I'm working on a shell script to create new users on an AD DC. Currently we use ADUC, but that is slow and error-prone. My (untested) command looks like this:

samba-tool user create $USERNAME $PASSWORD \
  --nis-domain=sta \
  --unix-home=/home/${USERNAME} \
  --uid-number=${NEXTID} \
  --login-shell=/sbin/nologin \
  --gid-number=513 \
  --use-username-as-cn \
  --home-drive=Z \
  --home-directory=\\\\gecko\\${USERNAME} \
  --profile-path=\\\\gecko\\profiles\\${USERNAME} \
  --userou='OU=users,OU=tipping'

I'm not sure I am using the "--userou" correctly. We store our active users in a separate users OU within one named for our domain, so if I look at the distinguishedName attribute for a current user in ADUC it looks like this:

CN=adrian,OU=users,OU=tipping,DC=tipping,DC=lan

The man page says this:

--userou=USEROU   DN of alternative location (without domainDN counterpart) to default CN=Users in which new user object will be created. E.g. 'OU=<OU name>'

If I get it wrong, will the command just fail or will it try to create some incorrect OU that I will then have to figure out how to clean up? Do you think I guessed correctly?

Also, did I get the (doubled) backslashes right in the Windows paths?

And should the home-drive be 'Z' or 'Z:'?

I guess a working example would help a lot for the parameters that are not in any examples in "samba-tool user create --help".

Thanks,
On Wed, 19 Apr 2017 16:06:52 -0700
Mark Nienberg via samba <samba at lists.samba.org> wrote:

> I'm working on a shell script to create new users on an AD DC.
> Currently we use ADUC, but that is slow and error-prone. My
> (untested) command looks like this:
>
> samba-tool user create $USERNAME $PASSWORD \
>   --nis-domain=sta \
>   --unix-home=/home/${USERNAME} \
>   --uid-number=${NEXTID} \
>   --login-shell=/sbin/nologin \
>   --gid-number=513 \
>   --use-username-as-cn \
>   --home-drive=Z \
>   --home-directory=\\\\gecko\\${USERNAME} \
>   --profile-path=\\\\gecko\\profiles\\${USERNAME} \
>   --userou='OU=users,OU=tipping'
>
> I'm not sure I am using the "--userou" correctly. We store our active
> users in a separate users OU within one named for our domain, so if I
> look at the distinguishedName attribute for a current user in ADUC it
> looks like this:
>
> CN=adrian,OU=users,OU=tipping,DC=tipping,DC=lan
>
> The man page says this:
>
> --userou=USEROU   DN of alternative location (without domainDN
> counterpart) to default CN=Users in which new user object will be
> created. E.g. 'OU=<OU name>'
>
> If I get it wrong, will the command just fail or will it try to
> create some incorrect OU that I will then have to figure out how to
> clean up? Do you think I guessed correctly?

The 'OU' must exist before you can create users in it, there is nothing
in samba-tool that will create the 'OU', so if the 'OU' is wrong, the
create will fail and yes, you seem to have guessed correctly.

> Also, did I get the (doubled) backslashes right in the Windows paths?

Not sure, you may have one too many '\' at the start, try creating a
test user and then examine the user's object with ldbsearch.

> And should the home-drive be 'Z' or 'Z:'?

Z:

> I guess a working example would help a lot for the parameters that
> are not in any examples in "samba-tool user create --help". Thanks,

If you are writing your own script, you could always by-pass samba-tool
and use an ldif and add this with ldbmodify.

Finally, are you really using '513' as the gidNumber for Domain Users?
If so, can I just comment that this is a dumb idea in my opinion ;-)

Rowland
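The checks Rowland points at, done in the shell before anything is written to the directory (an added example, not code from the thread or from Samba): it prints what the shell actually passes to samba-tool for the UNC paths spelled as in the original command, validates the drive-letter form, and builds the distinguishedName the new object should get so it can be compared with ldbsearch output afterwards. The host name "gecko", the OU names and the domain DN are taken from the thread; "alice" is a constructed sample user name.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows what the shell hands to
# samba-tool for the arguments discussed above, so they can be checked
# before any user object is created. "gecko", the OU names and the domain
# DN come from the thread; "alice" is a constructed sample user name.

# The UNC paths exactly as spelled in the original command, unquoted: the
# shell collapses each "\\" to "\" before samba-tool sees the argument.
home_dir_unquoted() {
    printf '%s' \\\\gecko\\"$1"
}

profile_path_unquoted() {
    printf '%s' \\\\gecko\\profiles\\"$1"
}

# The same value written with single quotes, where every backslash is
# literal; easier to read and independent of unquoted-word escaping rules.
home_dir_quoted() {
    printf '%s' '\\gecko\'"$1"
}

# The home drive is a letter followed by a colon ("Z:", not "Z").
valid_home_drive() {
    case "$1" in
        [A-Za-z]:) return 0 ;;
        *) return 1 ;;
    esac
}

# --userou takes only the OU part; samba-tool appends the domain DN. This
# builds the distinguishedName the new object should end up with, so the
# result can be compared with what ldbsearch shows afterwards.
expected_user_dn() {
    printf 'CN=%s,%s,%s' "$1" "$2" "$3"
}

# Print the values that would be passed, without touching the directory.
preflight() {
    printf 'home-directory: %s\n' "$(home_dir_unquoted "$1")"
    printf 'profile-path:   %s\n' "$(profile_path_unquoted "$1")"
    printf 'expected DN:    %s\n' \
        "$(expected_user_dn "$1" 'OU=users,OU=tipping' 'DC=tipping,DC=lan')"
}

preflight alice
```

Run it with the same shell the real script will use (sh vs. bash), because the unquoted-word escaping is what decides how many backslashes survive.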
I see what you mean about using ldbmodify, but I thought samba-tool was designed to allow me to administer my samba domain and it will protect me from messing up the ldb files, like I might with ldbmodify. I realize it has some shortcomings, but I'm hoping it is improving as time goes on. I am using ldbmodify only when I can't get the job done with samba-tool.

Thanks very much for your help. I'll move into testing my script next.

On Thu, Apr 20, 2017 at 12:21 AM, Rowland Penny <rpenny at samba.org> wrote: