Bug 6408 - net sam provision doesn't create any builtin groups
Summary: net sam provision doesn't create any builtin groups
Status: NEW
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: User & Group Accounts
Version: unspecified
Hardware: Other Linux
Importance: P3 enhancement
Target Milestone: ---
Assignee: Simo Sorce
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-05-26 04:57 UTC by David Markey
Modified: 2010-01-25 08:43 UTC

See Also:


Attachments
Patch (7.73 KB, patch)
2009-06-18 11:20 UTC, David Markey
The first patch had the wrong group type, this one's fixed (7.73 KB, patch)
2009-06-18 13:25 UTC, David Markey

Description David Markey 2009-05-26 04:57:36 UTC
debian5:~# ldapsearch -LLL -x -b ou=groups,dc=samba,dc=org dn
dn: ou=groups,dc=samba,dc=org

dn: cn=domusers,ou=groups,dc=samba,dc=org

dn: cn=domadmins,ou=groups,dc=samba,dc=org

dn: cn=domguests,ou=groups,dc=samba,dc=org
Comment 1 Karolin Seeger 2009-05-29 03:52:42 UTC
David, please add the output of 'net sam provision -d10'. Thanks!
Comment 2 David Markey 2009-06-08 19:49:38 UTC
Here we go.


http://dmarkey.com/~dmarkey/net_sam_provision
Comment 3 David Markey 2009-06-18 10:17:31 UTC
I have a patch nearly completed that creates the following:

dn: cn=admins,ou=groups,dc=samba,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: admins
displayName: Administrators
gidNumber: 1000002
sambaSID: S-1-5-32-544
sambaGroupType: 4

dn: cn=users,ou=groups,dc=samba,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: users
displayName: Users
gidNumber: 1000003
sambaSID: S-1-5-32-545
sambaGroupType: 4

dn: cn=guests,ou=groups,dc=samba,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: guests
displayName: Guests
gidNumber: 1000004
sambaSID: S-1-5-32-546
sambaGroupType: 4

dn: cn=powerusers,ou=groups,dc=samba,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: powerusers
displayName: Power Users
gidNumber: 1000005
sambaSID: S-1-5-32-547
sambaGroupType: 4


1. How many of the builtin groups should be created?

2. What should be the POSIX name for builtin groups? e.g. powerusers, localpowerusers, or "BUILTIN\Power Users"?


Comment 4 Simo Sorce 2009-06-18 10:26:42 UTC
(In reply to comment #3)
> 
> 1. How many of the builtin groups should be created?

I'd say the minimum necessary, do we really need Users or Power Users for a basic install? Or just Administrators?

> 2. What should be the POSIX name for builtin groups? e.g. powerusers,
> localpowerusers, or "BUILTIN\Power Users"?

The latter I guess, these are special accounts and should not be confused with normal ones.

Simo.

Comment 5 David Markey 2009-06-18 10:35:42 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > 
> > 1. How many of the builtin groups should be created?
> 
> I'd say the minimum necessary, do we really need Users or Power Users for a
> basic install? Or just Administrators?
> 

I don't know; is there any harm in having them anyway?


> > 2. What should be the POSIX name for builtin groups? e.g. powerusers,
> > localpowerusers, or "BUILTIN\Power Users"?
> 
> The latter I guess, these are special accounts and should not be confused with
> normal ones.

Having spaces in group names isn't POSIX compliant, and the "Domain Admins" group has a POSIX name of domadmins, so would it not make sense to use localadmins?

> 
> Simo.
> 

Comment 6 Simo Sorce 2009-06-18 10:38:00 UTC
(In reply to comment #5)
> I don't know; is there any harm in having them anyway?

I tend to refrain from adding unneeded stuff, but I see no harm indeed.

> Having spaces in group names isn't POSIX compliant, and the "Domain Admins"
> group has a POSIX name of domadmins, so would it not make sense to use
> localadmins?

In this case I'd use builtinadmins, builtinusers, etc...

Simo.
Comment 7 David Markey 2009-06-18 11:20:49 UTC
Created attachment 4309 [details]
Patch

Here's a patch.

Works fine for me. See any obvious problems?
Comment 8 David Markey 2009-06-18 13:25:14 UTC
Created attachment 4313 [details]
The first patch had the wrong group type, this one's fixed
Comment 9 David Markey 2009-06-19 10:33:00 UTC
According to Microsoft, "Domain Admins" should be a member of "BUILTIN\Administrators". Should this be done?

This raises the question of nested groups. nss_ldap wouldn't unroll nested groups.

Comment 10 Simo Sorce 2009-06-19 10:37:42 UTC
(In reply to comment #9)
> According to Microsoft, "Domain Admins" should be a member of
> "BUILTIN\Administrators". Should this be done?
> 
> This raises the question of nested groups. nss_ldap wouldn't unroll nested
> groups.

Yep this was my concern, and probably the reason why we didn't add BUILTIN groups.
It seems you would need nss_winbind if you want BUILTIN groups ...

Comment 11 David Markey 2009-06-19 12:32:29 UTC
I really can't see how nss_ldap and nss_winbind can live together.

nss_ldap is going to supply the group name/GID (objectClass: posixGroup), so is nss_winbind going to fill in the group members?!?

It would be ideal if the functionality of nss_ldap could be absorbed into nss_winbind.
 
Comment 12 Volker Lendecke 2009-06-20 01:45:42 UTC
Within my pdb_ads efforts right now I'm working on exactly that.

Volker
Comment 13 David Markey 2009-06-20 03:57:05 UTC
cool!

So are you suggesting the amalgamation of pdb_ldap and pdb_ads?
Comment 14 Volker Lendecke 2009-06-20 04:51:40 UTC
No, not yet :-)

But in that process I need winbind to also provide local users from passdb. Once that works fine, putting pdb_ldap into that picture should be simple.

Volker
Comment 15 David Markey 2009-06-21 03:44:13 UTC
Cool, so do you think your work should obsolete the use of nss_ldap? 
Comment 16 David Markey 2009-06-29 19:29:59 UTC
I noticed 3.4.0 RC1 creating the following:

14 sambaSID=S-1-5-32-544,dc=samba,dc=org
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 1000005
sambaSID: S-1-5-32-544

15 sambaSID=S-1-5-32-545,dc=samba,dc=org
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 1000006
sambaSID: S-1-5-32-545

16 sambaSID=S-1-5-32-546,dc=samba,dc=org
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 1000007
sambaSID: S-1-5-32-546


smbd creates these after a provision, on first launch.

Is this expected behavior? Shouldn't the above have cn, displayName and sambaGroupType?


Maybe if we created the builtin groups in the provision it wouldn't create ones like these?




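Added example, not code from this bug's patches or from Samba: a small Python audit that reads an LDIF dump of ou=groups (ldapsearch -LLL output, or ldapvi output with its numbered dn lines as in comment 16) and checks the points raised in comments 3, 8, 9 and 16. For each well-known BUILTIN SID it reports whether the entry is a full sambaGroupMapping or only the bare sambaIdmapEntry smbd creates on first start, whether cn, displayName and gidNumber are present, and whether sambaGroupType is 4 (SID_NAME_ALIAS, the local-group type the fixed patch uses) rather than 2 (SID_NAME_DOM_GRP). For the nesting problem it computes the memberUid set a flat posixGroup would need, since nss_ldap does not unroll nested groups. Assumptions not taken from the page: the POSIX names builtinadmins etc. from comment 6, an rfc2307bis-style `member` attribute holding the nested group's DN, and the sample LDIF, which is constructed.

```python
import re

# Well-known BUILTIN alias SIDs and the POSIX names from comment 6 (assumed mapping).
BUILTIN_SIDS = {"S-1-5-32-544": "builtinadmins", "S-1-5-32-545": "builtinusers",
                "S-1-5-32-546": "builtinguests", "S-1-5-32-547": "builtinpowerusers"}
SID_NAME_ALIAS = 4  # sambaGroupType of a local group; 2 (SID_NAME_DOM_GRP) is the wrong type


def parse_ldif(text):
    """Parse plain LDIF (no base64, no folded lines) into a list of {attr: [values]}."""
    entries, cur = [], {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            if cur:
                entries.append(cur)
            cur = {}
            continue
        m = re.match(r"^\d+ (.+)$", line)  # ldapvi writes "<n> <dn>" instead of "dn: <dn>"
        if m and not cur:
            cur["dn"] = [m.group(1)]
            continue
        key, _, val = line.partition(": ")
        cur.setdefault(key, []).append(val)
    if cur:
        entries.append(cur)
    return entries


def audit_builtin(entries):
    """{sid: [problems]} per BUILTIN SID: missing entry, bare idmap-only entry
    (what smbd creates on first start, comment 16), missing attributes, wrong type."""
    by_sid = {}
    for e in entries:
        for sid in e.get("sambaSID", []):
            by_sid.setdefault(sid, []).append(e)
    report = {}
    for sid in BUILTIN_SIDS:
        issues = []
        for e in by_sid.get(sid, []):
            if "sambaGroupMapping" not in e.get("objectClass", []):
                issues.append("bare idmap entry: " + e["dn"][0])
                continue
            issues += ["missing " + a for a in ("cn", "displayName", "gidNumber") if a not in e]
            gtype = e.get("sambaGroupType", ["<unset>"])[0]
            if gtype != str(SID_NAME_ALIAS):
                issues.append("sambaGroupType %s, expected %d" % (gtype, SID_NAME_ALIAS))
        report[sid] = issues if sid in by_sid else ["no entry"]
    return report


def flatten_member_uids(entries, dn):
    """memberUid set a flat posixGroup needs because nss_ldap does not unroll
    nested groups (comment 9); follows `member` DNs recursively, cycle-safe."""
    by_dn = {e["dn"][0]: e for e in entries}
    seen, uids = set(), set()

    def walk(d):
        if d in seen or d not in by_dn:
            return
        seen.add(d)
        uids.update(by_dn[d].get("memberUid", []))
        for nested in by_dn[d].get("member", []):
            walk(nested)

    walk(dn)
    return uids


# Constructed sample (not real data): a domain group nested into a complete BUILTIN
# entry, the bare idmap entry smbd creates (ldapvi numbering), and a wrong-type entry.
SAMPLE_LDIF = """\
dn: cn=domadmins,ou=groups,dc=samba,dc=org
objectClass: posixGroup
cn: domadmins
gidNumber: 1000001
memberUid: root

dn: cn=builtinadmins,ou=groups,dc=samba,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: builtinadmins
displayName: Administrators
gidNumber: 1000002
sambaSID: S-1-5-32-544
sambaGroupType: 4
memberUid: alice
member: cn=domadmins,ou=groups,dc=samba,dc=org

15 sambaSID=S-1-5-32-545,dc=samba,dc=org
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
gidNumber: 1000005
sambaSID: S-1-5-32-545

dn: cn=builtinpowerusers,ou=groups,dc=samba,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: builtinpowerusers
displayName: Power Users
gidNumber: 1000005
sambaSID: S-1-5-32-547
sambaGroupType: 2
"""

if __name__ == "__main__":
    groups = parse_ldif(SAMPLE_LDIF)
    for sid, issues in sorted(audit_builtin(groups).items()):
        print(sid, BUILTIN_SIDS[sid], issues or "ok")
    print(sorted(flatten_member_uids(groups, "cn=builtinadmins,ou=groups,dc=samba,dc=org")))
```

Run as-is it audits the embedded sample; for a real directory feed parse_ldif the output of `ldapsearch -LLL -x -b ou=groups,dc=samba,dc=org`. A flattened memberUid list computed this way has to be rewritten every time the nested group changes, which is the maintenance cost behind the nss_winbind suggestion in comment 10.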
Comment 17 Karolin Seeger 2010-01-25 08:43:04 UTC
Too late for enhancements for 3.5. Raising version.