me at tdiehl.org
2017-Aug-02 03:23 UTC
[Samba] Bulk add users and rfc2307 attributes questions
Hi,

I am currently testing a self compiled 4.7.0rc3 AD DC and a samba member server acting as a file server. I have them configured to use rfc2307 attributes so that the samba users can access the shares on the member server. Everything seems to be working as expected.

The problem I am facing is I need to add about 150 users. Once the initial load of users is added I want to use the rsat tools to manage the users and shares.

I found an article @ https://wiki.samba.org/index.php/Adding_users_with_samba_tool that says to add users using samba-tool. I think I want to write a script that does something like the following substituting variables where appropriate:

    # samba-tool user create --nis-domain SAMDOM --uid-number 10007 \
        --gid-number 10000 --login-shell=/sbin/nologin --unix-home \
        /home/samba/users/test_user3 --home-drive H: --home-directory \
        '\\fs1\users\test_user3' test_user3

Testing shows that if I use samba-tool to add users, when I switch back to using ADUC to manage users the default UID in the Unix attributes tab of ADUC does not show the correct uid to use to configure the next user. It would appear that if I set the correct uid in the unix attributes tab when I configure a user in ADUC, that it would then move on from there with the correct uid.

So my questions are:

1. Are my assumptions above correct?

2. Is there a better way to do this? This just seems kludgy to me.

3. Is there an automatic way to have samba-tool assign the correct rfc-2307 uid?

Regards,

--
Tom me at tdiehl.org
Spamtrap address me123 at tdiehl.org

Rowland Penny
2017-Aug-02 06:52 UTC
[Samba] Bulk add users and rfc2307 attributes questions
On Tue, 1 Aug 2017 23:23:25 -0400 (EDT) Tom Diehl via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I am currently testing a self compiled 4.7.0rc3 AD DC and a samba
> member server acting as a file server. I have them configured to use
> rfc2307 attributes so that the samba users can access the shares on
> the member server. Everything seems to be working as expected.
>
> The problem I am facing is I need to add about 150 users. Once the
> initial load of users is added I want to use the rsat tools to manage
> the users and shares.
>
> I found an article @
> https://wiki.samba.org/index.php/Adding_users_with_samba_tool that
> says to add users using samba-tool. I think I want to write a script
> that does something like the following substituting variables where
> appropriate:
>
> # samba-tool user create --nis-domain SAMDOM --uid-number 10007 \
> --gid-number 10000 --login-shell=/sbin/nologin --unix-home \
> /home/samba/users/test_user3 --home-drive H: --home-directory \
> '\\fs1\users\test_user3' test_user3
>
> Testing shows that if I use samba-tool to add users, when I switch
> back to using ADUC to manage users the default UID in the Unix
> attributes tab of ADUC does not show the correct uid to use to
> configure the next user. It would appear that if I set the correct
> uid in the unix attributes tab when I configure a user in ADUC, that
> it would then move on from there with the correct uid.
>
> So my questions are:
>
> 1. Are my assumptions above correct?

Unfortunately, yes

>
> 2. Is there a better way to do this? This just seems kludgy to me.

not really, when you are doing this on an individual, it does seem kludgy, but, if you feed your script all the info, it will work as expected.

>
> 3. Is there an automatic way to have samba-tool assign the correct
> rfc-2307 uid?

Probably only sat on my HD and this got rejected.

What you are missing, is a couple of attributes 'msSFU30MaxUidNumber' & 'msSFU30MaxGidNumber' (note 'Max' is microsoft for 'next'). These should be in 'CN=<your lowercase domain name>,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=YOUR,DC=DNS,DC=DOMAIN'

Rowland

me at tdiehl.org
2017-Aug-02 16:21 UTC
[Samba] Bulk add users and rfc2307 attributes questions
Hi Rowland,

On Wed, 2 Aug 2017, Rowland Penny via samba wrote:

> On Tue, 1 Aug 2017 23:23:25 -0400 (EDT)
> Tom Diehl via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> I am currently testing a self compiled 4.7.0rc3 AD DC and a samba
>> member server acting as a file server. I have them configured to use
>> rfc2307 attributes so that the samba users can access the shares on
>> the member server. Everything seems to be working as expected.
>>
>> The problem I am facing is I need to add about 150 users. Once the
>> initial load of users is added I want to use the rsat tools to manage
>> the users and shares.
>>
>> I found an article @
>> https://wiki.samba.org/index.php/Adding_users_with_samba_tool that
>> says to add users using samba-tool. I think I want to write a script
>> that does something like the following substituting variables where
>> appropriate:
>>
>> # samba-tool user create --nis-domain SAMDOM --uid-number 10007 \
>> --gid-number 10000 --login-shell=/sbin/nologin --unix-home \
>> /home/samba/users/test_user3 --home-drive H: --home-directory \
>> '\\fs1\users\test_user3' test_user3
>>
>> Testing shows that if I use samba-tool to add users, when I switch
>> back to using ADUC to manage users the default UID in the Unix
>> attributes tab of ADUC does not show the correct uid to use to
>> configure the next user. It would appear that if I set the correct
>> uid in the unix attributes tab when I configure a user in ADUC, that
>> it would then move on from there with the correct uid.
>>
>> So my questions are:
>>
>> 1. Are my assumptions above correct?
>
> Unfortunately, yes
>
>>
>> 2. Is there a better way to do this? This just seems kludgy to me.
>
> not really, when you are doing this on an individual, it does seem
> kludgy, but, if you feed your script all the info, it will work as
> expected.
>
>>
>> 3. Is there an automatic way to have samba-tool assign the correct
>> rfc-2307 uid?
>
> Probably only sat on my HD and this got rejected.

Sorry, I do not understand the above statement.

>
> What you are missing, is a couple of attributes 'msSFU30MaxUidNumber' &
> 'msSFU30MaxGidNumber' (note 'Max' is microsoft for 'next'). These
> should be in 'CN=<your lowercase domain
> name>,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=YOUR,DC=DNS,DC=DOMAIN'

So if I understand you, I would do something like:

    ldbsearch -H /usr/local/samba/private/sam.ldb \
        -b CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com \
        | grep msSFU30MaxUidNumber

to get the next uid to use in the script. Is this correct?

What is the best/safest way to update msSFU30MaxUidNumber after I add a user? I am thinking about creating an ldif tmp file and then reading that in with ldbmodify. Does this sound sane? Is there a better way?

Thanks for your help.

Regards,

--
Tom me at tdiehl.org
Spamtrap address me123 at tdiehl.org
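
The procedure discussed in this thread (read msSFU30MaxUidNumber, create users with consecutive uids, write the counter back with ldbmodify), as an added example that is not part of any poster's message and not Samba's own code. It is a dry-run planner that only prints commands and LDIF; the DN, SAMDOM, fs1, paths and gid 10000 are the thread's example values, while --random-password, the name filter and the delete-then-add LDIF are assumptions of this example.

```shell
#!/bin/sh
# Added example: dry-run planner; prints commands and LDIF, changes nothing.
# DN, SAMDOM, fs1, paths and gid 10000 are the thread's example values.
YP_DN='CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com'

# Constructed sample of ldbsearch output for the ypservers entry.
SAMPLE_LDIF="# record 1
dn: $YP_DN
msSFU30MaxUidNumber: 10007
msSFU30MaxGidNumber: 10001"

# next_uid: read ldbsearch-style LDIF on stdin, print msSFU30MaxUidNumber.
# Fails if the attribute is missing or is not a plain number.
next_uid() {
    v=$(sed -n 's/^msSFU30MaxUidNumber: *//p' | head -n 1)
    case "$v" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$v"
}

# plan_users START_UID < names: one samba-tool command per accepted name with
# consecutive uids, then NEXT_UID=<n>. Names outside [a-z0-9_.-] are skipped
# so nothing unexpected reaches the generated command line.
# --random-password (assumption) avoids an interactive prompt per user.
plan_users() {
    uid=$1
    while IFS= read -r user; do
        case "$user" in
            ''|*[!a-z0-9_.-]*) printf '# skipped invalid name: %s\n' "$user"; continue ;;
        esac
        printf "samba-tool user create --random-password --nis-domain SAMDOM"
        printf " --uid-number %s --gid-number 10000 --login-shell=/sbin/nologin" "$uid"
        printf " --unix-home /home/samba/users/%s --home-drive H:" "$user"
        printf " --home-directory '%s' %s\n" "\\\\fs1\\users\\$user" "$user"
        uid=$((uid + 1))
    done
    printf 'NEXT_UID=%s\n' "$uid"
}

# max_uid_ldif OLD NEW: LDIF for ldbmodify. Deleting the exact OLD value makes
# the modify fail if the counter was changed (e.g. via ADUC) in the meantime.
max_uid_ldif() {
    [ "$2" -gt "$1" ] || return 1
    printf 'dn: %s\nchangetype: modify\n' "$YP_DN"
    printf 'delete: msSFU30MaxUidNumber\nmsSFU30MaxUidNumber: %s\n-\n' "$1"
    printf 'add: msSFU30MaxUidNumber\nmsSFU30MaxUidNumber: %s\n' "$2"
}

# Dry run over constructed input: two valid names and one that is rejected.
start=$(printf '%s\n' "$SAMPLE_LDIF" | next_uid)
plan=$(printf 'alice\nbad name\ncarol\n' | plan_users "$start")
printf '%s\n' "$plan"
max_uid_ldif "$start" "${plan##*NEXT_UID=}"
```

The printed LDIF is what would be fed to ldbmodify with the same -H database path used for ldbsearch, after the generated samba-tool commands have been reviewed and run.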