It is actually rather easy to set the attributes via powershell, and that is probably the best way to add them in a Server 2012 R2 environment.

I wrote a powershell script to do this automatically for users and groups in an entire domain that should be pretty generic to be reused. It also mirrors the logic used in automatic winbind UID/GID generation to be able to coexist in an environment where not all hosts are migrated to rfc2307 yet. If you want it I can give it to you, but as you probably would want to write your own powershell-script you would set properties for users and groups using these two cmdlets and some foreach-logic looping over your search bases, users and groups:

Set-ADUser -Identity $username -Replace @{uidNumber=$uid;gidNumber=$primary_group_gid;unixHomeDirectory=$homedir;loginShell=$login_shell}

Set-ADGroup -Identity $groupname -Replace @{gidNumber=$gid}

On 29 January 2015 at 21:24, Lars Hanke <debian at lhanke.de> wrote:
> On 29.01.2015 at 21:12, Tim wrote:
>>
>> But if they take it away how to set them in future?
>
> If you need NIS, you probably have POSIX systems attached. So you can always
> set RFC2307 attributes from POSIX systems.
>
>> On 29 January 2015 19:50:22 CET, Andrew Bartlett
>> <abartlet at samba.org> wrote:
>>>
>>> On Wed, 2015-01-28 at 17:22 +0100, Tim wrote:
>>>>
>>>> I got the chance to test samba 4 with windows 2012 R2 domain
>>>> controller on its highest functional level.
>>>>
>>>> Possibly it's important to know that M$ says that the "server for NIS
>>>> Tools" which are needed to set rfc attributes are deprecated.
>>>> I could install them but I can't choose a NIS domain anymore in Unix
>>>> attributes.
>>>>
>>>> Will we run into problems with samba4? Is it time for thinking about a
>>>> new idmapping backend? I have an idea for this (based on rid module)
>>>> but I like to know your thoughts.
>>>
>>> Even if they take away the admin tools, the schema changes won't go
>>> away, so don't worry.
>>>
>>> --
>>> Andrew Bartlett                       http://samba.org/~abartlet/
>>> Authentication Developer, Samba Team  http://samba.org
>>> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
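
The foreach loop described in Hans-Kristian's message above, as an added example (not his script and not part of the original thread). It assumes the hosts not yet migrated map IDs as offset plus RID, the way winbind's idmap_rid backend does; $SearchBases, $IdOffset, $HomeRoot, $LoginShell and the two helper functions are hypothetical placeholders.

```powershell
# Added illustration; not the script referenced in the thread.
Import-Module ActiveDirectory

# Hypothetical settings: adjust to your domain and to the winbind idmap range.
$SearchBases = @('OU=Staff,DC=example,DC=com')
$IdOffset    = 100000        # assumed low end of the idmap range on winbind hosts
$HomeRoot    = '/home'
$LoginShell  = '/bin/bash'

function Get-RidFromSid {
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    # The RID is the last sub-authority of the SID string.
    [int]($Sid.Value.Split('-')[-1])
}

function ConvertTo-UnixId {
    param([Parameter(Mandatory)][int]$Rid, [Parameter(Mandatory)][int]$Offset)
    # Assumed mapping: offset + RID, so algorithmically mapped hosts and
    # hosts reading the rfc2307 attributes resolve the same numbers.
    $Offset + $Rid
}

foreach ($base in $SearchBases) {
    foreach ($group in Get-ADGroup -Filter * -SearchBase $base) {
        $gid = ConvertTo-UnixId -Rid (Get-RidFromSid $group.SID) -Offset $IdOffset
        Set-ADGroup -Identity $group -Replace @{gidNumber = $gid} -WhatIf
    }

    foreach ($user in Get-ADUser -Filter * -SearchBase $base -Properties primaryGroupID) {
        $uid = ConvertTo-UnixId -Rid (Get-RidFromSid $user.SID) -Offset $IdOffset
        # primaryGroupID is the RID of the user's primary group; that group only
        # receives the matching gidNumber if one of the search bases covers it.
        $primaryGid = ConvertTo-UnixId -Rid $user.primaryGroupID -Offset $IdOffset
        Set-ADUser -Identity $user -Replace @{
            uidNumber         = $uid
            gidNumber         = $primaryGid
            unixHomeDirectory = "$HomeRoot/$($user.SamAccountName)"
            loginShell        = $LoginShell
        } -WhatIf
    }
}
```

With -WhatIf in place the cmdlets only report the planned writes. The offset has to match the idmap range configured on the winbind hosts, otherwise file ownership differs between migrated and unmigrated machines.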
@Hans-Kristian:
I'd like to see it. How did you automate this?

@Andrew:
In another thread I suggested to set the rfc2307 info automatically when a domain is provisioned with --use-rfc2307. Possibly by an additional parameter.
This would make things easier in my eyes.

Thanks
Tim

On 29 January 2015 22:02:14 CET, Hans-Kristian Bakke <hkbakke at gmail.com> wrote:
>It is actually rather easy to set the attributes via powershell, and
>that is probably the best way to add them in a Server 2012 R2
>environment.
>
>I wrote a powershell script to do this automatically for users and
>groups in an entire domain that should be pretty generic to be reused.
>It also mirrors the logic used in automatic winbind UID/GID generation
>to be able to coexist in an environment where not all hosts are
>migrated to rfc2307 yet. If you want it I can give it to you, but as
>you probably would want to write your own powershell-script you would
>set properties for users and groups using these two cmdlets and some
>foreach-logic looping over your search bases, users and groups:
>
>Set-ADUser -Identity $username -Replace @{uidNumber=$uid;gidNumber=$primary_group_gid;unixHomeDirectory=$homedir;loginShell=$login_shell}
>
>Set-ADGroup -Identity $groupname -Replace @{gidNumber=$gid}
On 29/01/15 22:27, Tim wrote:
> @Hans-Kristian:
> I'd like to see it. How did you automate this?
>
> @Andrew:
> In another thread I suggested to set the rfc2307 info automatically when a domain is provisioned with --use-rfc2307. Possibly by an additional parameter.
> This would make things easier in my eyes.
>

The problem with setting the rfc2307 info when the domain is provisioned is what number do you start at? In theory this should be very easy, just set the msSFU30MaxUidNumber and msSFU30MaxGidNumber attributes and make samba-tool use them when creating a new user/group. But this would require developer time and there are probably other things that are more important (sysvol replication for example).

Rowland
Ok, it's here:
http://pastebin.com/JEnr5wUq

The id_offset is that value because I initially didn't use rfc2307 attributes, but instead

On 29 January 2015 at 23:27, Tim <lists at kiuni.de> wrote:
> @Hans-Kristian:
> I'd like to see it. How did you automate this?
>
> @Andrew:
> In another thread I suggested to set the rfc2307 info automatically when a
> domain is provisioned with --use-rfc2307. Possibly by an additional
> parameter.
> This would make things easier in my eyes.
>
> Thanks
> Tim