Ok, it's here: http://pastebin.com/JEnr5wUq

The id_offset is that value because I initially didn't use rfc2307 attributes, but instead

On 29 January 2015 at 23:27, Tim <lists at kiuni.de> wrote:
> @Hans-Kristian:
> I'd like to see it. How did you automate this?
>
> @Andrew:
> In another thread I suggested to set the rfc2307 info automatically when a
> domain is provisioned with --use-rfc2307. Possibly by an additional
> parameter.
> This would make things easier in my eyes.
>
> Thanks
> Tim
>
> On 29 January 2015 22:02:14 CET, Hans-Kristian Bakke
> <hkbakke at gmail.com> wrote:
>>
>> It is actually rather easy to set the attributes via powershell, and
>> that is probably the best way to add them in a Server 2012 R2
>> environment.
>>
>> I wrote a powershell script to do this automatically for users and
>> groups in an entire domain that should be pretty generic to be reused.
>> It also mirrors the logic used in automatic winbind UID/GID generation
>> to be able to coexist in an environment where not all hosts are
>> migrated to rfc2307 yet. If you want it I can give it to you, but as
>> you probably would want to write your own powershell-script you would
>> set properties for users and groups using these two cmdlets and some
>> foreach-logic looping over your search bases, users and groups:
>>
>> Set-ADUser -Identity $username -Replace @{uidNumber=$uid;gidNumber=$primary_group_gid;unixHomeDirectory=$homedir;loginShell=$login_shell}
>>
>> Set-ADGroup -Identity $groupname -Replace @{gidNumber=$gid}
>>
>> On 29 January 2015 at 21:24, Lars Hanke <debian at lhanke.de> wrote:
>>>
>>> On 29.01.2015 at 21:12, Tim wrote:
>>>>
>>>> But if they take it away how to set them in future?
>>>
>>> If you need NIS, you probably have POSIX systems attached. So you can
>>> always set RFC2307 attributes from POSIX systems.
>>>
>>>> On 29 January 2015 19:50:22 CET, Andrew Bartlett
>>>> <abartlet at samba.org> wrote:
>>>>>
>>>>> On Wed, 2015-01-28 at 17:22 +0100, Tim wrote:
>>>>>>
>>>>>> I got the chance to test samba 4 with windows 2012 R2 domain
>>>>>> controller on its highest functional level.
>>>>>>
>>>>>> Possibly it's important to know that M$ says that the "server for NIS
>>>>>> Tools" which are needed to set rfc attributes are deprecated.
>>>>>> I could install them but I can't choose a NIS domain anymore in Unix
>>>>>> attributes.
>>>>>>
>>>>>> Will we run into problems with samba4? Is it time for thinking about a
>>>>>> new idmapping backend? I have an idea for this (based on rid module)
>>>>>> but I like to know your thoughts.
>>>>>
>>>>> Even if they take away the admin tools, the schema changes won't go
>>>>> away, so don't worry.
>>>>>
>>>>> --
>>>>> Andrew Bartlett
>>>>> http://samba.org/~abartlet/
>>>>> Authentication Developer, Samba Team http://samba.org
>>>>> Samba Developer, Catalyst IT
>>>>> http://catalyst.net.nz/services/samba

Something went wrong and the message got sent before it was finished. Here is the complete one:

Ok, it's here: http://pastebin.com/JEnr5wUq

The id_offset is that value because I initially didn't use rfc2307 attributes, but instead had

idmap config EXAMPLE : range = 300000-499999

in smb.conf.

To get identical uid/gids you have to start with the same offset. If you have a fresh domain and are just starting with AD-integration on your linux-boxes you can just pull out the logic for generating winbind compatible uids/gids.

-
Regards,

Hans-Kristian

On 29/01/15 22:56, Hans-Kristian Bakke wrote:
> Something went wrong and the message got sent before it was finished.
> Here is the complete one:
>
> Ok, it's here: http://pastebin.com/JEnr5wUq
>
> The id_offset is that value because I initially didn't use rfc2307
> attributes, but instead had
>
> idmap config EXAMPLE : range = 300000-499999
>
> in smb.conf.
>
> To get identical uid/gids you have to start with the same offset. If you
> have a fresh domain and are just starting with AD-integration on your
> linux-boxes you can just pull out the logic for generating winbind
> compatible uids/gids.
>
> -
> Regards,
>
> Hans-Kristian

OK, had a quick look through your script and I cannot recommend it, it would seem to give Administrator (and everybody else) a 'uidNumber', Administrator's 'uidNumber' would be 300500, not a good idea.

Rowland
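
The following is an added example, not the pastebin script or any code posted in this thread: it applies the Set-ADUser call quoted above while skipping built-in accounts, the concern raised in the last reply. It assumes the mapping is uidNumber = id_offset + RID (consistent with the 300500 figure for Administrator, whose RID is 500); the search base, home directory layout and login shell are placeholders.

```powershell
# Added example; not the pastebin script. Values marked "assumption" are placeholders.
Import-Module ActiveDirectory

$IdOffset   = 300000               # low end of the idmap range quoted in the thread
$IdMax      = 499999               # high end of the same range
$MinRid     = 1000                 # RIDs below 1000 are built-in principals (Administrator = 500)
$SearchBase = 'DC=example,DC=com'  # assumption: search base of the domain
$LoginShell = '/bin/bash'          # assumption

function Get-RidFromSid([string]$Sid) {
    # The RID is the last dash-separated component of the SID string.
    [int]($Sid.Split('-')[-1])
}

$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties uidNumber, primaryGroupID

foreach ($u in $users) {
    $rid = Get-RidFromSid $u.SID.Value
    if ($rid -lt $MinRid) {
        Write-Warning "Skipping built-in account $($u.SamAccountName) (RID $rid)"
        continue
    }

    # Assumption: ID = offset + RID, for the user and for the primary group.
    $uid = $IdOffset + $rid
    $gid = $IdOffset + $u.primaryGroupID
    if ($uid -gt $IdMax -or $gid -gt $IdMax) {
        Write-Warning "Skipping $($u.SamAccountName): $uid/$gid falls outside the idmap range"
        continue
    }

    # Do not silently renumber an account that already has a different uidNumber:
    # files on disk are owned by the old number.
    if ($null -ne $u.uidNumber -and $u.uidNumber -ne $uid) {
        Write-Warning "Skipping $($u.SamAccountName): existing uidNumber $($u.uidNumber) differs from $uid"
        continue
    }

    Set-ADUser -Identity $u -WhatIf -Replace @{
        uidNumber         = $uid
        gidNumber         = $gid
        unixHomeDirectory = "/home/$($u.SamAccountName)"   # assumption: home directory layout
        loginShell        = $LoginShell
    }
}
```

With -WhatIf in place the loop only reports what it would change; remove it once the warnings and the proposed values have been reviewed.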