Matthias Leopold
2021-Apr-02 10:22 UTC
[Samba] Maintaining Unix Attributes in AD using ADUC?
Hi,

after reading the documentation on RFC2307 attributes in Samba AD I still wasn't sure if UID/GID attributes would be _automatically_ assigned to new users/groups that were added with _ADUC_.

wiki.samba.org says:
"When using the ADUC utility, the user and group IDs are automatically tracked inside AD and incremented when creating a new user or group."
(https://wiki.samba.org/index.php/Idmap_config_ad)

"Every time a UID/GID number is assigned using Active Directory Users and Computers (ADUC), the next UID/GID number is stored inside the Active Directory. By default, ADUC starts assigning UID and GID numbers at 10000."
(https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC)

Now I tried it with a domain where RFC2307 was set up after provisioning
(https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Installing_the_NIS_Extensions).
Additionally I set msSFU30MaxUidNumber/msSFU30MaxGidNumber to custom values.

I then created a user in ADUC, but uidnumber wasn't assigned, same for group and gidnumber. The question is: should these attributes have been assigned automatically? Did I miss something or is this not supposed to happen?
To me this is essential, because I want to delegate group creation in AD to users, so if automatic GID assignment doesn't work I can't use RFC2307 in Samba AD.

thx
Matthias
On 02/04/2021 11:22, Matthias Leopold via samba wrote:
> Hi,
>
> after reading the documentation on RFC2307 attributes in Samba AD I
> still wasn't sure if UID/GID attributes would be _automatically_
> assigned to new users/groups that were added with _ADUC_.
>
> wiki.samba.org says:
> "When using the ADUC utility, the user and group IDs are automatically
> tracked inside AD and incremented when creating a new user or group."
> (https://wiki.samba.org/index.php/Idmap_config_ad)
>
> "Every time a UID/GID number is assigned using Active Directory Users
> and Computers (ADUC), the next UID/GID number is stored inside the
> Active Directory. By default, ADUC starts assigning UID and GID
> numbers at 10000."
> (https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC)
>
> Now I tried it with a domain where RFC2307 was set up after
> provisioning
> (https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Installing_the_NIS_Extensions).
> Additionally I set msSFU30MaxUidNumber/msSFU30MaxGidNumber to custom
> values.
>
> I then created a user in ADUC, but uidnumber wasn't assigned, same for
> group and gidnumber. The question is: should these attributes have
> been assigned automatically? Did I miss something or is this not
> supposed to happen?
> To me this is essential, because I want to delegate group creation in
> AD to users, so if automatic GID assignment doesn't work I can't use
> RFC2307 in Samba AD.
>
> thx
> Matthias
>

Do you have the Unix attributes tabs? Or to put it another way, are you using Windows 10, which does not have them?

Whilst Samba still has the ldap framework that the Unix Attributes tab relies on (Microsoft called it IDMU), Windows 10 no longer uses (or provides) IDMU.

You can use samba-tool to create users and groups with RFC2307, but you will have to maintain the next Unix ID yourself.

This is also ADMan, see here:
https://gitlab.com/JonathonReinhart/adman

Rowland
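
One way to maintain the next GID yourself when creating groups with samba-tool, as an added example that is not part of the original thread or of Samba itself. It reserves the number with a delete-old-value/add-new-value modify, so two admins cannot hand out the same GID (a duplicate GID silently gives one group's file access to another). The sam.ldb path, NIS domain and base DN are placeholders; the function names are hypothetical.

```shell
#!/bin/bash
# Placeholders: adjust to your DC before use.
SAM=/usr/local/samba/private/sam.ldb   # assumption: source-build default path
NIS_DOMAIN=samdom                      # placeholder NIS domain
BASE_DN='DC=samdom,DC=example,DC=com'  # placeholder domain DN
# Object that holds msSFU30MaxUidNumber / msSFU30MaxGidNumber
COUNTER_DN="CN=$NIS_DOMAIN,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,$BASE_DN"

# Print the first value of attribute $1 from ldbsearch LDIF output on stdin.
ldif_value() {
    awk -v attr="$1" -F': ' 'tolower($1) == tolower(attr) { print $2; exit }'
}

# Emit LDIF that moves counter $1 from $2 to $2+1 only if it still holds $2.
# Deleting the exact old value fails when someone else changed it first.
reserve_ldif() {
    local attr=$1 current=$2
    case $current in
        ''|*[!0-9]*) echo "bad counter value: '$current'" >&2; return 1 ;;
    esac
    printf 'dn: %s\nchangetype: modify\ndelete: %s\n%s: %s\n-\nadd: %s\n%s: %s\n' \
        "$COUNTER_DN" "$attr" "$attr" "$current" "$attr" "$attr" "$((current + 1))"
}

# Reserve the next GID first, then create the group with it. If group
# creation fails afterwards, one number is skipped, never reused.
add_unix_group() {
    local name=$1 gid ldif
    gid=$(ldbsearch -H "$SAM" -b "$COUNTER_DN" -s base '(objectClass=*)' \
              msSFU30MaxGidNumber | ldif_value msSFU30MaxGidNumber)
    ldif=$(reserve_ldif msSFU30MaxGidNumber "$gid") || return 1
    printf '%s\n' "$ldif" | ldbmodify -H "$SAM" || return 1
    samba-tool group add "$name" --gid-number="$gid" --nis-domain="$NIS_DOMAIN"
}

# Usage on a DC, as root:  add_unix_group projectx
```
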