Greg,

> Unfortunately, these attributes do not exist as standard, so you would
> either have to add a user with ADUC or manually add them yourselves with
> ldbedit. As standard on windows, they both start at '10000', though you
> can set them to whatever you require, just make sure that they do not
> interfere with any local Unix users.

If you like to manage Unix users from the Unix side and ldbedit seems too
awkward, you might try my Python script: https://github.com/laotse/SambaPosix

I appreciate comments, experiences, and contributions to make it a useful tool.

Cheers,
- lars.
Greg Zartman
2014-Dec-02 08:29 UTC
[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
On Mon, Dec 1, 2014 at 2:05 AM, Lars Hanke <debian at lhanke.de> wrote:
>
> If you like to manage Unix users from the Unix side and ldbedit seems too
> awkward, you might try my Python script: https://github.com/laotse/SambaPosix
>
> I appreciate comments, experiences, and contributions to make it a useful
> tool.
>

Thanks Lars. I'm working on building a Perl API for Samba 4 for use with the
SME Server (www.koozali.org). Your Python is a great check for what needs to
go into a Perl API.

I think I've finally got this all sorted out. After I set up a user using
samba-tool user create, I'll pull the RID for this new user and then set the
UID/GID = RID + 3000. I'll then set xidNumber = uidNumber (gidNumber), as
appropriate.

The other attributes can be set in a similar fashion as you have done.

I'm not finding where we need these, though, for *nix auth:

uid
msSFU30Name
msSFU30NisDomain

Can someone clarify what these are needed for? SSSD doesn't seem to use them.

Greg
Rowland Penny
2014-Dec-02 08:47 UTC
[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
On 02/12/14 08:29, Greg Zartman wrote:
> On Mon, Dec 1, 2014 at 2:05 AM, Lars Hanke <debian at lhanke.de> wrote:
>
>> If you like to manage Unix users from the Unix side and ldbedit seems too
>> awkward, you might try my Python script: https://github.com/laotse/SambaPosix
>>
>> I appreciate comments, experiences, and contributions to make it a useful
>> tool.
>>
>
> Thanks Lars. I'm working on building a perl API for Samba 4 for use with
> the SME Server (www.koozali.org). Your python is a great check for what
> needs to go into a perl API.
>
> I think I've finally got this all sorted out. After I setup a user using
> samba-tool user create, I'll pull the RID for this new user and then set
> the UID/GID = RID + 3000. I'll then set xidNumber = UIDNumber(GIDNumber),
> as appropriate.

If you do this, you must ensure that ADUC is never used to add Unix
attributes to a user; ADUC will never work like this.

> The other attributes can be set in a similar fashion as you have done.
>
> I'm not finding where we need these though for *nix auth:
>
> uid
> msSFU30Name
> msSFU30NisDomain

I do not think that these are really required at the moment, but they are
added by ADUC. My personal feeling is that, because we are working with what
is basically a Windows server, we need to do things the Windows way. This
will stop problems happening if/when users/groups etc. are added by ADUC,
i.e. if Windows does it, we should do it, and vice versa.

The problem, as I see it, is that Unix sysadmins are used to doing things
the Unix way against OpenLDAP etc. This was OK when dealing with just Unix
products, but now they are dealing with a quasi-Windows product and are
trying to bend it to Unix. This, in my opinion, will only lead to disaster;
you need to work with AD, not try and bend it to suit your needs.

Rowland

> Can someone clarify what these are needed for? SSSD doesn't seem to use
> them.
>
> Greg
On 02/12/14 09:29, Greg Zartman wrote:
>
> I think I've finally got this all sorted out. After I setup a user using
> samba-tool user create, I'll pull the RID for this new user and then set
> the UID/GID = RID + 3000. I'll then set xidNumber = UIDNumber(GIDNumber),
> as appropriate.

I'd recommend using only one database for all your users (AD) and leaving
xidNumber in the independent idmap database, using that only for the
builtin groups. That way, your users get replicated with exactly the same
attributes to all DCs. idmap is not replicated, and so you end up with users
only being recognised on the DC which happened to be queried when you
created the user. In all cases ever known to mankind, that's a mess. Stick
to AD if you possibly can. Windows does.

HTH,
Steve
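The scheme Greg describes above (uidNumber = RID + 3000, set from the Unix side after samba-tool user create), together with Rowland's caveat that the chosen numbers must not collide with local Unix accounts and Steve's advice to leave xidNumber to the idmap database, can be put into a small script. The following is an added example written for this page; it is not code from Lars' SambaPosix, from Greg's Perl API or from Samba itself. It assumes the objectSid is available as a string of the form S-1-5-21-...-RID (the form ldbsearch prints), uses the well-known RID 513 for Domain Users as the primary group, and fills unixHomeDirectory and loginShell with assumed values. The SID and the /etc/passwd lines embedded in it are constructed sample data.

```python
"""Derive RFC2307 POSIX attributes for an AD user from its objectSid RID.

Added example for this thread (not code from SambaPosix or from Samba):
implements uidNumber = RID + 3000 as Greg describes, derives gidNumber the
same way from the primary group's RID, checks the result against local
/etc/passwd entries as Rowland advises, and emits an LDIF for ldbmodify.
xidNumber is deliberately left alone, per Steve's advice.
"""
import re

RID_OFFSET = 3000          # Greg's offset; purely a site-local choice
DOMAIN_USERS_RID = 513     # well-known RID of "Domain Users"
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_from_sid(sid):
    """Return the RID (last sub-authority) of a domain-relative SID string.

    Refuses non-domain SIDs such as S-1-5-32-544 (BUILTIN\\Administrators):
    those are exactly the objects that should stay in the idmap database.
    """
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: %r" % (sid,))
    return int(m.group(1))


def posix_id_from_rid(rid, offset=RID_OFFSET):
    """Map a RID to a uidNumber/gidNumber with a fixed offset."""
    return rid + offset


def parse_passwd(text):
    """Return {name: uid} for /etc/passwd-formatted text; blanks/comments skipped."""
    ids = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 7:
            ids[fields[0]] = int(fields[2])
    return ids


def local_collisions(posix_id, local_ids):
    """Names of local accounts already holding posix_id (empty list if none)."""
    return sorted(name for name, uid in local_ids.items() if uid == posix_id)


def build_user_ldif(dn, sam, user_sid, nis_domain,
                    primary_group_rid=DOMAIN_USERS_RID, offset=RID_OFFSET):
    """LDIF 'modify' record adding the attributes ADUC would set for a user.

    unixHomeDirectory and loginShell values are assumptions for the example.
    """
    uid_number = posix_id_from_rid(rid_from_sid(user_sid), offset)
    gid_number = posix_id_from_rid(primary_group_rid, offset)
    mods = [
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("uid", sam),
        ("msSFU30Name", sam),
        ("msSFU30NisDomain", nis_domain),
        ("unixHomeDirectory", "/home/%s" % sam),
        ("loginShell", "/bin/bash"),
    ]
    lines = ["dn: %s" % dn, "changetype: modify"]
    for attr, value in mods:
        lines += ["add: %s" % attr, "%s: %s" % (attr, value), "-"]
    return "\n".join(lines) + "\n"


# Constructed sample data: a fictional domain SID and a small /etc/passwd.
# RID 1105 maps to 4105, which the local 'backupsvc' account already uses.
SAMPLE_SID = "S-1-5-21-3623811015-3361044348-30300820-1105"
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
lars:x:1000:1000:Lars:/home/lars:/bin/bash
backupsvc:x:4105:4105:backup service:/var/backups:/usr/sbin/nologin
"""


def main():
    local_ids = parse_passwd(SAMPLE_PASSWD)
    for sam, sid in (("greg", SAMPLE_SID), ("lars2", SAMPLE_SID[:-4] + "1106")):
        uid_number = posix_id_from_rid(rid_from_sid(sid))
        clash = local_collisions(uid_number, local_ids)
        if clash:
            # Stop rather than create an AD user that maps onto a local account.
            print("%s: uidNumber %d collides with local account(s): %s"
                  % (sam, uid_number, ", ".join(clash)))
            continue
        print(build_user_ldif("CN=%s,CN=Users,DC=example,DC=com" % sam,
                              sam, sid, "example"))


if __name__ == "__main__":
    main()
```

On a DC the SID can be read with something like `ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=greg)' objectSid` and the generated record applied with `ldbmodify -H /var/lib/samba/private/sam.ldb greg.ldif` (the sam.ldb path is the usual default and is an assumption here). Because the attributes land in AD rather than in idmap.ldb, they replicate to every DC, which is the point Steve makes; the collision check is the one Rowland asks for, and the script refuses BUILTIN SIDs so those keep their idmap-assigned xidNumber.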