Discuss: samba-tool configure subcommand
William Brown via samba-technical
2018-04-24 06:05:48 UTC
Hi,

I've been setting up and trying to use samba 4 at home as my primary
authentication source. While doing this, I've noticed a few things in
samba-tool that could be improved to aid usability of the domain
controller functions for administrators.

In my setup I would like to "easily" be able to change domain
configuration options and forest configuration options. Some obvious
ones that come to mind are:

* CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,${DOMAIN}:
  dsHeuristics: ...
* ${DOMAIN}: ms-DS-MachineAccountQuota

I'm sure that as I continue I will find more of course. There is a
clear distinction between these though. First, the ${DOMAIN} settings
could be part of:

samba-tool domain configure <setting>
OR
samba-tool domain <setting>

For example, the passwordsettings are already in the domain subcommand
so it could be logical to retain these here at the top level of the
domain command.

The other part of this is that cn=configuration is replicated in the
forest, so a new subcommand could be a better location. For example,

samba-tool forest <setting>
OR
samba-tool forest configure <setting>

Having these in samba-tool is a good start as it means we can build out
and extend what configurations can be altered from the CLI - avoiding
messy ldifs and changes.

Thoughts and suggestions? For now I'll start writing the patch, but
I'll alter it based on comments later.

Thanks,

William
William Brown via samba-technical
2018-04-24 08:19:47 UTC
On Tue, 2018-04-24 at 16:05 +1000, William Brown via samba-technical
Post by William Brown via samba-technical
Hi,
I've been setting up and trying to use samba 4 at home as my primary
authentication source. While doing this, I've noticed a few things in
samba-tool that could be improved to aid usability of the domain
controller functions for administrators.
In my setup I would like to "easily" be able to change domain
configuration options and forest configuration options. Some obvious
* CN=Directory Service,CN=Windows
dsHeuristics: ...
* ${DOMAIN}: ms-DS-MachineAccountQuota
I'm sure that as I continue I will find more of course. There is a
clear distinction between these though. First, the ${DOMAIN} settings
samba-tool domain configure <setting>
OR
samba-tool domain <setting>
For example, the passwordsettings are already in the domain
subcommand
so it could be logical to retain these here at the top level of the
domain command.
The other part of this is that cn=configuration is replicated in the
forest, so a new subcommand could be a better location. For example,
samba-tool forest <setting>
OR
samba-tool forest configure <setting>
Having these in samba-tool is a good start as it means we can build out
and extend what configurations can be altered from the CLI - avoiding
messy ldifs and changes.
Thoughts and suggestions? For now I'll start writing the patch, but
I'll alter it based on comments later.
Thanks,
William
To start some more discussion here is an initial patch adding support
for domain settings management, and forest configuration management. I
still plan to add test cases, and I'm open to changing some of these
values.

domain currently has a translation mechanism to make settings "pretty",
but I can see a case to remove this.

Forest has a framework to support multiple types of settings display
and setting based on the different objects that may exist. This omits
the translation mech for simplicity. I think I prefer this approach.

An example usage is:

I0> /usr/local/samba/bin/samba-tool forest directory_service show -H ldaps://localhost --simple-bind-dn='***@adt.blackhats.net.au'
Password for [***@adt.blackhats.net.au]:
Settings for CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=adt,DC=blackhats,DC=net,DC=au
dsheuristics: 0000000

I0> /usr/local/samba/bin/samba-tool forest directory_service dsheuristics 0000002 -H ldaps://localhost --simple-bind-dn='***@adt.blackhats.net.au'
Password for [***@adt.blackhats.net.au]:

I0> /usr/local/samba/bin/samba-tool forest directory_service show -H ldaps://localhost --simple-bind-dn='***@adt.blackhats.net.au'
Password for [***@adt.blackhats.net.au]:
Settings for CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=adt,DC=blackhats,DC=net,DC=au
dsheuristics: 0000002

Thanks!

William
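
What the change from 0000000 to 0000002 in the session above means for a domain controller, as an added example that is not part of the patch or of Samba's code: a pre-write check for a dsHeuristics string. The function names are hypothetical, and the two rules modelled (character 7 is fLDAPBlockAnonOps, every tenth character is a fixed marker) are taken from Microsoft's MS-ADTS description of dSHeuristics.

```python
# Added example: review a dsHeuristics value before writing it to
# CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<forest DN>.
# Only two MS-ADTS rules are modelled; all names here are hypothetical.
from itertools import zip_longest


def changed_positions(old, new):
    """Return [(position, old_char, new_char)] with 1-based positions.

    Characters missing from the shorter string are reported as ''.
    """
    pairs = zip_longest(old, new, fillvalue="")
    return [(i, a, b) for i, (a, b) in enumerate(pairs, start=1) if a != b]


def check_dsheuristics(value):
    """Return (errors, warnings) for a proposed dsHeuristics value."""
    errors, warnings = [], []

    # Every tenth character is a marker: '1' at position 10, '2' at 20, ...
    for pos in range(10, min(len(value), 90) + 1, 10):
        expected = str(pos // 10)
        if value[pos - 1] != expected:
            errors.append(
                f"character {pos} must be '{expected}', found '{value[pos - 1]}'"
            )

    # Character 7 is fLDAPBlockAnonOps. The value '2' switches the block
    # off, so unauthenticated clients may perform LDAP operations,
    # subject to the ACLs on each object.
    if len(value) >= 7 and value[6] == "2":
        warnings.append(
            "character 7 is '2': anonymous LDAP operations are permitted"
        )
    return errors, warnings


if __name__ == "__main__":
    before, after = "0000000", "0000002"  # the two values shown in the session
    print("changed:", changed_positions(before, after))
    errs, warns = check_dsheuristics(after)
    print("errors:", errs)
    print("warnings:", warns)
```
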
Alexander Bokovoy via samba-technical
2018-04-25 05:06:44 UTC
Post by William Brown via samba-technical
On Tue, 2018-04-24 at 16:05 +1000, William Brown via samba-technical
Post by William Brown via samba-technical
Hi,
I've been setting up and trying to use samba 4 at home as my primary
authentication source. While doing this, I've noticed a few things in
samba-tool that could be improved to aid usability of the domain
controller functions for administrators.
In my setup I would like to "easily" be able to change domain
configuration options and forest configuration options. Some obvious
* CN=Directory Service,CN=Windows
dsHeuristics: ...
* ${DOMAIN}: ms-DS-MachineAccountQuota
I'm sure that as I continue I will find more of course. There is a
clear distinction between these though. First, the ${DOMAIN} settings
samba-tool domain configure <setting>
OR
samba-tool domain <setting>
For example, the passwordsettings are already in the domain
subcommand
so it could be logical to retain these here at the top level of the
domain command.
The other part of this is that cn=configuration is replicated in the
forest, so a new subcommand could be a better location. For example,
samba-tool forest <setting>
OR
samba-tool forest configure <setting>
Having these in samba-tool is a good start as it means we can build out
and extend what configurations can be altered from the CLI - avoiding
messy ldifs and changes.
Thoughts and suggestions? For now I'll start writing the patch, but
I'll alter it based on comments later.
Thanks,
William
To start some more discussion here is an initial patch adding support
for domain settings management, and forest configuration management. I
still plan to add test cases, and I'm open to changing some of these
values.
domain currently has a translation mechanism to make settings "pretty",
but I can see a case to remove this.
Forest has a framework to support multiple types of settings display
and setting based on the different objects that may exist. This omits
the translation mech for simplicity. I think I prefer this approach.
The code looks OK, I haven't tested it yet. In general, we want commits
to be smaller as we often backport between releases. Here you have two
independent sets of commands that can be split into two commits.

In set commands it would be good to have a confirmation that a value was
indeed set. Right now you get an empty output, would probably be good to
do 'get' after 'set' to avoid running a new command?
Post by William Brown via samba-technical
I0> /usr/local/samba/bin/samba-tool forest directory_service show -H
ldaps://localhost --simple-bind-
Settings for CN=Directory Service,CN=Windows
NT,CN=Services,CN=Configuration,DC=adt,DC=blackhats,DC=net,DC=au
dsheuristics: 0000000
I0> /usr/local/samba/bin/samba-tool forest directory_service
dsheuristics 0000002 -H ldaps://localhost --simple-bind-
I0> /usr/local/samba/bin/samba-tool forest directory_service show -H
Settings for CN=Directory Service,CN=Windows
NT,CN=Services,CN=Configuration,DC=adt,DC=blackhats,DC=net,DC=au
dsheuristics: 0000002
Thanks!
William
--
/ Alexander Bokovoy
William Brown via samba-technical
2018-04-26 01:54:17 UTC
Post by William Brown via samba-technical
Post by William Brown via samba-technical
Thoughts and suggestions? For now I'll start writing the patch, but
I'll alter it based on comments later.
Thanks,
William
To start some more discussion here is an initial patch adding support
for domain settings management, and forest configuration management. I
still plan to add test cases, and I'm open to changing some of these
values.
domain currently has a translation mechanism to make settings
"pretty",
but I can see a case to remove this.
Forest has a framework to support multiple types of settings display
and setting based on the different objects that may exist. This omits
the translation mech for simplicity. I think I prefer this approach.
I0> /usr/local/samba/bin/samba-tool forest directory_service show -H
ldaps://localhost --simple-bind-
Settings for CN=Directory Service,CN=Windows
NT,CN=Services,CN=Configuration,DC=adt,DC=blackhats,DC=net,DC=au
dsheuristics: 0000000
I0> /usr/local/samba/bin/samba-tool forest directory_service
dsheuristics 0000002 -H ldaps://localhost --simple-bind-
I0> /usr/local/samba/bin/samba-tool forest directory_service show -H
ldaps://localhost --simple-bind-
Settings for CN=Directory Service,CN=Windows
NT,CN=Services,CN=Configuration,DC=adt,DC=blackhats,DC=net,DC=au
dsheuristics: 0000002
Hi all,

I have updated this based on the feedback. This is now two patches. I
also opted to simplify the domain command to NOT have the "pretty"
option names, rather we can use docs and --help strings to help explain
these values. This makes code and references to MS or other docs
easier.

I have also added man page references and tests to verify the behaviour
of these commands. I hope that in time we can expand these commands to
be able to configure much more, but it's a simple and good start.

Note, apply the forest patch first, then the domain patch.

I hope this helps!

Thanks,

William
Alexander Bokovoy via samba-technical
2018-04-26 06:36:58 UTC
Post by William Brown via samba-technical
Post by William Brown via samba-technical
Post by William Brown via samba-technical
Thoughts and suggestions? For now I'll start writing the patch, but
I'll alter it based on comments later.
Thanks,
William
To start some more discussion here is an initial patch adding support
for domain settings management, and forest configuration management. I
still plan to add test cases, and I'm open to changing some of these
values.
domain currently has a translation mechanism to make settings "pretty",
but I can see a case to remove this.
Forest has a framework to support multiple types of settings display
and setting based on the different objects that may exist. This omits
the translation mech for simplicity. I think I prefer this approach.
I0> /usr/local/samba/bin/samba-tool forest directory_service show -H
ldaps://localhost --simple-bind-
Settings for CN=Directory Service,CN=Windows
NT,CN=Services,CN=Configuration,DC=adt,DC=blackhats,DC=net,DC=au
dsheuristics: 0000000
I0> /usr/local/samba/bin/samba-tool forest directory_service
dsheuristics 0000002 -H ldaps://localhost --simple-bind-
I0> /usr/local/samba/bin/samba-tool forest directory_service show -H
ldaps://localhost --simple-bind-
Settings for CN=Directory Service,CN=Windows
NT,CN=Services,CN=Configuration,DC=adt,DC=blackhats,DC=net,DC=au
dsheuristics: 0000002
Hi all,
I have updated this based on the feedback. This is now two patches. I
also opted to simplify the domain command to NOT have the "pretty"
option names, rather we can use docs and --help strings to help explain
these values. This makes code and references to MS or other docs
easier.
I have also added man page references and tests to verify the behaviour
of these commands. I hope that in time we can expand these commands to
be able to configure much more, but it's a simple and good start.
Note, apply the forest patch first, then the domain patch.
Both patches look good now. RB+
We need another team reviewer.
--
/ Alexander Bokovoy
Douglas Bagnall via samba-technical
2018-04-25 23:10:27 UTC
hi William,
Post by William Brown via samba-technical
I've been setting up and trying to use samba 4 at home as my primary
authentication source. While doing this, I've noticed a few things in
samba-tool that could be improved to aid usability of the domain
controller functions for administrators.
I'm not able to properly review these patches this week, but I would
like to encourage you to make improvements like this.

The intersection of people who simultaneously

1. understand the underlying concepts,
2. are new Samba users, and
3. have the means to make improvements

is vanishingly small (i.e. it's you). We need you to write these
patches before Stockholm syndrome sets in and you internalise the
existing UI as a-priori correct.

cheers,
Douglas
William Brown via samba-technical
2018-04-26 00:06:13 UTC
Post by Douglas Bagnall via samba-technical
hi William,
Post by William Brown via samba-technical
I've been setting up and trying to use samba 4 at home as my
primary
authentication source. While doing this, I've noticed a few things in
samba-tool that could be improved to aid usability of the domain
controller functions for administrators.
I'm not able to properly review these patches this week, but I would
like to encourage you to make improvements like this.
The intersection of people who simultaneously
1. understand the underlying concepts,
2. are new Samba users, and
3. have the means to make improvements
is vanishingly small (i.e. it's you). We need you to write these
patches before Stockholm syndrome sets in and you internalise the
existing UI as a-priori correct.
Thank you for these awesome words of encouragement. I have plenty of
other ideas of CLI improvements that I would like to make in the coming
weeks. I'm currently in the process of converting my home network from
LDAP -> Samba 4, and as I hit these issues I "write the tool" rather
than applying raw ldifs. I know that if I find it annoying (and I'm an
LDAP person) everyone else must find it just as bad!

So far I've touched dsacls, and this, but I also want to add some
schema query commands (what objectClass takes this attribute?) and
maybe a security audit tool.

I hope that I can stave off Stockholm syndrome for as long as possible
in this case :)

Thanks again!

William