Greetings, Rowland Penny!

>>> You are using python, which to me is a very big snake, so I bash it :-D
>>> I just use these two functions in a bash script:
>>>
>>> # Finds the next usable user uidNumber or group gidNumber
>>> # Input : $1
>>> # $1 : msSFU30MaxUidNumber or msSFU30MaxGidNumber
>>> # Output : the first free uidNumber or gidNumber
>>> _findnext () {
>>>     ATTR="$1"
>>>     if [ -z "${ATTR}" ]; then
>>>         error "No Attribute supplied"
>>>         error "Cannot continue... Exiting."
>>>         exit 1
>>>     fi
>>>     _NEXTID=$(ldbsearch -H ${LDBDB} -b "CN=${domainNETBios},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${domainDN}" \
>>>         -s sub '(objectClass=msSFU30DomainInfo)' ${ATTR} | grep "${ATTR}: " | awk '{print $NF}')
>>>     if [ -z "$_NEXTID" ] || [ "$_NEXTID" -lt "10000" ]; then
>>>         _NEXTID="10000"
>>>     fi
>>> }
>>>
>>> # UPDATE msSFU30MaxUidNumber/msSFU30MaxGidNumber
>>> # Input : $1 $2
>>> # $1: what to update (msSFU30MaxUidNumber or msSFU30MaxGidNumber)
>>> # $2: Next Number
>>> #
>>> # Output : Nothing
>>> _updatemax () {
>>>     ATTR="$1"
>>>     IDNUM="$2"
>>>     if [ -z "${ATTR}" ] || [ -z "${IDNUM}" ]; then
>>>         error "Incomplete data supplied."
>>>         error "Cannot continue... Exiting."
>>>         exit 1
>>>     fi
>>>     echo "Updating ${ATTR}"
>>>     IDLDIF="dn: CN=${domainNETBios},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${domainDN}
>>> changetype: modify
>>> replace: ${ATTR}
>>> ${ATTR}: ${IDNUM}"
>>>     echo "${IDLDIF}" | ldbmodify -H ${LDBDB}
>>>     if [ $? != 0 ]; then
>>>         error "Error updating ${ATTR} in AD."
>>>         echo "${IDLDIF}" > /tmp/update.ldif
>>>         exit 1 # exits here if error
>>>     fi
>>>     unset IDLDIF
>>>     echo "Successfully updated ${ATTR} in AD"
>>> }
>> That will only work on a domain controller.
> Well yes it will only work on a DC because that is where the AD records
> are stored, but it can be run from another Linux machine.
>> I don't want to touch it at all,
>> if I don't need to blow it apart.
> Well, seeing as it is only doing what ADUC does, I do not see it blowing
> up your AD DC.
>> Not to mention, it will not add "objectClass: posixAccount" to the user,
> How many times do I have to say this:
> DO NOT ADD POSIX OBJECTCLASSES TO AD, THEY ARE NOT REQUIRED. ADUC WILL
> NEVER ADD THEM.

They are not required for AD, but they are required for other tools that work
off AD LDAP.
Don't scream like that, you may startle someone.

>> causing all sorts of grief in the long run.
> WHY ??

Because my auth tools, for instance, expect the posixAccount class and check for
it before processing further with authentication.

--
With best regards,
Andrey Repin
Thursday, April 9, 2015 19:06:39

Sorry for my terrible English...
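Added example, not part of the thread and not Rowland's script or Samba code. The quoted functions read msSFU30MaxUidNumber with ldbsearch and then write the next value back with an unconditional "replace:", so two copies of the script that read the same value (two admins, or a script and ADUC at the same moment) hand out the same uidNumber. An LDAP modify operation is atomic as a whole (RFC 4511), so deleting exactly the value that was read and adding the new one in a single modify behaves as a compare-and-swap: it fails, instead of silently overwriting, when another writer got there first. FakeDirectory below is an in-memory stand-in for ldb (an assumption, so the LDIF can be exercised offline), YPSERV_DN is a placeholder shaped like the DN the script builds, and FLOOR is the script's own 10000 minimum.

```python
# Added example, not Rowland's script and not Samba code. The quoted allocator reads
# msSFU30MaxUidNumber, then writes the next value with an unconditional "replace:", so
# two runs that read the same value hand out the same uidNumber. One LDAP modify is
# atomic (RFC 4511), so delete-old-value + add-new-value in a single modify acts as a
# compare-and-swap. FakeDirectory is an in-memory stand-in for ldb (an assumption) and
# YPSERV_DN is a placeholder shaped like the DN the script builds.
from typing import Dict, List, Optional, Tuple

FLOOR = 10000                     # same floor as the quoted script
ATTR = "msSFU30MaxUidNumber"
YPSERV_DN = "CN=EXAMPLE,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=com"

class ModifyFailed(Exception):
    """Server rejected the modify: a value to delete is gone, or a value to add exists."""

def parse_modify_ldif(ldif: str) -> Tuple[str, List[Tuple[str, str, List[str]]]]:
    """Parse one 'changetype: modify' record into (dn, [(op, attr, values), ...])."""
    lines = [l for l in ldif.strip().splitlines() if l and not l.startswith("#")]
    if not lines[0].startswith("dn: ") or lines[1] != "changetype: modify":
        raise ValueError("not a modify record")
    dn, ops, cur = lines[0][4:], [], None
    for line in lines[2:]:
        if line == "-":                          # separator between ops
            cur = None
            continue
        key, val = line.split(": ", 1)
        if cur is None:                          # "add: attr" / "delete: attr" / "replace: attr"
            if key not in ("add", "delete", "replace"):
                raise ValueError(f"unknown modify op {key!r}")
            cur = (key, val, [])
            ops.append(cur)
        else:                                    # "attr: value" belonging to the current op
            cur[2].append(val)
    return dn, ops

class FakeDirectory:
    """Minimal LDAP-like store: modify() applies every op or none of them."""
    def __init__(self, entries: Dict[str, Dict[str, List[str]]]):
        self.entries = {dn: {a: list(v) for a, v in e.items()} for dn, e in entries.items()}

    def modify(self, ldif: str) -> None:
        dn, ops = parse_modify_ldif(ldif)
        entry = {a: list(v) for a, v in self.entries[dn].items()}   # work on a copy
        for op, attr, values in ops:
            have = entry.setdefault(attr, [])
            if op == "replace":
                entry[attr] = list(values)
            elif op == "add":
                if any(v in have for v in values):
                    raise ModifyFailed("attributeOrValueExists")
                have.extend(values)
            else:                                                  # delete the listed values
                for v in values:
                    if v not in have:
                        raise ModifyFailed("noSuchAttribute")
                    have.remove(v)
        self.entries[dn] = entry                                   # commit only on full success

def read_next(d: FakeDirectory, attr: str = ATTR) -> Tuple[Optional[str], int]:
    """Return (stored value or None, next id to hand out) using the script's >= 10000 floor."""
    vals = d.entries.get(YPSERV_DN, {}).get(attr, [])
    stored = vals[0] if vals else None
    cur = int(stored) if stored is not None else 0
    return stored, (cur if cur >= FLOOR else FLOOR)

def replace_ldif(new: int, attr: str = ATTR) -> str:
    """The quoted script's update: overwrite whatever is stored."""
    return f"dn: {YPSERV_DN}\nchangetype: modify\nreplace: {attr}\n{attr}: {new}\n"

def cas_ldif(stored: Optional[str], new: int, attr: str = ATTR) -> str:
    """Compare-and-swap update: delete exactly the value we read, then add the new one."""
    head, add = f"dn: {YPSERV_DN}\nchangetype: modify\n", f"add: {attr}\n{attr}: {new}\n"
    if stored is None:
        return head + add             # no counter yet; 'add' fails if one appeared meanwhile
    return head + f"delete: {attr}\n{attr}: {stored}\n-\n" + add

def allocate_cas(d: FakeDirectory, attr: str = ATTR, attempts: int = 5) -> int:
    """Hand out the next id, re-reading when another writer consumed our snapshot."""
    for _ in range(attempts):
        stored, cur = read_next(d, attr)
        try:
            d.modify(cas_ldif(stored, cur + 1, attr))
            return cur
        except ModifyFailed:
            continue
    raise RuntimeError(f"no free id after {attempts} attempts")

def simulate_race(use_cas: bool) -> Tuple[int, int]:
    """Two allocators read the counter before either writes; return the ids they give out."""
    d = FakeDirectory({YPSERV_DN: {ATTR: ["10000"]}})
    stored, cur = read_next(d)                           # both see the same snapshot
    if not use_cas:
        d.modify(replace_ldif(cur + 1))
        d.modify(replace_ldif(cur + 1))                  # second replace silently succeeds
        return cur, cur                                  # duplicate uid: (10000, 10000)
    d.modify(cas_ldif(stored, cur + 1))                  # first writer commits
    try:
        d.modify(cas_ldif(stored, cur + 1))              # delete of "10000" no longer matches
        return cur, cur
    except ModifyFailed:
        return cur, allocate_cas(d)                      # second writer re-reads: (10000, 10001)
```

simulate_race(False) returns (10000, 10000) and simulate_race(True) returns (10000, 10001). Against a real directory the same LDIF shape works with `ldbmodify`: the delete/add pair is rejected by the server when the stored counter no longer equals the value the script read, so the script can re-run `_findnext` instead of issuing a second user the same uid.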
On 09/04/15 17:09, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
>>>> You are using python, which to me is a very big snake, so I bash it :-D
>>>> I just use these two functions in a bash script:
>>>>
>>>> # Finds the next usable user uidNumber or group gidNumber
>>>> # Input : $1
>>>> # $1 : msSFU30MaxUidNumber or msSFU30MaxGidNumber
>>>> # Output : the first free uidNumber or gidNumber
>>>> _findnext () {
>>>>     ATTR="$1"
>>>>     if [ -z "${ATTR}" ]; then
>>>>         error "No Attribute supplied"
>>>>         error "Cannot continue... Exiting."
>>>>         exit 1
>>>>     fi
>>>>     _NEXTID=$(ldbsearch -H ${LDBDB} -b "CN=${domainNETBios},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${domainDN}" \
>>>>         -s sub '(objectClass=msSFU30DomainInfo)' ${ATTR} | grep "${ATTR}: " | awk '{print $NF}')
>>>>     if [ -z "$_NEXTID" ] || [ "$_NEXTID" -lt "10000" ]; then
>>>>         _NEXTID="10000"
>>>>     fi
>>>> }
>>>>
>>>> # UPDATE msSFU30MaxUidNumber/msSFU30MaxGidNumber
>>>> # Input : $1 $2
>>>> # $1: what to update (msSFU30MaxUidNumber or msSFU30MaxGidNumber)
>>>> # $2: Next Number
>>>> #
>>>> # Output : Nothing
>>>> _updatemax () {
>>>>     ATTR="$1"
>>>>     IDNUM="$2"
>>>>     if [ -z "${ATTR}" ] || [ -z "${IDNUM}" ]; then
>>>>         error "Incomplete data supplied."
>>>>         error "Cannot continue... Exiting."
>>>>         exit 1
>>>>     fi
>>>>     echo "Updating ${ATTR}"
>>>>     IDLDIF="dn: CN=${domainNETBios},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${domainDN}
>>>> changetype: modify
>>>> replace: ${ATTR}
>>>> ${ATTR}: ${IDNUM}"
>>>>     echo "${IDLDIF}" | ldbmodify -H ${LDBDB}
>>>>     if [ $? != 0 ]; then
>>>>         error "Error updating ${ATTR} in AD."
>>>>         echo "${IDLDIF}" > /tmp/update.ldif
>>>>         exit 1 # exits here if error
>>>>     fi
>>>>     unset IDLDIF
>>>>     echo "Successfully updated ${ATTR} in AD"
>>>> }
>>> That will only work on a domain controller.
>> Well yes it will only work on a DC because that is where the AD records
>> are stored, but it can be run from another Linux machine.
>>> I don't want to touch it at all,
>>> if I don't need to blow it apart.
>> Well, seeing as it is only doing what ADUC does, I do not see it blowing
>> up your AD DC.
>>> Not to mention, it will not add "objectClass: posixAccount" to the user,
>> How many times do I have to say this:
>> DO NOT ADD POSIX OBJECTCLASSES TO AD, THEY ARE NOT REQUIRED. ADUC WILL
>> NEVER ADD THEM.
> They are not required for AD, but they are required for other tools that work
> off AD LDAP.
> Don't scream like that, you may startle someone.

If your tools rely on the posix objectclasses being there, then they are
broken. The posix objectclasses are auxiliaries of other AD objectclasses
and as such, no windows tools will add them.

>>> causing all sorts of grief in the long run.
>> WHY ??
> Because my auth tools, for instance, expect the posixAccount class and check for
> it before processing further with authentication.

Your auth tools are broken or set up incorrectly.

Rowland
Greetings, Rowland Penny!

>>>> That will only work on a domain controller.
>>> Well yes it will only work on a DC because that is where the AD records
>>> are stored, but it can be run from another Linux machine.
>>>> I don't want to touch it at all,
>>>> if I don't need to blow it apart.
>>> Well, seeing as it is only doing what ADUC does, I do not see it blowing
>>> up your AD DC.
>>>> Not to mention, it will not add "objectClass: posixAccount" to the user,
>>> How many times do I have to say this:
>>> DO NOT ADD POSIX OBJECTCLASSES TO AD, THEY ARE NOT REQUIRED. ADUC WILL
>>> NEVER ADD THEM.
>> They are not required for AD, but they are required for other tools that work
>> off AD LDAP.
>> Don't scream like that, you may startle someone.
> If your tools rely on the posix objectclasses being there, then they are
> broken. The posix objectclasses are auxiliaries of other AD
> objectclasses and as such, no windows tools will add them.

Elaborate, please. A link would suffice.

>>>> causing all sorts of grief in the long run.
>>> WHY ??
>> Because my auth tools, for instance, expect the posixAccount class and check for
>> it before processing further with authentication.
> Your auth tools are broken or set up incorrectly.

You're just making things up out of ignorance. They're set up correctly and
have worked well for seven years already.

--
With best regards,
Andrey Repin
Thursday, April 9, 2015 21:42:52

Sorry for my terrible English...
On 09/04/15 at 18:31, Rowland Penny wrote:
>
> If your tools rely on the posix objectclasses being there, then they are
> broken. The posix objectclasses are auxiliaries of other AD
> objectclasses and as such, no windows tools will add them.

but, e.g., samba-tool with --uid will:

luca@ubutest:~$ sudo samba-tool user add tararo tarari --use-username-as-cn --given-name=Tararo --surname=QueTeVi --mail-address=tararo@wetron.es --uid=tararo --gid-number=513
User 'tararo' created successfully
luca@ubutest:~$ ldapsearch -H ldap://localhost -x -D 'CN=luca,CN=Users,DC=samba,DC=wetron,DC=es' -W -b 'dc=samba,dc=wetron,dc=es' '(cn=tararo)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=samba,dc=wetron,dc=es> with scope subtree
# filter: (cn=tararo)
# requesting: ALL
#

# tararo, Users, samba.wetron.es
dn: CN=tararo,CN=Users,DC=samba,DC=wetron,DC=es
cn: tararo
sn: QueTeVi
givenName: Tararo
instanceType: 4
whenCreated: 20150410075219.0Z
whenChanged: 20150410075219.0Z
displayName: Tararo QueTeVi
uSNCreated: 9330
name: tararo
objectGUID:: Fbd97R84oEqCI6vpoOXk2g==
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAHRf8UdaAOYEc27XqKxAAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: tararo
sAMAccountType: 805306368
userPrincipalName: tararo@samba.wetron.es
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samba,DC=wetron,DC=es
mail: tararo@wetron.es
uid: tararo
gidNumber: 513
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
pwdLastSet: 130731259390000000
userAccountControl: 512
uSNChanged: 9334
distinguishedName: CN=tararo,CN=Users,DC=samba,DC=wetron,DC=es

# search reference
ref: ldap://samba.wetron.es/CN=Configuration,DC=samba,DC=wetron,DC=es

# search reference
ref: ldap://samba.wetron.es/DC=DomainDnsZones,DC=samba,DC=wetron,DC=es

# search reference
ref: ldap://samba.wetron.es/DC=ForestDnsZones,DC=samba,DC=wetron,DC=es

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004
Fax +34 935883007
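Added example, not part of the thread and not Luca's or Samba's code. It parses the kind of LDIF ldapsearch printed above, decodes the base64 ("::") attributes, renders objectSid in S-1-5-... form, and reports which RFC2307 attributes the entry actually carries next to what objectClass claims. The point for anyone whose tooling, like Andrey's, gates on "objectClass: posixAccount": the entry above carries that class and a gidNumber, but no uidNumber, so a class check alone passes while an NSS/idmap consumer still has no uid to map. SAMPLE_LDIF is a trimmed copy of the output in the message; RFC2307_USER_ATTRS is the attribute set winbind's idmap_ad / sssd read for a user (an assumption about those consumers, not something stated in the thread).

```python
# Added example, not Luca's or Samba's code: parse the entry ldapsearch printed above,
# decode the base64 ("::") attributes, render objectSid as S-1-5-... and list which
# RFC2307 attributes the entry carries versus what objectClass claims. SAMPLE_LDIF is a
# trimmed copy of the message's output; RFC2307_USER_ATTRS is the user attribute set
# winbind's idmap_ad / sssd read (an assumption about those consumers, not from the thread).
import base64
import struct
from typing import Dict, List, Union

SAMPLE_LDIF = """\
# tararo, Users, samba.wetron.es
dn: CN=tararo,CN=Users,DC=samba,DC=wetron,DC=es
cn: tararo
objectGUID:: Fbd97R84oEqCI6vpoOXk2g==
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAHRf8UdaAOYEc27XqKxAAAA==
sAMAccountName: tararo
uid: tararo
gidNumber: 513
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
"""

RFC2307_USER_ATTRS = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")

Value = Union[str, bytes]

def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) back onto the line they belong to."""
    out: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out

def parse_ldif_entry(text: str) -> Dict[str, List[Value]]:
    """Parse one entry; 'attr:: b64' values are decoded and returned as bytes."""
    entry: Dict[str, List[Value]] = {}
    for line in unfold(text):
        if not line or line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        value: Value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip()
        entry.setdefault(attr, []).append(value)
    return entry

def sid_to_str(blob: bytes) -> str:
    """Binary SID -> 'S-R-A-sub...': revision, 48-bit big-endian authority, LE subauthorities."""
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("truncated SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))

def posix_report(entry: Dict[str, List[Value]]) -> dict:
    """What an NSS/idmap consumer would find: the objectClass claim vs. the attributes."""
    classes = set(entry.get("objectClass", []))
    sid = entry.get("objectSid")
    return {
        "posixAccount": "posixAccount" in classes,
        "present": [a for a in RFC2307_USER_ATTRS if a in entry],
        "missing": [a for a in RFC2307_USER_ATTRS if a not in entry],
        "sid": sid_to_str(sid[0]) if sid else None,
        "rid": struct.unpack_from("<I", sid[0], len(sid[0]) - 4)[0] if sid else None,
    }

if __name__ == "__main__":
    print(posix_report(parse_ldif_entry(SAMPLE_LDIF)))
```

For the entry above the report says posixAccount is present, gidNumber is the only RFC2307 attribute found, and uidNumber, unixHomeDirectory and loginShell are missing; the SID decodes with RID 4139. Checking for the attributes a consumer needs, rather than for the auxiliary class, is the more robust test whichever tool created the account.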