Greetings, Rowland Penny!

>>>>> Ok, good.
>>>>> Now, how can I get RFC2307 attributes populated automatically upon
>>>>> users or
>>>>> groups creation?
>>>> You can't :-(
>>>> I'm experimenting with
>>>> https://github.com/laotse/SambaPosix
>>>> but it's quite buggy (at least regarding the features I'm trying,
>>>> namely, trying to assign uids the same way as ADUC).
>>>>
>>>>
>>>> Bye
>>> OH yes you can, well I can :-)
>> Can you share how?
>>
>> Bye
> You are using python, which to me is a very big snake, so I bash it :-D
> I just use these two functions in a bash script:
>
> # Finds the next usable user uidNumber or group gidNumber
> # Input : $1
> #   $1 : msSFU30MaxUidNumber or msSFU30MaxGidNumber
> # Output : the first free uidNumber or gidNumber
> _findnext () {
>     ATTR="$1"
>     if [ -z "${ATTR}" ]; then
>         error "No Attribute supplied"
>         error "Cannot continue... Exiting."
>         exit 1
>     fi
>     _NEXTID=$(ldbsearch -H ${LDBDB} \
>         -b "CN=${domainNETBios},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${domainDN}" \
>         -s sub '(objectClass=msSFU30DomainInfo)' ${ATTR} | grep "${ATTR}: " | awk '{print $NF}')
>     if [ -z "$_NEXTID" ] || [ "$_NEXTID" -lt "10000" ]; then
>         _NEXTID="10000"
>     fi
> }
>
> # UPDATE msSFU30MaxUidNumber/msSFU30MaxGidNumber
> # Input : $1 $2
> #   $1: what to update (msSFU30MaxUidNumber or msSFU30MaxGidNumber)
> #   $2: Next Number
> #
> # Output : Nothing
> _updatemax () {
>     ATTR="$1"
>     IDNUM="$2"
>     if [ -z "${ATTR}" ] || [ -z "${IDNUM}" ]; then
>         error "Incomplete data supplied."
>         error "Cannot continue... Exiting."
>         exit 1
>     fi
>     echo "Updating ${ATTR}"
>     IDLDIF="dn: CN=${domainNETBios},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${domainDN}
> changetype: modify
> replace: ${ATTR}
> ${ATTR}: ${IDNUM}"
>     echo "${IDLDIF}" | ldbmodify -H ${LDBDB}
>     if [ $? != 0 ]; then
>         error "Error updating ${ATTR} in AD."
>         echo "${IDLDIF}" > /tmp/update.ldif
>         exit 1 # exits here if error
>     fi
>     unset IDLDIF
>     echo "Successfully updated ${ATTR} in AD"
> }

That will only work on a domain controller.
I don't want to touch it at all, if I don't need to blow it apart.
Not to mention, it will not add "objectClass: posixAccount" to the user,
causing all sorts of grief in the long run.

--
With best regards,
Andrey Repin
Thursday, April 9, 2015 18:13:07

Sorry for my terrible English...
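The two quoted functions, reworked as an added example that is not the script from the thread: the ldbsearch parsing and the LDIF generation are split into functions that can be exercised without a DC, and the counter update goes one step beyond the original by using a delete-old/add-new pair instead of a plain replace, so two admins allocating at the same moment cannot both be handed the same uidNumber. The function names and the sample output are mine; it assumes LDBDB, domainNETBios and domainDN are set as in the original, and that the DC refuses to delete an attribute value that is no longer present.

```shell
#!/bin/sh
# Added example (not the script from the thread): the same next-ID logic as
# _findnext/_updatemax, split so parsing and LDIF building run offline, plus a
# compare-and-swap so two concurrent runs cannot be handed the same uidNumber.
# Assumes LDBDB, domainNETBios and domainDN are set by the caller, and that the
# DC rejects deleting an attribute value that is not present (LDAP noSuchAttribute).
ID_FLOOR=10000

# Extract the value of attribute $1 from ldbsearch output $2 (empty if absent).
raw_value() {
    printf '%s\n' "$2" | grep "^$1: " | awk '{print $NF}'
}

# The thread's floor rule: missing, non-numeric or below 10000 -> 10000.
next_id() {
    case "$1" in
        ''|*[!0-9]*) echo "$ID_FLOOR" ;;
        *) [ "$1" -lt "$ID_FLOOR" ] && echo "$ID_FLOOR" || echo "$1" ;;
    esac
}

# Modify LDIF moving $1 from old value $2 to $3. With a known old value it is a
# delete+add (the DC refuses it if the counter moved under us); else a replace.
update_max_ldif() {
    printf 'dn: CN=%s,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,%s\n' \
        "$domainNETBios" "$domainDN"
    printf 'changetype: modify\n'
    if [ -n "$2" ]; then
        printf 'delete: %s\n%s: %s\n-\nadd: %s\n%s: %s\n' "$1" "$1" "$2" "$1" "$1" "$3"
    else
        printf 'replace: %s\n%s: %s\n' "$1" "$1" "$3"
    fi
}

# Live path (needs a reachable DC): reserve one id from counter $1 and print it.
allocate_id() {
    base="CN=${domainNETBios},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${domainDN}"
    out=$(ldbsearch -H "$LDBDB" -b "$base" -s sub '(objectClass=msSFU30DomainInfo)' "$1")
    raw=$(raw_value "$1" "$out"); cur=$(next_id "$raw")
    [ "$raw" = "$cur" ] || raw=""   # value was floored: nothing to compare against
    update_max_ldif "$1" "$raw" $((cur + 1)) | ldbmodify -H "$LDBDB" >/dev/null || return 1
    echo "$cur"
}

# Constructed sample of ldbsearch output so the block runs without a DC.
SAMPLE='dn: CN=EXAMPLE,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=com
msSFU30MaxUidNumber: 10042'
domainNETBios=EXAMPLE; domainDN='DC=example,DC=com'
update_max_ldif msSFU30MaxUidNumber "$(raw_value msSFU30MaxUidNumber "$SAMPLE")" 10043
```

If the delete/add modify fails, the counter was advanced by someone else in between; re-read it and try again rather than reusing the number.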
On 09/04/15 16:22, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
>>>>>> Ok, good.
>>>>>> Now, how can I get RFC2307 attributes populated automatically upon
>>>>>> users or
>>>>>> groups creation?
>>>>> You can't :-(
>>>>> I'm experimenting with
>>>>> https://github.com/laotse/SambaPosix
>>>>> but it's quite buggy (at least regarding the features I'm trying,
>>>>> namely, trying to assign uids the same way as ADUC).
>>>>>
>>>>>
>>>>> Bye
>>>> OH yes you can, well I can :-)
>>> Can you share how?
>>>
>>> Bye
>> You are using python, which to me is a very big snake, so I bash it :-D
>> I just use these two functions in a bash script:
>>
>> # Finds the next usable user uidNumber or group gidNumber
>> # Input : $1
>> #   $1 : msSFU30MaxUidNumber or msSFU30MaxGidNumber
>> # Output : the first free uidNumber or gidNumber
>> _findnext () {
>>     ATTR="$1"
>>     if [ -z "${ATTR}" ]; then
>>         error "No Attribute supplied"
>>         error "Cannot continue... Exiting."
>>         exit 1
>>     fi
>>     _NEXTID=$(ldbsearch -H ${LDBDB} \
>>         -b "CN=${domainNETBios},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${domainDN}" \
>>         -s sub '(objectClass=msSFU30DomainInfo)' ${ATTR} | grep "${ATTR}: " | awk '{print $NF}')
>>     if [ -z "$_NEXTID" ] || [ "$_NEXTID" -lt "10000" ]; then
>>         _NEXTID="10000"
>>     fi
>> }
>>
>> # UPDATE msSFU30MaxUidNumber/msSFU30MaxGidNumber
>> # Input : $1 $2
>> #   $1: what to update (msSFU30MaxUidNumber or msSFU30MaxGidNumber)
>> #   $2: Next Number
>> #
>> # Output : Nothing
>> _updatemax () {
>>     ATTR="$1"
>>     IDNUM="$2"
>>     if [ -z "${ATTR}" ] || [ -z "${IDNUM}" ]; then
>>         error "Incomplete data supplied."
>>         error "Cannot continue... Exiting."
>>         exit 1
>>     fi
>>     echo "Updating ${ATTR}"
>>     IDLDIF="dn: CN=${domainNETBios},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${domainDN}
>> changetype: modify
>> replace: ${ATTR}
>> ${ATTR}: ${IDNUM}"
>>     echo "${IDLDIF}" | ldbmodify -H ${LDBDB}
>>     if [ $? != 0 ]; then
>>         error "Error updating ${ATTR} in AD."
>>         echo "${IDLDIF}" > /tmp/update.ldif
>>         exit 1 # exits here if error
>>     fi
>>     unset IDLDIF
>>     echo "Successfully updated ${ATTR} in AD"
>> }
> That will only work on a domain controller.

Well yes it will only work on a DC because that is where the AD records
are stored, but it can be run from another Linux machine.

> I don't want to touch it at all,
> if I don't need to blow it apart.

Well, seeing as it is only doing what ADUC does, I do not see it blowing
up your AD DC.

> Not to mention, it will not add "objectClass: posixAccount" to the user,

How many times do I have to say this:

DO NOT ADD POSIX OBJECTCLASSES TO AD, THEY ARE NOT REQUIRED. ADUC WILL
NEVER ADD THEM.

> causing all sorts of grief in the long run.

WHY ??

Rowland
Greetings, Rowland Penny!

>>> You are using python, which to me is a very big snake, so I bash it :-D
>>> I just use these two functions in a bash script:
>>>
>>> # Finds the next usable user uidNumber or group gidNumber
>>> # Input : $1
>>> #   $1 : msSFU30MaxUidNumber or msSFU30MaxGidNumber
>>> # Output : the first free uidNumber or gidNumber
>>> _findnext () {
>>>     ATTR="$1"
>>>     if [ -z "${ATTR}" ]; then
>>>         error "No Attribute supplied"
>>>         error "Cannot continue... Exiting."
>>>         exit 1
>>>     fi
>>>     _NEXTID=$(ldbsearch -H ${LDBDB} \
>>>         -b "CN=${domainNETBios},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${domainDN}" \
>>>         -s sub '(objectClass=msSFU30DomainInfo)' ${ATTR} | grep "${ATTR}: " | awk '{print $NF}')
>>>     if [ -z "$_NEXTID" ] || [ "$_NEXTID" -lt "10000" ]; then
>>>         _NEXTID="10000"
>>>     fi
>>> }
>>>
>>> # UPDATE msSFU30MaxUidNumber/msSFU30MaxGidNumber
>>> # Input : $1 $2
>>> #   $1: what to update (msSFU30MaxUidNumber or msSFU30MaxGidNumber)
>>> #   $2: Next Number
>>> #
>>> # Output : Nothing
>>> _updatemax () {
>>>     ATTR="$1"
>>>     IDNUM="$2"
>>>     if [ -z "${ATTR}" ] || [ -z "${IDNUM}" ]; then
>>>         error "Incomplete data supplied."
>>>         error "Cannot continue... Exiting."
>>>         exit 1
>>>     fi
>>>     echo "Updating ${ATTR}"
>>>     IDLDIF="dn: CN=${domainNETBios},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${domainDN}
>>> changetype: modify
>>> replace: ${ATTR}
>>> ${ATTR}: ${IDNUM}"
>>>     echo "${IDLDIF}" | ldbmodify -H ${LDBDB}
>>>     if [ $? != 0 ]; then
>>>         error "Error updating ${ATTR} in AD."
>>>         echo "${IDLDIF}" > /tmp/update.ldif
>>>         exit 1 # exits here if error
>>>     fi
>>>     unset IDLDIF
>>>     echo "Successfully updated ${ATTR} in AD"
>>> }
>> That will only work on a domain controller.
> Well yes it will only work on a DC because that is where the AD records
> are stored, but it can be run from another Linux machine.

>> I don't want to touch it at all,
>> if I don't need to blow it apart.
> Well, seeing as it is only doing what ADUC does, I do not see it blowing
> up your AD DC.

>> Not to mention, it will not add "objectClass: posixAccount" to the user,
> How many times do I have to say this:
> DO NOT ADD POSIX OBJECTCLASSES TO AD, THEY ARE NOT REQUIRED. ADUC WILL
> NEVER ADD THEM.

They are not required for AD, but they are required for other tools that
work off AD LDAP.
Don't scream like that, you may startle someone.

>> causing all sorts of grief in the long run.
> WHY ??

Because my auth tools, for instance, expect the posixAccount class and check
for it before processing further with authentication.

--
With best regards,
Andrey Repin
Thursday, April 9, 2015 19:06:39

Sorry for my terrible English...