On Fri, 19 Dec 2014 09:17:25 +0100
Tim <rintimtim at gmx.net> wrote:

> I think Rowland meant to use rfc2307 attributes in your domain.
> Therefore it is needed to provision your domain with --use-rfc2307
> parameter. When you have done this the schema doesn't need to be
> extended.

Hmmm, well, I used rfc2307 on one of my previous attempts, but still saw no
way to set the UID to what I wanted them to be. They were something
like 5 or 6 digit numbers.

So is there a way to force a particular UID, meaning can I create
account smith with UID 553 in a Samba DC?

My plan is, after I figure this out, to script the process and
feed /etc/passwd into the AD.

At the moment I do not have an MS-Windows box here yet, so I can not
check what is shown in an MS-Windows control panel.

This task is in preparation for the arrival of a small flock of
ms-windows boxes that are coming in for a special project, but they
need to be integrated with the existing network of FreeBSD, Solaris,
GNU/Linux and Mac OSX boxes, all of which are using NIS and NFS. Since
they can all authenticate against LDAP and Kerberos (AKA AD) my plan is
to just move over to AD on a samba box, but if a user is on a
Windows box I need him to have the same UID on created files as if he
was on a Unix box.

Did I miss something with smbpasswd or pdbedit where I can set a specific
UID just like I can by editing /etc/passwd?


Here is something interesting.....

root at prd2:/home/wynkoop # pdbedit -L | grep wynkoop
wynkoop:34:
root at prd2:/home/wynkoop #

root at prd2:/home/wynkoop # id wynkoop
uid=34(wynkoop) gid=34(wynkoop) groups=34(wynkoop),0(wheel),80(www)
root at prd2:/home/wynkoop #


root at prd2:/home/wynkoop # pdbedit -Lv wynkoop

(config output snipped)

ldb_wrap open of idmap.ldb
Home server:          prd2
Home server:          prd2
Unix username:        wynkoop
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-3503051414-2097048719-4239445089-1105
Primary Group SID:    S-1-5-21-3503051414-2097048719-4239445089-513
Full Name:
Home Directory:
HomeDir Drive:        (null)
Logon Script:
Profile Path:
Domain:
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          0
Kickoff time:         never
Password last set:    Mon, 15 Dec 2014 15:17:39 EST
Password can change:  Mon, 15 Dec 2014 15:17:39 EST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Nowhere in the verbose output do I see 34, and then we have this:

root at prd2:/archive/test # ls -l
total 1
-rw-r--r--  1 3000014  wheel  236 Dec 19 03:50 hosts
root at prd2:/archive/test #


Hosts was transferred into that directory using smbclient from another
box and as you can see the owner is a user that does not exist on the
system. How the heck did it come up with a UID of 3000014?

So I think I am getting more confused as things go along. I have a
mind to deinstall everything, remove all the database files and try
again from scratch, but that still leaves the burning question: how do I
do something like this:

root at prd2:/archive/test # adduser
Username: bew
Full name: B^C
root at prd2:/archive/test # adduser
Username: example
Full name: Ex Ample
Uid (Leave empty for default): 554
Login group [example]:
Login group is example. Invite example into other groups? []:


with Samba. I suppose I could drop back to samba 2 or 3, or run in
legacy mode, but that is not what I would consider optimal.

Thanks!

-Brett

--
wynkoop at wynn.com
http://prd4.wynn.com/wynkoop/pgp-keys.txt
917-642-6925
929-272-0000

A free people ought to be armed.
- George Washington
On 19/12/14 09:06, Brett Wynkoop wrote:
> On Fri, 19 Dec 2014 09:17:25 +0100
> Tim <rintimtim at gmx.net> wrote:
>
>> I think Rowland meant to use rfc2307 attributes in your domain.
>> Therefore it is needed to provision your domain with --use-rfc2307
>> parameter. When you have done this the schema doesn't need to be
>> extended.
> Hmmm, well, I used rfc2307 on one of my previous attempts, but still saw no
> way to set the UID to what I wanted them to be. They were something
> like 5 or 6 digit numbers.
>
> So is there a way to force a particular UID, meaning can I create
> account smith with UID 553 in a Samba DC?
>
> My plan is, after I figure this out, to script the process and
> feed /etc/passwd into the AD.
>
> At the moment I do not have an MS-Windows box here yet, so I can not
> check what is shown in an MS-Windows control panel.
>
> This task is in preparation for the arrival of a small flock of
> ms-windows boxes that are coming in for a special project, but they
> need to be integrated with the existing network of FreeBSD, Solaris,
> GNU/Linux and Mac OSX boxes, all of which are using NIS and NFS. Since
> they can all authenticate against LDAP and Kerberos (AKA AD) my plan is
> to just move over to AD on a samba box, but if a user is on a
> Windows box I need him to have the same UID on created files as if he
> was on a Unix box.
>
> Did I miss something with smbpasswd or pdbedit where I can set a specific
> UID just like I can by editing /etc/passwd?
>
>
> Here is something interesting.....
>
> root at prd2:/home/wynkoop # pdbedit -L | grep wynkoop
> wynkoop:34:
> root at prd2:/home/wynkoop #
>
> root at prd2:/home/wynkoop # id wynkoop
> uid=34(wynkoop) gid=34(wynkoop) groups=34(wynkoop),0(wheel),80(www)
> root at prd2:/home/wynkoop #
>
>
> root at prd2:/home/wynkoop # pdbedit -Lv wynkoop
>
> (config output snipped)
>
> ldb_wrap open of idmap.ldb
> Home server:          prd2
> Home server:          prd2
> Unix username:        wynkoop
> NT username:
> Account Flags:        [U          ]
> User SID:             S-1-5-21-3503051414-2097048719-4239445089-1105
> Primary Group SID:    S-1-5-21-3503051414-2097048719-4239445089-513
> Full Name:
> Home Directory:
> HomeDir Drive:        (null)
> Logon Script:
> Profile Path:
> Domain:
> Account desc:
> Workstations:
> Munged dial:
> Logon time:           0
> Logoff time:          0
> Kickoff time:         never
> Password last set:    Mon, 15 Dec 2014 15:17:39 EST
> Password can change:  Mon, 15 Dec 2014 15:17:39 EST
> Password must change: never
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
> Nowhere in the verbose output do I see 34, and then we have this:
>
> root at prd2:/archive/test # ls -l
> total 1
> -rw-r--r--  1 3000014  wheel  236 Dec 19 03:50 hosts
> root at prd2:/archive/test #
>
>
> Hosts was transferred into that directory using smbclient from another
> box and as you can see the owner is a user that does not exist on the
> system. How the heck did it come up with a UID of 3000014?
>
> So I think I am getting more confused as things go along. I have a
> mind to deinstall everything, remove all the database files and try
> again from scratch, but that still leaves the burning question: how do I
> do something like this:
>
> root at prd2:/archive/test # adduser
> Username: bew
> Full name: B^C
> root at prd2:/archive/test # adduser
> Username: example
> Full name: Ex Ample
> Uid (Leave empty for default): 554
> Login group [example]:
> Login group is example. Invite example into other groups? []:
>
>
> with Samba. I suppose I could drop back to samba 2 or 3, or run in
> legacy mode, but that is not what I would consider optimal.
>
> Thanks!
>
> -Brett
>
>

OK, when you create a Windows user, they get a SID-RID: the SID identifies
the domain and the RID is the user's unique ID number. The same goes for
groups. An example of a SID-RID would be:

S-1-5-21-3623811015-3361044348-30300820-1013

The SID being: S-1-5-21-3623811015-3361044348-30300820
and the RID: 1013

From the example, you can see that this is no good for Unix, so you need
to map these numbers to something that Unix understands, or use something
else. This is where the RFC2307 attributes come in, amongst which are
'uidNumber' & 'gidNumber'; this is where you can set the user's or group's
Unix ID.

You can set these numbers to whatever you need, but having said that, I
am struggling to understand why you need to map/use numbers like '50'.
These low numbers on Unix are usually used for programs that run on Unix
(apache, bind, etc) that do not really need to be in AD.

If you feel that you want to take this discussion off-list, then contact
me direct.

Rowland
On 19/12/14 10:06, Brett Wynkoop wrote:
>
> So is there a way to force a particular UID, meaning can I create
> account smith with UID 553 in a Samba DC?

Yes. Simply add:
uidNumber: 553
to the user's entry. That gets it into the database. You can use sssd
or winbind to get it out.
HTH
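To put Rowland's SID/RID explanation and Steve's "add uidNumber: 553 to the user's entry" into working form, here is an added example (not code from this thread or from the Samba project) that does what Brett plans: read /etc/passwd-style lines and emit an LDIF that sets uidNumber, gidNumber, unixHomeDirectory, loginShell and gecos on the matching AD user objects. It assumes the domain was provisioned with --use-rfc2307 and that users sit at CN=<username>,CN=Users,<base DN> (where samba-tool puts them by default); DC=example,DC=com is a placeholder base DN, and all passwd lines other than wynkoop's uid 34 are constructed.

```python
"""Build an LDIF that sets RFC2307 attributes on Samba AD user objects.

Added example; not code from this thread or from the Samba project. It
assumes the domain was provisioned with --use-rfc2307 and that each user
object lives at CN=<username>,CN=Users,<base DN>, which is where
samba-tool puts users by default.
"""
import base64
import re

# Constructed sample input in /etc/passwd format (7 colon-separated fields).
# uid 34 for wynkoop mirrors the thread; the other lines are made up.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
wynkoop:*:34:34:Brett Wynkoop:/home/wynkoop:/bin/sh
example:*:554:554:Ex Ample:/home/example:/bin/sh
"""

# Domain account SIDs look like S-1-5-21-<a>-<b>-<c>-<rid>.
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
USERNAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]*")


def split_sid(sid):
    """Split a domain account SID into (domain SID, RID).

    The RID is what Windows uses to tell accounts apart; it is not a
    Unix uid, which is why the uidNumber attribute is needed.
    """
    match = DOMAIN_SID_RE.match(sid)
    if match is None:
        raise ValueError("not a domain account SID: %r" % sid)
    return match.group(1), int(match.group(2))


def parse_passwd(text):
    """Parse passwd-format lines into dicts, rejecting malformed lines."""
    users = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d"
                             % (lineno, len(fields)))
        name, _pw, uid, gid, gecos, home, shell = fields
        if not USERNAME_RE.fullmatch(name):
            raise ValueError("line %d: bad user name %r" % (lineno, name))
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def duplicate_uids(users):
    """Return the set of uid values that occur more than once."""
    seen, dups = set(), set()
    for user in users:
        if user["uid"] in seen:
            dups.add(user["uid"])
        seen.add(user["uid"])
    return dups


def ldif_attr(attr, value):
    """Render one attribute line; base64-encode values RFC 2849 forbids in
    plain form (leading space, ':' or '<', trailing space, non-ASCII)."""
    value = str(value)
    plain = (value.isascii() and value.isprintable()
             and not value.startswith((" ", ":", "<"))
             and not value.endswith(" "))
    if plain:
        return "%s: %s" % (attr, value)
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return "%s:: %s" % (attr, encoded)


def to_ldif(users, base_dn, min_uid=1):
    """Emit one 'changetype: modify' record per user with uid >= min_uid.

    'replace' is used instead of 'add' so the file can be applied again
    without error. Raise min_uid (e.g. to 1000) to leave daemon accounts
    such as www out of AD, as Rowland suggests.
    """
    dups = duplicate_uids(users)
    if dups:
        raise ValueError("duplicate uids, refusing: %s" % sorted(dups))
    records = []
    for user in users:
        if user["uid"] < min_uid:
            continue
        attrs = [("uidNumber", user["uid"]), ("gidNumber", user["gid"]),
                 ("unixHomeDirectory", user["home"]),
                 ("loginShell", user["shell"]), ("gecos", user["gecos"])]
        lines = ["dn: CN=%s,CN=Users,%s" % (user["name"], base_dn),
                 "changetype: modify"]
        for attr, value in attrs:
            lines += ["replace: %s" % attr, ldif_attr(attr, value), "-"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    # DC=example,DC=com is a placeholder base DN; use your own.
    print(to_ldif(parse_passwd(SAMPLE_PASSWD), "DC=example,DC=com"))
```

On the DC the output is applied with ldbmodify against sam.ldb (for a source build, `ldbmodify -H /usr/local/samba/private/sam.ldb users.ldif`; packaged installs keep sam.ldb elsewhere), after which `getent passwd wynkoop` through winbind should report uid 34 provided smb.conf carries `idmap_ldb:use rfc2307 = yes`. Until a uidNumber is present, winbind on a DC hands out an xidNumber from idmap.ldb, which starts at 3000000 on a default install; that is where a file owner like 3000014 comes from. The duplicate-uid check matters because two AD accounts sharing one uidNumber would own each other's files once exported over NFS.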
http://www.citi.umich.edu/projects/nfsv4/windows/readme.html?

Best regards
Davor Vusir
--
Sent from my mobile!
--

----- Original message -----
From: "Brett Wynkoop" <wynkoop+samba at wynn.com>
Sent: 2014-12-19 10:06
To: "samba at lists.samba.org" <samba at lists.samba.org>
Cc: "Tim" <rintimtim at gmx.net>
Subject: Re: [Samba] Samba 4 problems
On Fri, 19 Dec 2014 11:35:58 +0100
steve <steve at steve-ss.com> wrote:

> On 19/12/14 10:06, Brett Wynkoop wrote:
> >
> > So is there a way to force a particular UID, meaning can I create
> > account smith with UID 553 in a Samba DC?
>
> Yes. Simply add:
> uidNumber: 553
> to the user's entry. That gets it into the database. You can use sssd
> or winbind to get it out.
> HTH
>
>

Steve,

Thanks for the above, but I found nothing in the pdbedit man page that
I recognize as a way to "Simply add". A pointer would be appreciated.

-Brett

--
wynkoop at wynn.com
http://prd4.wynn.com/wynkoop/pgp-keys.txt
917-642-6925
929-272-0000

A free people ought to be armed.
- George Washington