Andrey Repin
2015-Apr-09  18:41 UTC
[Samba] How can I have new users/groups to include posixAccount/posixGroup schema automatically?
Greetings, Rowland Penny!

> well tough, the smbldap-tools were written to do a job, map windows
> users to unix users and vice versa.

No. smbldap-tools were doing exactly the same as AD does: kept all users in one
database.

> So what you need now is something to do the same, except you don't have
> separate Unix users any more,

I never had separate unix users ever (aside from one user - myself, but that
was more of a requirement of the OS installation process).

> just users in AD who can also be Unix users.
> If you want your Unix users to have the same IDs everywhere, you need to
> use the RFC2307 attributes,

Already.

> at the moment, how the attributes get into AD is up to you, use ADUC,

Time-consuming, requires an available Win7 machine. In short - not an option.

> samba-tool

Doesn't work, as evidently demonstrated recently in the list.

> or write your own scripts.

The problem with any homemade script is that it isn't portable, and only goes as
far as the script writer's understanding of the things at hand.
My personal understanding of the AD schema is very limited. I could throw
something together, but in reality, I'd rather not do anything like that
myself.

All that being said, I see the situation as very disturbing. The lack of the
very basic, essential tools to manage user/group creation... I'm speechless.

--
With best regards,
Andrey Repin
Thursday, April 9, 2015 21:34:27

Sorry for my terrible english...
Adam Tauno Williams
2015-Apr-09  19:08 UTC
[Samba] How can I have new users/groups to include posixAccount/posixGroup schema automatically?
> > samba-tool
> Doesn't work, as evidently demonstrated recently in the list.

"Doesn't work" is a serious overstatement.

> > or write your own scripts.
> The problem with any homemade script is that it isn't portable, and only goes as
> far as the script writer's understanding of the things at hand.
> My personal understanding of the AD schema is very limited. I could throw
> something together, but in reality, I'd rather not do anything like that
> myself.
> All that being said, I see the situation as very disturbing. The lack of the
> very basic, essential tools to manage user/group creation... I'm speechless.

I do not understand why; your configuration is not standard - so the
configuration required some wrenching. You had scripts and glue all over the
place with a Samba3+LDAP configuration; I know, I came from one. Active
Directory is LDAP, and no more baffling than OpenLDAP + custom schema.

Creating an AD user via LDAP is pretty easy.

import ldap
import ldap.sasl
import ldap.modlist as modlist

AD_USER_ROOT_DN = 'OU=Users,dc=Example,dc=Com'

# userAccountControl bit masks
AD_UAC_MASK_SCRIPT = 1
AD_UAC_MASK_ACCOUNTDISABLE = 2
AD_UAC_MASK_HOMEDIR_REQUIRED = 8
AD_UAC_MASK_PASSWD_NOTREQD = 32
AD_UAC_MASK_NORMAL_ACCOUNT = 512
AD_UAC_MASK_DONT_EXPIRE_PASSWORD = 65536
AD_UAC_MASK_TRUSTED_FOR_DELEGATION = 524288
AD_UAC_MASK_PASSWORD_EXPIRED = 8388608

...

# Bind to the DC with the caller's Kerberos ticket; AD returns referrals
# for some subtrees, and python-ldap must not chase them.
pdc = ldap.initialize(uri)
pdc.set_option(ldap.OPT_REFERRALS, 0)
pdc.sasl_interactive_bind_s("", ldap.sasl.gssapi())

# The dn of our new entry/object
dn = 'cn={0},{1}'.format(uid, AD_USER_ROOT_DN, )

attrs = {
    'objectclass': ['top', 'person', 'organizationalPerson', 'user', 'posixAccount', ],
    'cn': uid,
    'sAMAccountname': uid,
    'msSFU30Name': uid,
    'userPassword': str(password),
    'givenName': givenName,
    'sn': sn,
    'displayName': displayName,
    # RFC2307 attributes: these are what make the account a Unix user too
    'uidNumber': uidNumber,
    'gidNumber': gidNumber,
    'unixHomeDirectory': homeDirectory,
    'loginShell': '/bin/bash',
    # -1 stamps pwdLastSet with the current time (0 would force a change at first logon)
    'pwdLastSet': '-1',
    'userPrincipalName': '{0}@example.com'.format(uid, ),
    'lockoutTime': '0',
    'msSFU30NisDomain': 'backbone',
    'homeDirectory': '\\\\FILESERVER\\homedir',
    'homeDrive': 'F:',
    'profilePath': '\\\\FILESERVER\\profiles\\{0}'.format(uid, ),
}
# The account is created disabled; enable it once the password is set.
attrs['userAccountControl'] = \
    str( AD_UAC_MASK_NORMAL_ACCOUNT + AD_UAC_MASK_ACCOUNTDISABLE + AD_UAC_MASK_DONT_EXPIRE_PASSWORD )
ldif = modlist.addModlist(attrs)
pdc.add_s(dn, ldif)

--
Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
Rowland Penny
2015-Apr-09  19:21 UTC
[Samba] How can I have new users/groups to include posixAccount/posixGroup schema automatically?
On 09/04/15 19:41, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
>> well tough, the smbldap-tools were written to do a job, map windows
>> users to unix users and vice versa.
> No. smbldap-tools were doing exactly the same as AD does: kept all users in one
> database.
>

Similar, but not the same, with smbldap-tools you had Unix and ldap users,
with Samba4 AD, just like windows AD, you just have AD users.

>> So what you need now is something to do the same, except you don't have
>> separate Unix users any more,
> I never had separate unix users ever (aside from one user - myself, but that
> was more of a requirement of the OS installation process).
>
>> just users in AD who can also be Unix users.
>> If you want your Unix users to have the same IDs everywhere, you need to
>> use the RFC2307 attributes,
> Already.
>
>> at the moment, how the attributes get into AD is up to you, use ADUC,
> Time-consuming, requires an available Win7 machine. In short - not an option.
>
>> samba-tool
> Doesn't work, as evidently demonstrated recently in the list.
>
>> or write your own scripts.
> The problem with any homemade script is that it isn't portable, and only goes as
> far as the script writer's understanding of the things at hand.
> My personal understanding of the AD schema is very limited. I could throw
> something together, but in reality, I'd rather not do anything like that
> myself.
>
> All that being said, I see the situation as very disturbing. The lack of the
> very basic, essential tools to manage user/group creation... I'm speechless.
>

The user tools are there, they are mostly on windows though.

Rowland
Sketch
2015-Apr-09  19:51 UTC
[Samba] How can I have new users/groups to include posixAccount/posixGroup schema automatically?
On Thu, 9 Apr 2015, Andrey Repin wrote:

>> If you want your Unix users to have the same IDs everywhere, you need to
>> use the RFC2307 attributes,
...
>> samba-tool
>
> Doesn't work, as evidently demonstrated recently in the list.

Pulled straight out of my old user creation script, which I used with no
issues for some time with multiple versions of samba 4.1.x:

samba-tool user create $user --uid-number=$uid --gid-number=$gid --login-shell=/bin/bash --home-directory=/home/$user

(Later replaced with a script I found on the internet that created a new
user without rfc2307 attributes, then used ldbmodify to automatically
generate the unix uid based on the SID, much like winbind would do.)
Andrey Repin
2015-Apr-09  20:17 UTC
[Samba] How can I have new users/groups to include posixAccount/posixGroup schema automatically?
Greetings, Rowland Penny!

>>> well tough, the smbldap-tools were written to do a job, map windows
>>> users to unix users and vice versa.
>> No. smbldap-tools were doing exactly the same as AD does: kept all users in one
>> database.
>>
> Similar, but not the same, with smbldap-tools you had Unix and ldap
> users,

If you want to put it that way...

> with Samba4 AD,

...I have Unix and AD users.

> just like windows AD, you just have AD users.

No.

>>> So what you need now is something to do the same, except you don't have
>>> separate Unix users any more,
>> I never had separate unix users ever (aside from one user - myself, but that
>> was more of a requirement of the OS installation process).
>>
>>> just users in AD who can also be Unix users.
>>> If you want your Unix users to have the same IDs everywhere, you need to
>>> use the RFC2307 attributes,
>> Already.
>>
>>> at the moment, how the attributes get into AD is up to you, use ADUC,
>> Time-consuming, requires an available Win7 machine. In short - not an option.
>>
>>> samba-tool
>> Doesn't work, as evidently demonstrated recently in the list.
>>
>>> or write your own scripts.
>> The problem with any homemade script is that it isn't portable, and only goes as
>> far as the script writer's understanding of the things at hand.
>> My personal understanding of the AD schema is very limited. I could throw
>> something together, but in reality, I'd rather not do anything like that
>> myself.
>>
>> All that being said, I see the situation as very disturbing. The lack of the
>> very basic, essential tools to manage user/group creation... I'm speechless.
>>
> The user tools are there, they are mostly on windows though.

Can you list some of them? RSAT is not an option - the only Win7 Pro system at
work is a render farm that has its own work to do, rather than letting me twitch
the checkboxes in some overloaded GUI.

--
With best regards,
Andrey Repin
Thursday, April 9, 2015 22:48:25

Sorry for my terrible english...
Andrey Repin
2015-Apr-09  20:37 UTC
[Samba] How can I have new users/groups to include posixAccount/posixGroup schema automatically?
Greetings, Sketch!

>>> If you want your Unix users to have the same IDs everywhere, you need to
>>> use the RFC2307 attributes,
> ...
>>> samba-tool
>>
>> Doesn't work, as evidently demonstrated recently in the list.

> Pulled straight out of my old user creation script, which I used with no
> issues for some time with multiple versions of samba 4.1.x:

> samba-tool user create $user --uid-number=$uid --gid-number=$gid
> --login-shell=/bin/bash --home-directory=/home/$user

That's exactly what I mean by "doesn't work". Did you read the list, or just
jump into a thread to demonstrate your ignorance? Your "solution" doesn't take
into account already existing uid/gid's, nor does it modify the stored "next id"
value.

> (Later replaced with a script I found on the internet that created a new
> user without rfc2307 attributes, then used ldbmodify to automatically
> generate the unix uid based on the SID, much like winbind would do.)

That's an option that I could take myself. Thanks for the reminder.
Now, if only I could tweak the RID selection... any suggestions? Current RIDs
are already somewhat out of control.

--
With best regards,
Andrey Repin
Thursday, April 9, 2015 23:34:33

Sorry for my terrible english...
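An added example, written for this archive and not code from any participant in the thread, of the two uidNumber strategies discussed above: deriving the id from the account's RID in the objectSid, as the ldbmodify script Sketch mentions and winbind's idmap_rid backend do, and allocating the next free id above the uidNumber/gidNumber values already stored in AD, which is the collision check Andrey says the plain --uid-number path lacks. The search result and the SID bytes are constructed samples, and the base and range values are assumptions.

```python
import struct

def parse_sid(sid_bytes):
    """Decode a binary objectSid into its S-1-... string form.
    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit
    big-endian identifier authority, then 32-bit little-endian
    sub-authorities; the last sub-authority is the RID."""
    revision, count = sid_bytes[0], sid_bytes[1]
    authority = int.from_bytes(sid_bytes[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid_bytes[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def rid_of(sid_bytes):
    """The RID is the last sub-authority of the SID."""
    return int(parse_sid(sid_bytes).rsplit("-", 1)[1])

def uid_from_rid(sid_bytes, base=10000):
    """Same arithmetic as winbind's idmap_rid backend: uid = base + RID.
    The base is an assumption; pick one that clears all existing ids."""
    return base + rid_of(sid_bytes)

def next_free_uid(search_result, lo=10000, hi=19999):
    """Lowest id in [lo, hi] not already used as uidNumber or gidNumber.
    search_result has python-ldap's shape: a list of (dn, attrs) tuples
    with byte-string values, e.g. from a search for
    (|(uidNumber=*)(gidNumber=*)) under the domain base."""
    used = set()
    for _dn, attrs in search_result:
        for key in ("uidNumber", "gidNumber"):
            for value in attrs.get(key, []):
                used.add(int(value))
    for candidate in range(lo, hi + 1):
        if candidate not in used:
            return candidate
    raise RuntimeError("no free id left in %d-%d" % (lo, hi))

# Constructed sample of what such a search returns (not real accounts).
SAMPLE_RESULT = [
    ("CN=alice,OU=Users,DC=example,DC=com",
     {"uidNumber": [b"10000"], "gidNumber": [b"10001"]}),
    ("CN=bob,OU=Users,DC=example,DC=com", {"uidNumber": [b"10002"]}),
]
# Constructed sample objectSid for S-1-5-21-1-2-3-1104 (RID 1104).
SAMPLE_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1, 2, 3, 1104)

if __name__ == "__main__":
    print(parse_sid(SAMPLE_SID), uid_from_rid(SAMPLE_SID), next_free_uid(SAMPLE_RESULT))
```

Either value can then be passed as --uid-number to samba-tool or put into the uidNumber attribute of an LDAP add; the RID-derived form stays stable across DCs, while the next-free form needs the search to be re-run right before each add.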