naturally there is an upgrade
> problem, but if you want to start on this, work out how to make
> winbindd use idmap_ad et al and the nss info backends.  

idmap_ad is not the alternative. The point of this patch is to leave our
(stable) default, which is idmap ldb, also for provisioning of systems where
the yp server is enabled in LDAP. You said you want to limit the configurations
we have deployed; this is what this patch does as well.

As already mentioned in the bug report, the option to enable the yp server
(--use-rfc2307) is unfortunately quite fuzzy and misleading.

Björn
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:[hidden email]

Re: [PATCH] s4/provision: don't set idmap_ldb:use-rfc2307 on DC by default

On Thu, 14 Dec 2017 12:31:46 +0100
Björn Jacke via samba-technical <[hidden email]> wrote:

> On 2017-12-14 at 06:58 +1300 Andrew Bartlett via samba-technical sent
> off:
> > > The --use-rfc2307 parameter of provision should only trigger the
> > > ypServ stuff in LDAP but not change idmapping on the DC.
> > >
> > > BUG: https://bugzilla.samba.org/show_bug.cgi?id=13187
> >
> > I would rather not change this at this point, until we can do a
> > proper do-over for idmapping on the AD DC.  The current situation
> > sucks, but we should limit the configurations we have deployed.  
>
> the default configuration is idmap ldb on the AD DC and this is the
> one which works most stable. rfc2307 is just causing problems. On a
> DC, which should not have more than the sysvol share (but this one
> should work stable!) there is no point to enable rfc2307 mappings.

Who actually says that a DC should only have the sysvol share? Just
having the sysvol share (and no others) is causing problems, because
idmap ldb on different DCs gives different results and you have to copy
idmap.ldb from the first DC to any other DCs. You can use a DC as a
fileserver; you just have to be aware of the limitations.

>
> > In any case, the ypServ stuff in LDAP isn't much use any more, the
> > admin tools it helped make work are going away.
> >
> > There are as many (perhaps more) views on IDMAP among team members
> > as there are team members, and I would rather not change this until
> > we can get something that is a definite improvement.
> >
> > In that direction:  There is no good reason why Samba as an AD DC
> > can't use the real winbind idmap backends.  Naturally there is an
> > upgrade problem, but if you want to start on this, work out how to
> > make winbindd use idmap_ad et al and the nss info backends.  
>
> idmap_ad is not the alternative. The point about this patch is to
> leave our (stable) default, which is idmap ldb - also for
> provisioning of systems where the yp server is enabled in ldap. You
> said you want to limit the configurations we have deployed, then this
> is what this patch is doing also.

Andrew didn't say idmap_ad specifically, he said 'idmap backends'. I
also think this is the way to go; Samba is halfway there now: winbindd
is used on DCs and Unix domain members. I just wish I understood 'C'.

>
> As mentioned in the bug report already, the option to enable the
> ypserver (--use-rfc2307) is quite fuzzy and misleading unfortunately.
>
> Björn

Rowland
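The divergence Rowland describes (idmap ldb on different DCs handing out different xidNumbers for the same SID unless idmap.ldb is copied from the first DC) can be checked for directly. The following is an added example, not code from the thread or from Samba; it assumes each DC's mappings were exported as LDIF with `ldbsearch -H /usr/local/samba/private/idmap.ldb '(objectClass=sidMap)' objectSid xidNumber type`, and the two dumps embedded below are constructed sample data.

```python
# Added example: compare idmap.ldb SID -> xid mappings exported from two AD DCs
# and report SIDs that resolve to different xidNumbers (or ID types).
# Assumed input: LDIF as printed by ldbsearch on idmap.ldb (objectClass=sidMap),
# one record per SID, records separated by a blank line, "# ..." lines ignored.
# LDIF_DC1 / LDIF_DC2 are constructed sample dumps, not real data.
LDIF_DC1 = """\
dn: CN=S-1-5-21-1111-2222-3333-513
objectSid: S-1-5-21-1111-2222-3333-513
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1111-2222-3333-1104
objectSid: S-1-5-21-1111-2222-3333-1104
type: ID_TYPE_BOTH
xidNumber: 3000001
"""
LDIF_DC2 = """\
dn: CN=S-1-5-21-1111-2222-3333-513
objectSid: S-1-5-21-1111-2222-3333-513
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1111-2222-3333-1104
objectSid: S-1-5-21-1111-2222-3333-1104
type: ID_TYPE_BOTH
xidNumber: 3000005
"""

def parse_idmap_ldif(text):
    """Return {objectSid: (xidNumber, type)} from an ldbsearch LDIF dump."""
    mappings = {}
    for record in text.strip().split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                attrs[key.strip()] = value.strip()
        if "objectSid" in attrs and "xidNumber" in attrs:
            mappings[attrs["objectSid"]] = (int(attrs["xidNumber"]),
                                            attrs.get("type", "?"))
    return mappings

def find_divergent(dc_a, dc_b):
    """SIDs known to both DCs whose xidNumber or type differs between them."""
    a, b = parse_idmap_ldif(dc_a), parse_idmap_ldif(dc_b)
    return {sid: (a[sid], b[sid]) for sid in a.keys() & b.keys() if a[sid] != b[sid]}

if __name__ == "__main__":
    for sid, (m1, m2) in sorted(find_divergent(LDIF_DC1, LDIF_DC2).items()):
        print(f"DIVERGENT {sid}: DC1={m1} DC2={m2}")  # file ownership differs per DC
```

A non-empty result means the same user or group owns different uids/gids depending on which DC serves a share, which is exactly why the thread recommends copying idmap.ldb from the first DC to the others.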