s4: new classicupgrade and uids

>
> 2. 'Administrator' hasn't got an uidNumber (while it had it in
> openldap), so it makes me map it manually. Is it a bug or feature?
>
> 3. To have an ability to manage user's uid, gid, etc. through dsa.msc we
> need to add NIS domain to AD. And then add some attributes to
> accounts/groups. Why not to add NIS domain (it's a simple ldif) to
> config while provisioning (named as workgroup by default and also have
> an provision/classicupgrade option to change the name) and then
> additionally modify users like this:
> changetype: modify
> replace: msSFU30NisDomain
> msSFU30NisDomain: $NISDOMAIN
> -
> replace: msSFU30Name
> msSFU30Name: $USER
>
> and groups like this:
>
> changetype: modify
> replace: msSFU30NisDomain
> msSFU30NisDomain: $NISDOMAIN
> -
> replace: msSFU30Name
> msSFU30Name: $GROUP
>
> Thanks.
>

> On 06/21/2012 02:43 PM, Sergey Urushkin wrote:
>> Hi!
>> I've just made a test upgrade from s3 with the new uid/gid migration
>> feature and I have some questions:
>>
>> 1. Computer accounts have objectclass:posixAccount and uidNumber
>> attributes. What is it for? As far as I know unix computer accounts are
>> needed only for s3 dc, that we can join Linux clients to those
>> attributes so am I right? If so, than computer accounts should
>> be excluded somehow.
> Hi
> We use those attributes so that we can join Linux clients to the
> domain and users can login with them without having to use winbind.

>>
>> 3. To have an ability to manage user's uid, gid, etc. through dsa.msc we
>> need to add NIS domain to AD. And then add some attributes to
>> accounts/groups. Why not to add NIS domain (it's a simple ldif) to
>> config while provisioning (named as workgroup by default and also have
>> an provision/classicupgrade option to change the name) and then
>> additionally modify users like this:
>> changetype: modify
>> replace: msSFU30NisDomain
>> msSFU30NisDomain: $NISDOMAIN
>> -
>> replace: msSFU30Name
>> msSFU30Name: $USER
>>
>> and groups like this:
>>
>> changetype: modify
>> replace: msSFU30NisDomain
>> msSFU30NisDomain: $NISDOMAIN
>> -
>> replace: msSFU30Name
>> msSFU30Name: $GROUP
>>
>> Thanks.
>>
> We made a simple script to do this without changing the schema. We
> manage most of the domain from the s4DC and rarely touch ADUC.

> Hi.
>
> 21.06.2012 19:09, steve написал:
>> On 06/21/2012 02:43 PM, Sergey Urushkin wrote:
>>> Hi!
>>> I've just made a test upgrade from s3 with the new uid/gid migration
>>> feature and I have some questions:
>>>
>>> 1. Computer accounts have objectclass:posixAccount and uidNumber
>>> attributes. What is it for? As far as I know unix computer accounts are
>>> needed only for s3 dc, that we can join Linux clients to those
>>> attributes so am I right? If so, than computer accounts should
>>> be excluded somehow.
>> Hi
>> We use those attributes so that we can join Linux clients to the
>> domain and users can login with them without having to use winbind.
> But how can computer's uidnumber attribute help us with this... Joining
> works without computer posix accounts. ldapd, sss, nss_ldap doesn't need
> computer accounts.

>>> 3. To have an ability to manage user's uid, gid, etc. through dsa.msc we
>>> need to add NIS domain to AD. And then add some attributes to
>>> accounts/groups. Why not to add NIS domain (it's a simple ldif) to
>>> config while provisioning (named as workgroup by default and also have
>>> an provision/classicupgrade option to change the name) and then
>>> additionally modify users like this:
>>> changetype: modify
>>> replace: msSFU30NisDomain
>>> msSFU30NisDomain: $NISDOMAIN
>>> -
>>> replace: msSFU30Name
>>> msSFU30Name: $USER
>>>
>>> and groups like this:
>>>
>>> changetype: modify
>>> replace: msSFU30NisDomain
>>> msSFU30NisDomain: $NISDOMAIN
>>> -
>>> replace: msSFU30Name
>>> msSFU30Name: $GROUP
>>>
>>> Thanks.
>>>
>> We made a simple script to do this without changing the schema. We
>> manage most of the domain from the s4DC and rarely touch ADUC.
> But we still don't have something like 'samba-tool user unix ...' and
> 'samba-tool domain nis ...' and all managing of unix attribs is made
> with external tools (you suggested, I have one too).

> Schema modification I made works and replicates well (I've been using it
> for tests for more then half of a year) , so I don't see actual reason
> why not just to implement it. In summary to begin we need one ldif with
> 2 params - basedn and nis domain, one option to provision/classicupgrade
> (--nis-domain), and user/group provisioning modifications showed above.
> I would be glad to make it but my python is not good, anyway I'm ready
> to help with testing.
>> The main reason we don't use winbind is because our unixHomeDrirectory
>> attributes do not all point at the same directory.
>>
> It's a problem for s4 winbind, but s3 winbind works nicely with rfc2307
> schema and respects attribs like uid, unixHomeDirectory.
>> The script is here. It has many similarities to your sfu example for
>> the most part.
>> http://dl.dropbox.com/u/45150875/s4bind.tar.gz
>>
> Thanks for the script.
>
> Also, another question appeared:
>
> 4. gidNumber for users is not set too. Until it's set we can not use s3
> winbind rfc2307 mode with s4 dc. Maybe it's also about loginshell,
> unixHomeDirectory...
>
> Thanks.
>

> 3. To have an ability to manage user's uid, gid, etc. through dsa.msc we
> need to add NIS domain to AD. And then add some attributes to
> accounts/groups. Why not to add NIS domain (it's a simple ldif) to
> config while provisioning (named as workgroup by default and also have
> an provision/classicupgrade option to change the name) and then
> additionally modify users like this:
> changetype: modify
> replace: msSFU30NisDomain
> msSFU30NisDomain: $NISDOMAIN
> -
> replace: msSFU30Name
> msSFU30Name: $USER
>
> and groups like this:
>
> changetype: modify
> replace: msSFU30NisDomain
> msSFU30NisDomain: $NISDOMAIN
> -
> replace: msSFU30Name
> msSFU30Name: $GROUP

> On Thu, 2012-06-21 at 16:43 +0400, Sergey Urushkin wrote:
>> Hi!
>> I've just made a test upgrade from s3 with the new uid/gid migration
>> feature and I have some questions:
>>
>> 1. Computer accounts have objectclass:posixAccount and uidNumber
>> attributes. What is it for? As far as I know unix computer accounts are
>> needed only for s3 dc, am I right? If so, than computer accounts should
>> be excluded somehow.
> Computers can log in and own files, and so we need to preserve the
> uidNumber that has been assigned, to preserve this file ownership.

>> 3. To have an ability to manage user's uid, gid, etc. through dsa.msc we
>> need to add NIS domain to AD. And then add some attributes to
>> accounts/groups. Why not to add NIS domain (it's a simple ldif) to
>> config while provisioning (named as workgroup by default and also have
>> an provision/classicupgrade option to change the name) and then
>> additionally modify users like this:
>> changetype: modify
>> replace: msSFU30NisDomain
>> msSFU30NisDomain: $NISDOMAIN
>> -
>> replace: msSFU30Name
>> msSFU30Name: $USER
>>
>> and groups like this:
>>
>> changetype: modify
>> replace: msSFU30NisDomain
>> msSFU30NisDomain: $NISDOMAIN
>> -
>> replace: msSFU30Name
>> msSFU30Name: $GROUP
> I thought that the whole point of the new rfc2307 support was to avoid
> needing to set these SFU attributes?

> HI.
>
> 22.06.2012 12:11, Andrew Bartlett написал:
> > On Thu, 2012-06-21 at 16:43 +0400, Sergey Urushkin wrote:
> >> Hi!
> >> I've just made a test upgrade from s3 with the new uid/gid migration
> >> feature and I have some questions:
> >>
> >> 1. Computer accounts have objectclass:posixAccount and uidNumber
> >> attributes. What is it for? As far as I know unix computer accounts are
> >> needed only for s3 dc, am I right? If so, than computer accounts should
> >> be excluded somehow.
> > Computers can log in and own files, and so we need to preserve the
> > uidNumber that has been assigned, to preserve this file ownership.
> I know they can with these settings, I'm just wondering where such
> ownership could be used with nix systems?
> >> 2. 'Administrator' hasn't got an uidNumber (while it had it in
> >> openldap), so it makes me map it manually. Is it a bug or feature?
> > Simply a bug.
> As I wrote in another branch - 'guest' is also affected. Should I write
> report, or it'll be fixed in place soon?
> >> 3. To have an ability to manage user's uid, gid, etc. through dsa.msc we
> >> need to add NIS domain to AD. And then add some attributes to
> >> accounts/groups. Why not to add NIS domain (it's a simple ldif) to
> >> config while provisioning (named as workgroup by default and also have
> >> an provision/classicupgrade option to change the name) and then
> >> additionally modify users like this:
> >> changetype: modify
> >> replace: msSFU30NisDomain
> >> msSFU30NisDomain: $NISDOMAIN
> >> -
> >> replace: msSFU30Name
> >> msSFU30Name: $USER
> >>
> >> and groups like this:
> >>
> >> changetype: modify
> >> replace: msSFU30NisDomain
> >> msSFU30NisDomain: $NISDOMAIN
> >> -
> >> replace: msSFU30Name
> >> msSFU30Name: $GROUP
> > I thought that the whole point of the new rfc2307 support was to avoid
> > needing to set these SFU attributes?
> Maybe I missed discussion about it, I'm just trying to say that support
> for these attributes (as a nis domain schema modification) are needed to
> manage unix account via dsa.msc.
> 'msSFU30NisDomain' (and that mean nis schema too) is needed to be able
> to change unix atrributes.
> 'msSFU30Name' seems to be optional, it is filled with account name by
> dsa.msc automatically after pressing apply button on unix tab, and since
> it can't be changed via dsa.msc (e.g. after renaming account), it can be
> leaved unmanaged by samba too, so resulting minimal ldif for
> users/groups is:
>
> changetype: modify
> replace: msSFU30NisDomain
> msSFU30NisDomain: $NISDOMAIN
>
> I don't understand what disadvantages we'll get after adding NIS support to s4?

> On Fri, 2012-06-22 at 13:42 +0400, Sergey Urushkin wrote:
>
>
> 22.06.2012 12:11, Andrew Bartlett написал:
>>> On Thu, 2012-06-21 at 16:43 +0400, Sergey Urushkin wrote:
>>>> 2. 'Administrator' hasn't got an uidNumber (while it had it in
>>>> openldap), so it makes me map it manually. Is it a bug or feature?
>>> Simply a bug.
>> As I wrote in another branch - 'guest' is also affected. Should I write
>> report, or it'll be fixed in place soon?

> On Wed, 2012-08-08 at 11:01 +0400, Sergey Urushkin wrote:
>> Hi.
>> Some time ago I sent the patch to the list, but didn't get answer. For
>> better readability it's attached again.
>> The problem with it now is that it may set administrator uid to non-zero
>> value (what will break GP editing, until appropriate posix acls is set.
>> As a workaround - chown -R administrator path/to/sysvol). It may need
>> additional warning message.
> My thoughts are that I don't like the upgrade handling any of the well
> known users, except perhaps to assign a UID.  Even then, things like
> administrator UID should be connected via the provision() stage.

>
> 08.08.2012 12:55, Andrew Bartlett пишет:
>
> > On Wed, 2012-08-08 at 11:01 +0400, Sergey Urushkin wrote:
> > > Hi.
> > > Some time ago I sent the patch to the list, but didn't get answer. For
> > > better readability it's attached again.
> > > The problem with it now is that it may set administrator uid to non-zero
> > > value (what will break GP editing, until appropriate posix acls is set.
> > > As a workaround - chown -R administrator path/to/sysvol). It may need
> > > additional warning message.
> > My thoughts are that I don't like the upgrade handling any of the well
> > known users, except perhaps to assign a UID.  Even then, things like
> > administrator UID should be connected via the provision() stage.
> Then, may be we should add some default uid/gid attributes to
> wellknown users/groups on the provision stage (if --use-rfc2307 is
> used add them to the directory too). That would also be a step to
> provision default posix acls for sysvol. Here is the list which I feel
> needed and suggested values.
>
> name : sid : uid/gid
> ---------------------------------
> Administrators    :    S-1-5-32-544    :    300544                -
> should to be synced on all dcs (it's a part of default ms's sysvol
> permissions)
> Server Operators    :    S-1-5-32-549    :    300549            - the
> same
> Authenticated Users    :    S-1-5-11    :    300011              - the
> same
> Local System    :    S-1-5-18    :    300018/300018             - the
> same
>
> Administrator    :    S-1-5-21domain-500    :    0/0
> Guest    :    S-1-5-21domain-501    :    nobody's uid/nobody's gid
> Anonymous    :    S-1-5-7    :    nobody's gid
>
> What do you think?

> > > Also, I have to say that "if entry['rid'] < 1000:" check gives an error
> > > at the "adding users to groups" stage (nonexisting user). Ways to solve it:
> > >  1. Stop provision with error if such accounts exist (think it's the best)
> > >  2. Add some workaround to the function that lists members
> > >  3. Remove this check.
> > I'm not entirely sure what you mean here.  I guess we do need to upgrade
> > groups of any well known users we find?
> >
> If group contains user with rid < 1000 (skipped), then
> add_users_to_group ends with error (because this user hasn't been
> actually imported), and upgrading fails.
> So, if there are 1000 users, we have to wait for a really long time
> (while all users are being imported) to just see an error at the end.
> I think we should give an error immediately, or test somehow for user
> existence in s4 db before trying to add it to some group.  

> On Wed, 2012-08-08 at 15:21 +0400, Sergey Urushkin wrote:
>> 08.08.2012 12:55, Andrew Bartlett пишет:
>>
>>> On Wed, 2012-08-08 at 11:01 +0400, Sergey Urushkin wrote:
>>>> Hi.
>>>> Some time ago I sent the patch to the list, but didn't get answer. For
>>>> better readability it's attached again.
>>>> The problem with it now is that it may set administrator uid to non-zero
>>>> value (what will break GP editing, until appropriate posix acls is set.
>>>> As a workaround - chown -R administrator path/to/sysvol). It may need
>>>> additional warning message.
>>> My thoughts are that I don't like the upgrade handling any of the well
>>> known users, except perhaps to assign a UID.  Even then, things like
>>> administrator UID should be connected via the provision() stage.
>> Then, may be we should add some default uid/gid attributes to
>> wellknown users/groups on the provision stage (if --use-rfc2307 is
>> used add them to the directory too). That would also be a step to
>> provision default posix acls for sysvol. Here is the list which I feel
>> needed and suggested values.
>>
>> name : sid : uid/gid
>> ---------------------------------
>> Administrators    :    S-1-5-32-544    :    300544                -
>> should to be synced on all dcs (it's a part of default ms's sysvol
>> permissions)
>> Server Operators    :    S-1-5-32-549    :    300549            - the
>> same
>> Authenticated Users    :    S-1-5-11    :    300011              - the
>> same
>> Local System    :    S-1-5-18    :    300018/300018             - the
>> same
>>
>> Administrator    :    S-1-5-21domain-500    :    0/0
>> Guest    :    S-1-5-21domain-501    :    nobody's uid/nobody's gid
>> Anonymous    :    S-1-5-7    :    nobody's gid
>>
>> What do you think?
> I don't mind assigning a UID in the directory based on the imported
> values to well known users, but I'm just saying we need to be careful
> about actually 'importing' the user.

>>>> Also, I have to say that "if entry['rid'] < 1000:" check gives an error
>>>> at the "adding users to groups" stage (nonexisting user). Ways to solve it:
>>>>  1. Stop provision with error if such accounts exist (think it's the best)
>>>>  2. Add some workaround to the function that lists members
>>>>  3. Remove this check.
>>> I'm not entirely sure what you mean here.  I guess we do need to upgrade
>>> groups of any well known users we find?
>>>
>> If group contains user with rid < 1000 (skipped), then
>> add_users_to_group ends with error (because this user hasn't been
>> actually imported), and upgrading fails.
>> So, if there are 1000 users, we have to wait for a really long time
>> (while all users are being imported) to just see an error at the end.
>> I think we should give an error immediately, or test somehow for user
>> existence in s4 db before trying to add it to some group.  
> What users are you importing with a sid below 1000 that Samba4 doesn't
> already define?
>

> 08.08.2012 15:29, Andrew Bartlett пишет:
> > On Wed, 2012-08-08 at 15:21 +0400, Sergey Urushkin wrote:
> >> 08.08.2012 12:55, Andrew Bartlett пишет:
> >>
> >>> On Wed, 2012-08-08 at 11:01 +0400, Sergey Urushkin wrote:
> >>>> Hi.
> >>>> Some time ago I sent the patch to the list, but didn't get answer. For
> >>>> better readability it's attached again.
> >>>> The problem with it now is that it may set administrator uid to non-zero
> >>>> value (what will break GP editing, until appropriate posix acls is set.
> >>>> As a workaround - chown -R administrator path/to/sysvol). It may need
> >>>> additional warning message.
> >>> My thoughts are that I don't like the upgrade handling any of the well
> >>> known users, except perhaps to assign a UID.  Even then, things like
> >>> administrator UID should be connected via the provision() stage.
> >> Then, may be we should add some default uid/gid attributes to
> >> wellknown users/groups on the provision stage (if --use-rfc2307 is
> >> used add them to the directory too). That would also be a step to
> >> provision default posix acls for sysvol. Here is the list which I feel
> >> needed and suggested values.
> >>
> >> name : sid : uid/gid
> >> ---------------------------------
> >> Administrators    :    S-1-5-32-544    :    300544                -
> >> should to be synced on all dcs (it's a part of default ms's sysvol
> >> permissions)
> >> Server Operators    :    S-1-5-32-549    :    300549            - the
> >> same
> >> Authenticated Users    :    S-1-5-11    :    300011              - the
> >> same
> >> Local System    :    S-1-5-18    :    300018/300018             - the
> >> same
> >>
> >> Administrator    :    S-1-5-21domain-500    :    0/0
> >> Guest    :    S-1-5-21domain-501    :    nobody's uid/nobody's gid
> >> Anonymous    :    S-1-5-7    :    nobody's gid
> >>
> >> What do you think?
> > I don't mind assigning a UID in the directory based on the imported
> > values to well known users, but I'm just saying we need to be careful
> > about actually 'importing' the user.
> If you are suggesting importing only uid and gid for wellknown accounts,
> then I'll change the patch such way.
> But could you explain why we need to import it via provision()? For
> example, "domain admins" is a wellknown account too, but we don't import
> it via provision().

> >>>> Also, I have to say that "if entry['rid'] < 1000:" check gives an error
> >>>> at the "adding users to groups" stage (nonexisting user). Ways to solve it:
> >>>>  1. Stop provision with error if such accounts exist (think it's the best)
> >>>>  2. Add some workaround to the function that lists members
> >>>>  3. Remove this check.
> >>> I'm not entirely sure what you mean here.  I guess we do need to upgrade
> >>> groups of any well known users we find?
> >>>
> >> If group contains user with rid < 1000 (skipped), then
> >> add_users_to_group ends with error (because this user hasn't been
> >> actually imported), and upgrading fails.
> >> So, if there are 1000 users, we have to wait for a really long time
> >> (while all users are being imported) to just see an error at the end.
> >> I think we should give an error immediately, or test somehow for user
> >> existence in s4 db before trying to add it to some group.  
> > What users are you importing with a sid below 1000 that Samba4 doesn't
> > already define?
> >
> I haven't yet met such users, I've got this issue while testing
> suggested patch (I changed the sid manually for one of the users). I'm
> just trying to say if someone's s3db contains such user (I guess some
> do), we'll need to do something with it, the more so because we already
> have this check.

> On Thu, 2012-08-09 at 10:25 +0400, Sergey Urushkin wrote:
>> 08.08.2012 15:29, Andrew Bartlett пишет:
>>> On Wed, 2012-08-08 at 15:21 +0400, Sergey Urushkin wrote:
>>>> 08.08.2012 12:55, Andrew Bartlett пишет:
>>>>
>>>>> On Wed, 2012-08-08 at 11:01 +0400, Sergey Urushkin wrote:
>>>>>> Hi.
>>>>>> Some time ago I sent the patch to the list, but didn't get answer. For
>>>>>> better readability it's attached again.
>>>>>> The problem with it now is that it may set administrator uid to non-zero
>>>>>> value (what will break GP editing, until appropriate posix acls is set.
>>>>>> As a workaround - chown -R administrator path/to/sysvol). It may need
>>>>>> additional warning message.
>>>>> My thoughts are that I don't like the upgrade handling any of the well
>>>>> known users, except perhaps to assign a UID.  Even then, things like
>>>>> administrator UID should be connected via the provision() stage.
>>>> Then, may be we should add some default uid/gid attributes to
>>>> wellknown users/groups on the provision stage (if --use-rfc2307 is
>>>> used add them to the directory too). That would also be a step to
>>>> provision default posix acls for sysvol. Here is the list which I feel
>>>> needed and suggested values.
>>>>
>>>> name : sid : uid/gid
>>>> ---------------------------------
>>>> Administrators    :    S-1-5-32-544    :    300544                -
>>>> should to be synced on all dcs (it's a part of default ms's sysvol
>>>> permissions)
>>>> Server Operators    :    S-1-5-32-549    :    300549            - the
>>>> same
>>>> Authenticated Users    :    S-1-5-11    :    300011              - the
>>>> same
>>>> Local System    :    S-1-5-18    :    300018/300018             - the
>>>> same
>>>>
>>>> Administrator    :    S-1-5-21domain-500    :    0/0
>>>> Guest    :    S-1-5-21domain-501    :    nobody's uid/nobody's gid
>>>> Anonymous    :    S-1-5-7    :    nobody's gid
>>>>
>>>> What do you think?
>>> I don't mind assigning a UID in the directory based on the imported
>>> values to well known users, but I'm just saying we need to be careful
>>> about actually 'importing' the user.
>> If you are suggesting importing only uid and gid for wellknown accounts,
>> then I'll change the patch such way.
>> But could you explain why we need to import it via provision()? For
>> example, "domain admins" is a wellknown account too, but we don't import
>> it via provision().
> We do create "domain admins" during provision.

>
>>>>>> Also, I have to say that "if entry['rid'] < 1000:" check gives an error
>>>>>> at the "adding users to groups" stage (nonexisting user). Ways to solve it:
>>>>>>  1. Stop provision with error if such accounts exist (think it's the best)
>>>>>>  2. Add some workaround to the function that lists members
>>>>>>  3. Remove this check.
>>>>> I'm not entirely sure what you mean here.  I guess we do need to upgrade
>>>>> groups of any well known users we find?
>>>>>
>>>> If group contains user with rid < 1000 (skipped), then
>>>> add_users_to_group ends with error (because this user hasn't been
>>>> actually imported), and upgrading fails.
>>>> So, if there are 1000 users, we have to wait for a really long time
>>>> (while all users are being imported) to just see an error at the end.
>>>> I think we should give an error immediately, or test somehow for user
>>>> existence in s4 db before trying to add it to some group.  
>>> What users are you importing with a sid below 1000 that Samba4 doesn't
>>> already define?
>>>
>> I haven't yet met such users, I've got this issue while testing
>> suggested patch (I changed the sid manually for one of the users). I'm
>> just trying to say if someone's s3db contains such user (I guess some
>> do), we'll need to do something with it, the more so because we already
>> have this check.
> I guess we should error out.
>