Henry Jensen
2018-May-24 10:12 UTC
[Samba] Maintaining Unix Attributes in AD - best practice?
Hello,

we are testing migration from an NT style Samba 3 domain to a Samba 4 AD domain. As we are keeping RFC2307 Unix Attributes in the AD we also want to add them to future accounts.

Because the Unix Attributes tab is no longer available since Windows 10, I am looking for the best way to add Unix attributes to users.

I know that setting Unix attributes in Windows 10 ADUC tool is possible manually, but certainly not the best way. And keeping a Windows 7 station with RSAT tools online isn't the best solution either, especially when security support for Windows 7 runs out in 2020.

So, what would be the best way to add Unix attributes to AD? I read on this list that adding AD users with "samba-tool --uid-number" is discouraged.

There are some specialized distros which are offering decent web interfaces to Samba AD (e.g. Univention UCS, Zentyal) and do so also create Unix attributes, but it seems that these web interfaces cannot be used outside these "appliances". Such a web interface would be ideal.

As a second best solution I imagine a script which retrieves the necessary data interactively (with a TUI, GUI or web frontend), creates an LDIF file and adds the user via ldbadd.

Are there any solutions for this in the works or what is the best way?

Kind regards,

Henry
Marco Gaiarin
2018-May-24 10:42 UTC
[Samba] Maintaining Unix Attributes in AD - best practice?
Hello! Henry Jensen via samba
  On that day it was said...

> Are there any solutions for this in the works or what is the best way?

For a web interface, give 'LAM' (LDAP Account manager) a try...

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Rowland Penny
2018-May-24 18:45 UTC
[Samba] Maintaining Unix Attributes in AD - best practice?
On Thu, 24 May 2018 12:12:54 +0200 Henry Jensen via samba <samba at lists.samba.org> wrote:

> Hello,
>
> we are testing migration from an NT style Samba 3 domain to a Samba 4
> AD domain. As we are keeping RFC2307 Unix Attributes in the AD we also
> want to add them to future accounts.
>
> Because the Unix Attributes tab is no longer available since Windows
> 10, I am looking for the best way to add Unix attributes to users.
>
> I know that setting Unix attributes in Windows 10 ADUC tool is
> possible manually, but certainly not the best way. And keeping a
> Windows 7 station with RSAT tools online isn't the best solution
> either, especially when security support for Windows 7 runs out in
> 2020.
>
> So, what would be the best way to add Unix attributes to AD?
> I read on this list that adding AD users with "samba-tool
> --uid-number" is discouraged.

Where did you read that?

Of course you can use samba-tool, there are just two problems: The first is that you cannot ADD posix attributes with 'samba-tool user', you have to create the user with the attributes in the first place. The second is, you have to track the uidNumber & gidNumber attributes yourself, there is no automatic way of doing this. You could always 'add' the two missing attributes and then write your own script around 'samba-tool user create'.

Rowland
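A wrapper around 'samba-tool user create', as suggested in the message above, has to choose the uidNumber itself. The sketch below is an added example, not code from this thread or from the Samba project: it allocates the next ID from a directory dump and refuses usernames or IDs that would be unsafe. The ID range, the sample LDIF, the home path, the login shell and all function names are assumptions.

```python
import re

# Constructed sample in the LDIF shape a uidNumber search returns (not real data).
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
uidNumber: 10000

dn: CN=bob,CN=Users,DC=example,DC=com
uidNumber: 10002

dn: CN=legacy,CN=Users,DC=example,DC=com
uidNumber: 500
"""

UID_MIN, UID_MAX = 10000, 59999   # assumed site range, kept well clear of 0 and system IDs
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,30}")  # cannot start with '-' (option injection)


def used_uids(ldif):
    """Collect every uidNumber already present in the directory dump."""
    return {int(m.group(1)) for m in re.finditer(r"^uidNumber:\s*(\d+)\s*$", ldif, re.M)}


def next_uid(used):
    """Return highest in-range uidNumber + 1; gaps below the maximum are not refilled."""
    in_range = [u for u in used if UID_MIN <= u <= UID_MAX]
    candidate = max(in_range, default=UID_MIN - 1) + 1
    if candidate > UID_MAX:
        raise RuntimeError("uidNumber range exhausted")
    return candidate


def build_create_argv(username, ldif, gid_number, nis_domain):
    """Build an argv list (no shell involved) for 'samba-tool user create'."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"refusing unsafe username: {username!r}")
    if not UID_MIN <= int(gid_number) <= UID_MAX:  # assumes groups share the ID range
        raise ValueError("gidNumber outside the managed range")
    uid = next_uid(used_uids(ldif))
    return ["samba-tool", "user", "create", username, "--random-password",
            f"--uid-number={uid}", f"--gid-number={int(gid_number)}",
            f"--unix-home=/home/{username}", "--login-shell=/bin/bash",
            f"--nis-domain={nis_domain}"]


if __name__ == "__main__":
    print(build_create_argv("hjensen", SAMPLE_LDIF, 10000, "example"))
```

Run the directory search and the create under one lock so two administrators cannot allocate the same ID. Because max+1 can reissue the ID of a deleted highest-numbered account, a stored counter is safer where accounts are removed.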
Henry Jensen
2018-May-25 13:32 UTC
[Samba] Maintaining Unix Attributes in AD - best practice?
On Thu, 24 May 2018 19:45:46 +0100 Rowland Penny via samba <samba at lists.samba.org> wrote:

> > So, what would be the best way to add Unix attributes to AD?
> > I read on this list that adding AD users with "samba-tool
> > --uid-number" is discouraged.
>
> Where did you read that?

It was a message on the list. Something about messing up the internal AD uidNumber counter.

> Of course you can use samba-tool, there are just two problems:
> The first is that you cannot ADD posix attributes with 'samba-tool
> user', you have to create the user with the attributes in the first
> place. The second is, you have to track the uidNumber & gidNumber
> attributes yourself, there is no automatic way of doing this. You could
> always 'add' the two missing attributes and then write your own script
> around 'samba-tool user create'.

Thanks for the clarification.

Kind regards,

Henry
Marcio Vogel Merlone dos Santos
2018-Aug-23 18:21 UTC
[Samba] Maintaining Unix Attributes in AD - best practice?
On 24/05/2018 07:42, Marco Gaiarin via samba wrote:

> Hello! Henry Jensen via samba
>> Are there any solutions for this in the works or what is the best way?
> For a web interface, give 'LAM' (LDAP Account manager) a try...

Hi,

I am in the exact same situation as the OP right now. I just took a look at LAM, but it seems that maintaining Unix attributes is a PRO-only feature, am I right? What else is available, what are you guys using?

Best regards,

--
*Marcio Merlone*