Andrey Repin
2015-Apr-09 16:17 UTC
[Samba] How can I have new users/groups to include posixAccount/posixGroup schema automatically?
Greetings, Rowland Penny!

>> I've added a few domain users/groups for test, but they don't have ?idNumber,
>> even though the relevant schema is loaded?
>> How can I tell it to include relevant schema for all newly created
>> users/groups?

> Well, you could try walking up to the DC and giving it a good talking to
> :-D

> But seriously, your choices are a bit limited, you can use ADUC on a
> windows machine, this involves creating a user and then adding the
> required attributes with the UNIX attributes tab. You could create your
> users with samba-tool, but you will need the latest samba 4 to get all
> the required attributes and you will still have to keep a record of the
> uidNumbers & gidNumbers you have used, samba-tool will not do this.
> Other than this, you can write your own scripts in your favourite
> computer language.

That's kind of not what I would expect from a Linux system.
smbldap-tools were crude, but an order of magnitude more effective, as they allowed me to have a working installation for years without an issue other than the inability to correctly join the only Win7 machine I had in the network.

I have ~50 users in the domain, of them, 10 are Linux systems and 6 Windows, 25 are users that are accessing Linux systems directly in one way or another, so they do need a correct uidNumber at all times, and 8 that only access the Linux file server through a Samba share. While not necessary, I would still like to see their SIDs resolved to uid properly when viewing the share from the Linux side.
The last account? That is me. It has uid=1000 and is basically duplicated on all Linux systems already.

--
With best regards,
Andrey Repin
Thursday, April 9, 2015 19:10:25

Sorry for my terrible English...
Rowland Penny
2015-Apr-09 16:39 UTC
On 09/04/15 17:17, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
>>> I've added a few domain users/groups for test, but they don't have ?idNumber,
>>> even though the relevant schema is loaded?
>>> How can I tell it to include relevant schema for all newly created
>>> users/groups?
>>
>> Well, you could try walking up to the DC and giving it a good talking to
>> :-D
>> But seriously, your choices are a bit limited, you can use ADUC on a
>> windows machine, this involves creating a user and then adding the
>> required attributes with the UNIX attributes tab. You could create your
>> users with samba-tool, but you will need the latest samba 4 to get all
>> the required attributes and you will still have to keep a record of the
>> uidNumbers & gidNumbers you have used, samba-tool will not do this.
>> Other than this, you can write your own scripts in your favourite
>> computer language.
>
> That's kind of not what I would expect from a Linux system.
> smbldap-tools were crude, but an order of magnitude more effective, as they
> allowed me to have a working installation for years without an issue other than
> the inability to correctly join the only Win7 machine I had in the network.
> I have ~50 users in the domain, of them, 10 are Linux systems and 6 Windows,
> 25 are users that are accessing Linux systems directly in one way or another, so
> they do need a correct uidNumber at all times, and 8 that only access the Linux file
> server through a Samba share. While not necessary, I would still like to see
> their SIDs resolved to uid properly when viewing the share from the Linux side.
> The last account? That is me. It has uid=1000 and is basically duplicated on
> all Linux systems already.

Well tough, the smbldap-tools were written to do a job, map Windows users to Unix users and vice versa. So what you need now is something to do the same, except you don't have separate Unix users any more, just users in AD who can also be Unix users.

If you want your Unix users to have the same IDs everywhere, you need to use the RFC2307 attributes, at the moment, how the attributes get into AD is up to you, use ADUC, samba-tool or write your own scripts.

Rowland
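Added example, not part of the original posts: a Python version of the "write your own scripts" route mentioned above, which finds AD users lacking uidNumber, assigns each the lowest unused ID, and emits LDIF modify records for the RFC2307 attributes. The sample LDIF, the DNs, the ID range, the primary gidNumber and the home-directory layout are all assumptions.

```python
# Added example: allocate RFC2307 IDs for AD users that lack them.
# SAMPLE_LDIF is constructed data shaped like LDAP search output; the DNs,
# the 10000-19999 range, gid 10000 and /home/<name> are assumptions.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10000

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob

dn: CN=carol,CN=Users,DC=example,DC=com
sAMAccountName: carol
uidNumber: 10002
"""

def parse_entries(ldif):
    """Split unwrapped LDIF into one dict per entry (single-valued attrs only)."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        pairs = (line.split(": ", 1) for line in block.splitlines() if ": " in line)
        entries.append({k: v for k, v in pairs})
    return entries

def allocate(entries, low=10000, high=19999):
    """Give each entry without uidNumber the lowest unused ID in [low, high]."""
    used = {int(e["uidNumber"]) for e in entries if "uidNumber" in e}
    plan, candidate = {}, low
    for e in entries:
        if "uidNumber" in e:
            continue
        while candidate in used:
            candidate += 1
        if candidate > high:
            raise RuntimeError("ID range exhausted")
        used.add(candidate)
        plan[e["dn"]] = (e["sAMAccountName"], candidate)
    return plan

def to_ldif(plan, gid=10000, shell="/bin/bash"):
    """Render modify records that add the RFC2307 attributes."""
    out = []
    for dn, (name, uid) in plan.items():
        attrs = [("uidNumber", uid), ("gidNumber", gid),
                 ("unixHomeDirectory", f"/home/{name}"), ("loginShell", shell)]
        body = "\n-\n".join(f"add: {a}\n{a}: {v}" for a, v in attrs)
        out.append(f"dn: {dn}\nchangetype: modify\n{body}\n")
    return "\n".join(out)

if __name__ == "__main__":
    print(to_ldif(allocate(parse_entries(SAMPLE_LDIF))))
```

The output is in the LDIF modify form that ldbmodify or ldapmodify accepts. IDs of deleted accounts no longer appear in the directory, so keep a persistent record of the highest ID handed out to avoid giving a new user ownership of a former user's files.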
Luca Olivetti
2015-Apr-09 18:28 UTC
On 09/04/15 at 18:39, Rowland Penny wrote:

> If you want your Unix users to have the same IDs everywhere, you need to
> use the RFC2307 attributes, at the moment, how the attributes get into
> AD is up to you, use ADUC, samba-tool or write your own scripts.

The problem that both Andrey and I are facing (and I'm sure we're not the only ones) is that to manage users with samba3+openldap there were several tools available, both command line and web based (e.g. I'm currently using an old version of ldap account manager so that non-technical staff can manage users).

Now that I'm planning a migration to samba 4 I see that there are no ready-made tools to do the same.
Yes, you can do everything with ADUC but you have to install it first and then the sequence of steps to get everything (AD+unix attributes) right is cumbersome, and even then I have to write some tools that do the "unixy" things I'm currently doing automatically once a user is created, like creating a mailbox and a home directory.

Not that I'm complaining, it's just something I have to keep in mind and allocate time for.

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007
Andrey Repin
2015-Apr-09 18:41 UTC
Greetings, Rowland Penny!

> well tough, the smbldap-tools were written to do a job, map windows
> users to unix users and vice versa.

No. smbldap-tools were doing exactly the same as AD does: kept all users in one database.

> So what you need now is something to do the same, except you don't have
> separate Unix users any more,

I never had separate unix users ever (aside from one user - myself, but that was more of a requirement of the OS installation process).

> just users in AD who can also be Unix users.

> If you want your Unix users to have the same IDs everywhere, you need to
> use the RFC2307 attributes,

Already.

> at the moment, how the attributes get into AD is up to you, use ADUC,

Time-consuming, requires an available Win7 machine. In short - not an option.

> samba-tool

Doesn't work, as evidently demonstrated recently in the list.

> or write your own scripts.

The problem with any homemade script is that it isn't portable, and only goes as far as the script writer's understanding of the things at hand.
My personal understanding of the AD schema is very limited. I could throw something together, but in reality, I'd rather not do anything like that myself.

All that being said, I see the situation as very disturbing. The lack of the very basic, essential tools to manage user/group creation... I'm speechless.

--
With best regards,
Andrey Repin
Thursday, April 9, 2015 21:34:27

Sorry for my terrible English...