Today a topic popped up again, which I already wrote about in this thread a while ago:

https://groups.google.com/forum/#!topic/linux.samba/w2B-0bRy9_0

Creating new users via ADUC under Windows10 still gives us users with missing attributes like uidNumber etc

As far as I understand, this simply doesn't work with Win10, related to

https://wiki.samba.org/index.php/Installing_RSAT#Missing_Unix_Attributes_tab_in_ADUC_on_Windows_10_and_Windows_Server_2016

?

What are my options here?

So far we created users on the shell, via samba-tool. Now there is a junior admin on site and it would be nice to be able to use ADUC as well.

Is it possible/reasonable to fiddle with the ID mapping? Swap the backend?

We have 2 samba DCs and one samba DM there (4.9.x currently), about 50 users in AD (and in turn maybe 30-40 windows machines as well), if that is relevant in any way.

Sorry for still not having fully understood these mapping issues ...

regards, Stefan

Here are a couple links that you may find useful:

https://serverfault.com/q/764185/55544
https://serverfault.com/q/484908/55544

Jonathon

On Thu, Mar 21, 2019 at 2:31 PM Stefan G. Weichinger via samba <samba at lists.samba.org> wrote:
> Today a topic popped up again, which I already wrote about in this
> thread a while ago:
>
> https://groups.google.com/forum/#!topic/linux.samba/w2B-0bRy9_0
>
> Creating new users via ADUC under Windows10 still gives us users with
> missing attributes like uidNumber etc
>
> As far as I understand, this simply doesn't work with Win10, related to
>
> https://wiki.samba.org/index.php/Installing_RSAT#Missing_Unix_Attributes_tab_in_ADUC_on_Windows_10_and_Windows_Server_2016
>
> ?
>
> What are my options here?
>
> So far we created users on the shell, via samba-tool. Now there is a
> junior admin on site and it would be nice to be able to use ADUC as well.
>
> Is it possible/reasonable to fiddle with the ID mapping? Swap the backend?
>
> We have 2 samba DCs and one samba DM there (4.9.x currently), about 50
> users in AD (and in turn maybe 30-40 windows machines as well), if that
> is relevant in any way.
>
> Sorry for still not having fully understood these mapping issues ...
>
> regards, Stefan

On Thu, 21 Mar 2019 19:31:01 +0100 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> Today a topic popped up again, which I already wrote about in this
> thread a while ago:
>
> https://groups.google.com/forum/#!topic/linux.samba/w2B-0bRy9_0
>
> Creating new users via ADUC under Windows10 still gives us users with
> missing attributes like uidNumber etc
>
> As far as I understand, this simply doesn't work with Win10, related to
>
> https://wiki.samba.org/index.php/Installing_RSAT#Missing_Unix_Attributes_tab_in_ADUC_on_Windows_10_and_Windows_Server_2016
>
> ?
>
> What are my options here?
>
> So far we created users on the shell, via samba-tool. Now there is a
> junior admin on site and it would be nice to be able to use ADUC as well.
>
> Is it possible/reasonable to fiddle with the ID mapping? Swap the backend?
>
> We have 2 samba DCs and one samba DM there (4.9.x currently), about 50
> users in AD (and in turn maybe 30-40 windows machines as well), if that
> is relevant in any way.
>
> Sorry for still not having fully understood these mapping issues ...
>

This is one of the decisions you have to make, do you want to have the same ID's everywhere, or just on Unix domain members ? Do you want to set different login shells and/or different home directories ?

If you want the same ID's everywhere and the ability to set different login shells/homedirectories for your users, then you must use the 'ad' backend, this does involve adding uidNumber attributes to the user objects. This is what the Unix Attributes tab used to do.

If none of the above applies, then you can use the 'rid' backend, this will give you the same ID's on all Unix domain members, but all users that connect to the computer will get the same login shell and homedirectory, you also will not have to add anything to AD.

Rowland

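The two backends described in the message above, written out as smb.conf settings for a Unix domain member. This is an added example and not part of the thread; the domain name SAMDOM, both ID ranges, and the template shell and home directory values are placeholders.

```ini
# Constructed [global] fragments for a Unix domain member.
# Use ONE variant; SAMDOM and all ranges are placeholders.

# --- Variant A: 'ad' backend -------------------------------------
# IDs are read from the uidNumber/gidNumber attributes stored in AD,
# so every user and group that should be visible needs them set.
# An account whose uidNumber is missing or outside the range below
# is not mapped on this member.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 10000-999999
# Take the login shell and home directory from AD as well
idmap config SAMDOM : unix_nss_info = yes

# --- Variant B: 'rid' backend ------------------------------------
# IDs are calculated from each account's RID and the range below;
# nothing has to be added to AD. All domain users get the same
# shell and home directory pattern from the template settings.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
template shell = /bin/bash
template homedir = /home/%U
```

Under `rid` the ID is derived from the RID and the configured range, so it will generally differ from a uidNumber previously set in AD; files already on disk keep the numeric owners they were created with.
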
On 21.03.19 at 19:54, Rowland Penny via samba wrote:
> This is one of the decisions you have to make, do you want to have the
> same ID's everywhere, or just on Unix domain members ?

We only have one Unix domain member aside from the DCs and that is the samba file server.

> Do you want to
> set different login shells and/or different home directories ?

nope

the AD users don't do ssh or bash or so ... "only" file access and stuff like login/logout and GPOs etc

(only I and the main admin there use ssh to the servers ...)

> If you want the same ID's everywhere and the ability to set different
> login shells/homedirectories for your users, then you must use the 'ad'
> backend, this does involve adding uidNumber attributes to the user
> objects. This is what the Unix Attributes tab used to do.
>
> If none of the above applies, then you can use the 'rid' backend, this
> will give you the same ID's on all Unix domain members, but all users
> that connect to the computer will get the same login shell and
> homedirectory, you also will not have to add anything to AD.

And is it possible to change the backend from ad to rid with reasonable effort?

thanks, Stefan