Greg Zartman
2014-Dec-01 08:40 UTC
[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
Rowland,

How are you selecting your UID to store in the AD uidNumber attribute? I initially thought UID could be pulled from the last set of digits from SID, but this does not appear to be what others are doing :(

What are you using to determine the UID number???

Thanks
Rowland Penny
2014-Dec-01 09:33 UTC
[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
On 01/12/14 08:40, Greg Zartman wrote:
> Rowland,
>
> How are you selecting your UID to store in the AD uidNumber
> attribute? I initially thought UID could be pulled from the last set
> of digits from SID, but this does not appear to be what others are
> doing :(
>
> What are you using to determine the UID number???
>
> Thanks

I do what Windows does, it ignores the RID (what you call 'the last set of digits from SID') and uses a builtin mechanism to store the next uid & gidNumber.

If you create a user and then go to the UNIX_Attributes tab in ADUC, firstly you will find a 'uidNumber' is assigned to your user (if it is the first user, this will be 10000) and when you add the attributes, you will then find in the user's object in AD that the following attributes will have been added:

uid
msSFU30Name
msSFU30NisDomain
uidNumber
gidNumber
loginShell
unixHomeDirectory
unixUserPassword: ABCD!efgh12345$67890 <-- the password is always this, unless password sync is installed and it doesn't (yet) exist on S4

The next 'uidNumber' & 'gidNumber' are stored in the 'msSFU30MaxUidNumber' and 'msSFU30MaxGidNumber' attributes, stored at:

CN=<lowercase workgroup name>,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=com

Unfortunately, these attributes do not exist as standard, so you would either have to add a user with ADUC or manually add them yourselves with ldbedit. As standard on Windows, they both start at '10000', though you can set them to whatever you require, just make sure that they do not interfere with any local Unix users.

Rowland
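Added example, not part of the thread and not code from Samba or SambaPosix: a sketch of the allocation scheme described in the message above. It takes the value read from msSFU30MaxUidNumber, skips UIDs already held by local Unix accounts, and builds two LDIF records for ldbmodify: a compare-and-swap on the counter and the attribute additions on the user. The function names, the sample domain, user and passwd lines, and the values chosen for msSFU30NisDomain, loginShell and unixHomeDirectory are assumptions.

```python
# Added example; example.com, EXAMPLE, alice, shell and home path are constructed.

def counter_dn(workgroup, base_dn):
    """DN of the object that stores msSFU30MaxUidNumber/msSFU30MaxGidNumber."""
    return ("CN=%s,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,%s"
            % (workgroup.lower(), base_dn))

def local_uids(passwd_text):
    """UIDs already owned by local Unix accounts (passwd(5) format)."""
    uids = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            uids.add(int(fields[2]))
    return uids

def allocate_uid(user_dn, username, gid, stored_next, workgroup, base_dn, taken):
    """Return (uid, counter_ldif, user_ldif); stored_next is the value
    currently in msSFU30MaxUidNumber, taken the local UIDs to avoid."""
    uid = stored_next
    while uid in taken:  # never hand out a UID a local Unix user owns
        uid += 1
    # Delete-by-value then add: the modify is rejected if the counter no
    # longer holds stored_next, so a concurrent allocation is detected.
    counter_ldif = "\n".join([
        "dn: " + counter_dn(workgroup, base_dn), "changetype: modify",
        "delete: msSFU30MaxUidNumber",
        "msSFU30MaxUidNumber: %d" % stored_next, "-",
        "add: msSFU30MaxUidNumber",
        "msSFU30MaxUidNumber: %d" % (uid + 1), "-", ""])
    # unixUserPassword is deliberately left out.
    attrs = [("uid", username), ("msSFU30Name", username),
             ("msSFU30NisDomain", workgroup.lower()),  # assumed value
             ("uidNumber", uid), ("gidNumber", gid),
             ("loginShell", "/bin/bash"),               # assumed value
             ("unixHomeDirectory", "/home/" + username)]  # assumed value
    lines = ["dn: " + user_dn, "changetype: modify"]
    for name, value in attrs:
        lines += ["add: " + name, "%s: %s" % (name, value), "-"]
    return uid, counter_ldif, "\n".join(lines) + "\n"

# Constructed sample: a local account already sits on 10000.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "backup:x:10000:10000::/home/backup:/bin/sh\n")

if __name__ == "__main__":
    uid, counter, user = allocate_uid(
        "CN=alice,CN=Users,DC=example,DC=com", "alice", 10000, 10000,
        "EXAMPLE", "DC=example,DC=com", local_uids(SAMPLE_PASSWD))
    print(counter + "\n" + user)
```

Apply the counter record first and the user record only if that modify succeeds; if it is rejected, re-read the counter and regenerate both records.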
Greg,

> Unfortunately, these attributes do not exist as standard, so you would
> either have to add a user with ADUC or manually add them yourselves with
> ldbedit. As standard on windows, they both start at '10000', though you
> can set them to whatever you require, just make sure that they do not
> interfere with any local Unix users.

If you like to manage Unix users from the Unix side and ldbedit seems too awkward, you might try my Python script:

https://github.com/laotse/SambaPosix

I appreciate comments, experiences, and contributions to make it a useful tool.

Cheers,
- lars.
Greg Zartman
2014-Dec-01 16:31 UTC
[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
On Mon, Dec 1, 2014 at 1:33 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> I do what windows does, it ignores the RID (what you call 'the last set
> of digits from SID') and uses a builtin mechanism to store the next uid &
> gidNumber.

The builtin users/groups use the RID for the GID/UID.

> If you create a user and then go to the UNIX_Attributes tab in ADUC,
> firstly you will find a 'uidNumber' is assigned to your user (if it is the
> first user, this will be 10000) and when you add the attributes, you will
> then find in the users object in AD that the following attributes will have
> been added:
>
> uid
> msSFU30Name
> msSFU30NisDomain
> uidNumber
> gidNumber
> loginShell
> unixHomeDirectory

Do you have to go back and add these values to the built-in groups/users like "Domain Admins"?

> unixUserPassword: ABCD!efgh12345$67890 <-- the password is always this,
> unless password sync is installed and it doesn't (yet) exist on S4

You are saying this exact string is the same no matter what? What's it used for then?

> Unfortunately, these attributes do not exist as standard, so you would
> either have to add a user with ADUC or manually add them yourselves with
> ldbedit. As standard on windows, they both start at '10000', though you can
> set them to whatever you require, just make sure that they do not interfere
> with any local Unix users.

Quite a lot of this stuff isn't standard, nor documented. It is incredibly frustrating to deploy Samba 4 in a mixed Windows/*nix envir.

Greg