Bug 5605 - Add posix schema to enable unix clients
Product: Samba 4.0
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: P3 enhancement
Assigned To: Andrew Bartlett
Reported: 2008-07-10 04:47 UTC by David Markey
Modified: 2009-04-13 08:21 UTC
Description David Markey 2008-07-10 04:47:45 UTC
I would like to see an option to add posix (user/group) stuff to samba4 so it can be used with unixes without much hassle, and exop so password changes would work with pam_ldap and ldappasswd and all passwords would keep in sync.

Test plan:

When a user is added to the directory they should be given a uid and groups a gid. They should also be given a gcos and their shell (/bin/sh or whatever).

In CentOS/Red Hat use authconfig to set up nss lookups to the samba4 LDAP server; this will only work with the posix stuff (as I understand). The ldap users should then be visible using getent passwd and getent group.

Then use ldappasswd to change a user's password, either binding as themselves or as the administrator.

In OpenLDAP the required schema files are nis.schema; inetorg.schema might also be needed.
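
An added example, not part of the original report or of Samba's code: a check that could accompany the test plan above. It audits an LDIF export for the attributes that nis.schema (RFC 2307) marks as required on posixAccount and posixGroup entries, and for a uidNumber assigned to more than one entry. The LDIF sample, the example.test names and the function names are constructed for illustration.

```python
# MUST attributes per object class in nis.schema (RFC 2307).
REQUIRED = {
    "posixaccount": ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory"),
    "posixgroup": ("cn", "gidNumber"),
}
# Constructed sample export; example.test is a placeholder domain.
SAMPLE_LDIF = """\
dn: cn=alice,cn=Users,dc=example,dc=test
objectClass: posixAccount
cn: alice
uid: alice
uidNumber: 10001
gidNumber: 10000
homeDirectory: /home/alice
loginShell: /bin/sh
gecos: Alice Example

dn: cn=bob,cn=Users,dc=example,dc=test
objectClass: posixAccount
cn: bob
uid: bob
uidNumber: 10001
gidNumber: 10000
"""

def parse_ldif(text):
    """Parse simple LDIF (no line folding, no base64 values) into dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ": " in line:
                key, value = line.split(": ", 1)
                # Attribute names are case-insensitive in LDAP.
                entry.setdefault(key.lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def audit(entries):
    """Return (dn, problem) pairs: missing MUST attributes, reused uidNumber."""
    findings, seen = [], {}
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        findings += [(dn, "missing " + attr)
                     for oc in e.get("objectclass", [])
                     for attr in REQUIRED.get(oc.lower(), ()) if attr.lower() not in e]
        for num in e.get("uidnumber", []):
            if num in seen:  # two directory users would be one Unix identity
                findings.append((dn, "uidNumber %s shared with %s" % (num, seen[num])))
            seen.setdefault(num, dn)
    return findings
```
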
Comment 1 Andrew Bartlett 2008-07-10 17:24:13 UTC
One bug per bug please.  Please re-file the exop password changes in a new bug. 

Comment 2 Matthias Dieter Wallnöfer 2008-08-07 13:23:13 UTC
At the moment we aren't concerned with implementing such a possibility in this way. In fact, the mapping of AD to POSIX attributes and the handling of them should be the task of the new Winbind daemon, which is still under development.
Comment 3 Andrew Bartlett 2008-08-07 17:50:03 UTC
I do expect to implement the posixAccount schema in Samba4, at least as far as the extended schema in Windows 2008. While winbindd should remain responsible for the mappings to UID and GID, I would be very happy if, once chosen, those mappings were maintained in this schema, for direct inspection by such clients.

Comment 4 David Markey 2008-08-11 03:29:48 UTC
For simple user authentication and domain controlling, which I'm interested in, there's actually no need to have users existing on the machine locally. In this case winbind isn't needed and the posix attributes could be very easily added to each user/group entry and the uid and gid could be generated to enable unix clients to use the samba ldap for user info and kerberos for user authentication.
Comment 5 Matthias Dieter Wallnöfer 2009-04-13 08:21:53 UTC
We've now added the POSIX schema in Samba 4. If there are further problems, please reopen!