I'm testing the upgrade of some domains from NT mode (LDAP backend) to AD mode.

In NT mode I was (ab)used to using the smbldap-tools for user management, and I've also extended them a bit to manage, e.g., email aliases and forwarding.

Now, in AD mode, I can rely only on samba-tool, and it seems to me that something is missing. Apart from the 'reset password' in the other thread, for example:

a) I've not found a way to modify a user: I can create and delete, but not modify it (as smbldap-usermodify does).

b) group management seems to me only ''group centric'', e.g. I can manage membership in groups, but not in users; e.g., I can modify the members of a group, but not the groups of a user (as smbldap-usermodify does).

I'm simply ''confused'' by that, I'm asking only for some feedback. I've been looking at Samba4 and AD domains only for some weeks, so probably there's a good reason to do so, and I don't see it...

But I also ask a more generic question: smbldap-tools was Perl code, modular, and it was very easy to reuse most of the code to make some ''extensions''.

I want to create some ''samba-user'' addon script; is there some code documentation/walkthrough/examples... I can read? All the (modules) code is here, right?
https://github.com/samba-team/samba/tree/master/python/samba/netcmd

Thanks.

-- 
Dr. Marco Gaiarin                                   GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

  Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
  http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
  (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
On Wed, 21 Jun 2017 18:52:59 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> I'm testing the upgrade of some domains from NT mode (LDAP backend) to AD mode.
>
> In NT mode I was (ab)used to using the smbldap-tools for user management, and I've also extended them a bit to manage, e.g., email aliases and forwarding.
>
> Now, in AD mode, I can rely only on samba-tool, and it seems to me that something is missing. Apart from the 'reset password' in the other thread, for example:
>
> a) I've not found a way to modify a user: I can create and delete, but not modify it (as smbldap-usermodify does).

smbldap-tools wasn't a Samba tool, but samba-tool is, and there are several gaps in what it can do. So you need to do what the writers of smbldap-tools did: write your own scripts.

> b) group management seems to me only ''group centric'', e.g. I can manage membership in groups, but not in users; e.g., I can modify the members of a group, but not the groups of a user (as smbldap-usermodify does).

Not sure what you are getting at here. If you add a user to a group in AD, you not only get a record in the group object, you also get a record in the user's object:

dn: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
.....
member: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com

dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
.....
memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com

So you don't have to modify the user at all. Again, samba-tool can do things like this for you, see 'samba-tool group --help'.

> I'm simply ''confused'' by that, I'm asking only for some feedback. I've been looking at Samba4 and AD domains only for some weeks, so probably there's a good reason to do so, and I don't see it...
>
> But I also ask a more generic question: smbldap-tools was Perl code, modular, and it was very easy to reuse most of the code to make some ''extensions''.
>
> I want to create some ''samba-user'' addon script; is there some code documentation/walkthrough/examples... I can read? All the (modules) code is here, right?
> https://github.com/samba-team/samba/tree/master/python/samba/netcmd
>
> Thanks.

Yes, that is the Python code for most of 'samba-tool'.

Rowland
Hi! Rowland Penny via samba, that day, wrote...

> smbldap-tools wasn't a Samba tool, but samba-tool is, and there are several gaps in what it can do. So you need to do what the writers of smbldap-tools did: write your own scripts.

OK. Good. Thanks.

-- 
Marco Gaiarin
Hi! Rowland Penny via samba, that day, wrote...

Sorry, I come back to that:

> Not sure what you are getting at here. If you add a user to a group in AD, you not only get a record in the group object, you also get a record in the user's object:
>
> dn: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
> .....
> member: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>
> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> .....
> memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
>
> So you don't have to modify the user at all. Again, samba-tool can do things like this for you, see 'samba-tool group --help'.

Because I'm not clear on how group management works in AD. I'm using 'Active Directory Users and Computers', so I think a pretty standard tool. Some questions.

a) I've not found 'member' in the user object.

b) memberships are accounted for in groups via the 'member' field of the group object. Memberships are expressed as full user DNs.

c) if, for the group object, I add some members in 'UNIX Attributes', they are not saved (e.g., if I add some users and do 'Apply' and then 'OK', when I come back to the group the UNIX Attributes membership is empty).

d) if, for a user, I set a primary group in 'Member of' (NOT UNIX Attributes), the user object gets a 'primaryGroupID' attribute with the RID of the group, and the relative 'member' entry in the group DISAPPEARS. Argh!

So, it seems to me that:

1) probably through my own fault, some of the UNIX data (e.g., group membership) does not work. I think it may also be irrelevant, because winbind/sssd get UNIX membership another way (e.g., ''Windows'' membership and not UNIX/rfc2203 ones).

2) if I need to know which users belong to group 'X', I have to collect all DNs listed in 'member' of that group, AND all users that have the RID of the group as 'primaryGroupID'.

I'm again a bit confused... ;-(((

-- 
Marco Gaiarin
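The two places AD records a user's groups, as discussed in Rowland's reply above (the `member` forward link and the derived `memberOf` back-link) and in Marco's point 2) (the `primaryGroupID` attribute), as an added worked example that is not code from the thread or from Samba. It models a small constructed directory in plain Python dicts (the DNs reuse the thread's samdom.example.com names; the SIDs and RIDs are made up, apart from the well-known Domain Users RID 513), resolves effective membership from both sources, and models in `set_primary_group` the ADUC behaviour Marco describes in d). No Samba libraries are needed, so it runs offline; against a real domain the same logic would be fed with search results from samba-tool or ldbsearch.

```python
"""Effective AD group membership from 'member' and 'primaryGroupID'.

Added example, not code from the thread or from Samba. AD records a
user's groups in two places:

  1. group.member (forward link). user.memberOf is a back-link the
     directory derives from it, so nothing is written on the user object.
  2. user.primaryGroupID holds only the RID of the primary group, and
     that user is NOT listed in the group's 'member'.

So "who is in group X" must take the union of both sources.
"""
from typing import Dict, List

Entry = Dict[str, object]  # attribute name -> str or list of str

DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"  # constructed domain SID

USERS_OU = "CN=Users,DC=samdom,DC=example,DC=com"
DOMAIN_USERS = f"CN=Domain Users,{USERS_OU}"   # RID 513 is the real well-known RID
UNIXGROUP = f"CN=Unixgroup,{USERS_OU}"
ROWLAND = f"CN=Rowland Penny,{USERS_OU}"
MARCO = f"CN=Marco Gaiarin,{USERS_OU}"


def sid(rid: int) -> str:
    return f"{DOMAIN_SID}-{rid}"


def rid_of(entry: Entry) -> int:
    """The RID is the last sub-authority of objectSid."""
    return int(str(entry["objectSid"]).rsplit("-", 1)[1])


def sample_directory() -> Dict[str, Entry]:
    """Constructed sample data. Marco's primary group is Unixgroup, so he
    is reachable only via primaryGroupID and never appears in its 'member'."""
    return {
        DOMAIN_USERS: {"objectClass": ["group"], "objectSid": sid(513), "member": [MARCO]},
        UNIXGROUP: {"objectClass": ["group"], "objectSid": sid(1105), "member": [ROWLAND]},
        ROWLAND: {"objectClass": ["user"], "objectSid": sid(1104), "primaryGroupID": "513"},
        MARCO: {"objectClass": ["user"], "objectSid": sid(1106), "primaryGroupID": "1105"},
    }


def group_members(directory: Dict[str, Entry], group_dn: str) -> List[str]:
    """Explicit 'member' values plus every user whose primaryGroupID equals
    the group's RID (the source that is easy to forget)."""
    group = directory[group_dn]
    rid = rid_of(group)
    found = set(group.get("member", []))
    for dn, attrs in directory.items():
        if "user" in attrs.get("objectClass", []) and int(attrs.get("primaryGroupID", -1)) == rid:
            found.add(dn)
    return sorted(found)


def member_of(directory: Dict[str, Entry], user_dn: str) -> List[str]:
    """Derive the memberOf back-link: groups whose 'member' lists the DN.
    As in AD, the primary group is absent, because it has no forward link."""
    return sorted(
        dn for dn, attrs in directory.items()
        if "group" in attrs.get("objectClass", []) and user_dn in attrs.get("member", [])
    )


def set_primary_group(directory: Dict[str, Entry], user_dn: str, group_dn: str) -> Dict[str, Entry]:
    """Model 'Set Primary Group' in ADUC as observed in the thread: the user
    must already be a 'member' of the new group; primaryGroupID becomes the
    group's RID; the DN is removed from the new group's 'member'; and the
    old primary group (which had no forward link) gets an explicit 'member'
    entry so that membership is not lost. Returns a modified copy."""
    new = {dn: {k: (list(v) if isinstance(v, list) else v) for k, v in attrs.items()}
           for dn, attrs in directory.items()}
    user, group = new[user_dn], new[group_dn]
    if user_dn not in group["member"]:
        raise ValueError("user must be a member of the group before it can be the primary group")
    old_rid = int(user["primaryGroupID"])
    for attrs in new.values():
        if "group" in attrs["objectClass"] and rid_of(attrs) == old_rid and user_dn not in attrs["member"]:
            attrs["member"].append(user_dn)
    group["member"].remove(user_dn)
    user["primaryGroupID"] = str(rid_of(group))
    return new


if __name__ == "__main__":
    d = sample_directory()
    print("Unixgroup members:", group_members(d, UNIXGROUP))
    print("Marco memberOf   :", member_of(d, MARCO))   # Unixgroup is missing: it is his primary group
```

The point of `group_members` is that an LDAP filter such as `(memberOf=<group DN>)` silently misses everyone whose primary group is that group; a tool that lists or exports members has to add a second query on `(primaryGroupID=<RID>)`.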