samba - Sep 2012 - samba4: samba-tool and (unix) uids

Hello,

at my universities CS computer pools we're trying to migrate our
samba3 based NT domain to AD with samba4-rc1. 
In the past we had a little script which our users could run on their
own from their linux account which created a samba user with
their own uid/gid and set their password (via smbpasswd).

We're trying to recreate this behaviour with "samba-tool user
create" but we couldn't
find a parameter to set the mapping SID <-> uid. 
Without the correct mapping we can't get the users profile/home permissions
right.

Will we have to manually correct the private/idmap.ldb each time we
add a user or are we missing something? Is it save to edit the idmap on
the fly?

With kind regards,
Thomas


-- 
Thomas Karmann                             Department of Computer Science IV
Martensstrasse 1  D-91058 Erlangen Germany  University of Erlangen-Nuremberg
                 http://wwwcip.informatik.uni-erlangen.de/

Hello,

perhaps fixing the problem mentioned by my colleague, please see the attached
patch to samba-tool.

It adds an option to create a UID/SID mapping when creating a user, replacing
the ldbedit step in
https://wiki.samba.org/index.php/Samba4/HOWTO#Step_1:_Adding_Users_into_Samba_4_Active_Directory
by
samba-tool create user alice --match-unix-uid --unix-uid 12345

I guess using samba-tool this way will not work on a remote server since using
IDmapDB needs access to the local ldb files. Also, perhaps some similar
mechanism
for groups should be implemented.



Ciao,

Alexander Wuerstlein.

From: Alexander Wuerstlein <arw at arw.name>

Reads Unix UID from NSS or commandline and creates a
UID/SID mapping when creating a new user.
---
 source4/scripting/python/samba/netcmd/user.py |   38 ++++++++++++++++++++----
 1 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/source4/scripting/python/samba/netcmd/user.py
b/source4/scripting/python/samba/netcmd/user.py
index 1172f4e..44a37fd 100644
--- a/source4/scripting/python/samba/netcmd/user.py
+++ b/source4/scripting/python/samba/netcmd/user.py
@@ -22,6 +22,8 @@ import ldb
 from getpass import getpass
 from samba.auth import system_session
 from samba.samdb import SamDB
+from samba.idmap import IDmapDB
+import pwd
 from samba import (
     dsdb,
     gensec,
@@ -48,6 +50,8 @@ A user account enables a user to logon to a computer and
domain with an identity
 
 The command may be run from the root userid or another authorized userid.  The
-H or --URL= option can be used to execute the command against a remote server.
 
+With --match-unix-uid a SID/UID-mapping is created for the new user which is
used to map filesystem permissions from Unix filesystems to Windows. Optionally,
a UID can be explicitly given via --unix-uid, without an explicit UID NSS is
used to obtain the UID if possible. Creation of a SID/UID-mapping is not
possible when running samba-tool on a remote server.
+
 Example1:
 samba-tool user add User1 passw0rd --given-name=John --surname=Smith
--must-change-at-next-login -H ldap://samba.samdom.example.com
-Uadministrator%passw1rd
 
@@ -63,6 +67,11 @@ samba-tool user add User3 passw3rd --userou=OrgUnit
 
 Example3 shows how to create a new user in the OrgUnit organizational unit.
 
+Example4:
+samba-tool user create unixgod passw4rd --match-unix-uid --unix-uid 31337
+
+Example4 shows how to create a new user and map his windows SID to his Unix UID
31337.
+
 """
     synopsis = "%prog <username> [<password>] [options]"
 
@@ -96,6 +105,8 @@ Example3 shows how to create a new user in the OrgUnit
organizational unit.
         Option("--internet-address", help="User's home
page", type=str),
         Option("--telephone-number", help="User's phone
number", type=str),
         Option("--physical-delivery-office", help="User's
office location", type=str),
+        Option("--match-unix-uid", help="Set User's Unix UID
from NSS or from --unix-uid", action="store_true"),
+        Option("--unix-uid", help="Unix UID of the new
user", type=str),
     ]
 
     takes_args = ["username", "password?"]
@@ -107,13 +118,12 @@ Example3 shows how to create a new user in the OrgUnit
organizational unit.
         }
 
     def run(self, username, password=None, credopts=None, sambaopts=None,
-            versionopts=None, H=None, must_change_at_next_login=False,
-            random_password=False, use_username_as_cn=False, userou=None,
-            surname=None, given_name=None, initials=None, profile_path=None,
-            script_path=None, home_drive=None, home_directory=None,
+            versionopts=None, H=None, must_change_at_next_login=False,
random_password=False,
+            use_username_as_cn=False, userou=None, surname=None,
given_name=None, initials=None,
+            profile_path=None, script_path=None, home_drive=None,
home_directory=None,
             job_title=None, department=None, company=None, description=None,
-            mail_address=None, internet_address=None, telephone_number=None,
-            physical_delivery_office=None):
+            mail_address=None, internet_address=None, telephone_number=None,
physical_delivery_office=None,
+            match_unix_uid=False, unix_uid=None):
 
         if random_password:
             password = generate_random_password(128, 255)
@@ -133,12 +143,26 @@ Example3 shows how to create a new user in the OrgUnit
organizational unit.
         try:
             samdb = SamDB(url=H, session_info=system_session(),
                           credentials=creds, lp=lp)
-            samdb.newuser(username, password,
force_password_change_at_next_login_req=must_change_at_next_login,
+            samdb.newuser(username, password,
+                         
force_password_change_at_next_login_req=must_change_at_next_login,
                           useusernameascn=use_username_as_cn, userou=userou,
surname=surname, givenname=given_name, initials=initials,
                           profilepath=profile_path, homedrive=home_drive,
scriptpath=script_path, homedirectory=home_directory,
                           jobtitle=job_title, department=department,
company=company, description=description,
                           mailaddress=mail_address,
internetaddress=internet_address,
                           telephonenumber=telephone_number,
physicaldeliveryoffice=physical_delivery_office)
+            if match_unix_uid:
+		idmap = IDmapDB(lp=lp)
+		sids = samdb.search(samdb.get_default_basedn(), scope=ldb.SCOPE_SUBTREE,
+			expression=("(&(objectClass=user)(samaccountname=%s))" %
username),
+			attrs=["objectSid"])
+		if (len(sids) != 1):
+			raise CommandError("Failed to set Unix UID for '%s'" %
username, e)
+		if not unix_uid:
+			pwent = pwd.getpwnam(username)
+			unix_uid = pwent[2]
+		sid = samdb.schema_format_value("objectSid",
sids[0]["objectSid"][0])
+		self.outf.write("User '%s' matched to UID '%u' and SID
'%s'\n" % (username,unix_uid,sid))
+		idmap.setup_name_mapping(sid, idmap.TYPE_UID, unix_uid)
         except Exception, e:
             raise CommandError("Failed to add user '%s': " %
username, e)
 
-- 
1.7.2.5

2012-09-24 22:52 keltez?ssel, Thomas Karmann ?rta:
> Hello,
>
> at my universities CS computer pools we're trying to migrate our
> samba3 based NT domain to AD with samba4-rc1.
> In the past we had a little script which our users could run on their
> own from their linux account which created a samba user with
> their own uid/gid and set their password (via smbpasswd).
>
> We're trying to recreate this behaviour with "samba-tool user
create" but we couldn't
> find a parameter to set the mapping SID <-> uid.
> Without the correct mapping we can't get the users profile/home
permissions right.
>
> Will we have to manually correct the private/idmap.ldb each time we
> add a user or are we missing something? Is it save to edit the idmap on
> the fly?
>
> With kind regards,
> Thomas
>
>
Hi,

If you migrate via samba-tool classicupgrade it takes care of migrating 
existing uids gids shells and homedirectories to samba4. At the same 
time it sets idmap_ldb:use rfc2307 = yes in the global section of Samba4 
smb.conf. That means, that Samba4 winbind retrieves uids, gids from the 
directory.
Because of that you don't need to fiddle with idmap.ldb. So until 
samba-tool gets support for manipulating posix attributes I would 
recommend setting up those attributes by ldmodify against the directory 
(or if you prefer a gui via ADUC (if you install RSAT on Windows Vista/7))

Regards

Geza Gemes

On Tue, 2012-09-25 at 00:19 +0200, Alexander Wuerstlein
wrote:
> From: Alexander Wuerstlein <arw at arw.name>
> 
> Reads Unix UID from NSS or commandline and creates a
> UID/SID mapping when creating a new user.
As G?mes G?za mentions this really needs to honour idmap_ldb:use rfc2307
= yes and set it in the sam.ldb if that is set, and while useful in the
general case, for the case you are targeting, the classicupgrade will
work better.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org