[Samba] Howto for manage unix data with ADUC

steve steve at steve-ss.com
Tue Dec 10 10:41:17 MST 2013


On Tue, 2013-12-10 at 17:40 +0100, Stéphane PURNELLE wrote:
> Hi,
> 
> My tests on DC server and File/print server have some problems with
> account management...
> 
> User access rights on the home share are very strange.
> If we use ADUC and a home share (not homes) for a new user, it works.
> 
> All howtos in Samba's wiki ask the administrator to use Windows tools to
> manage users and groups and shares like the home share

What Samba then does is translate the ntacl's into something the
filesystem on your Linux server can deal with. You already have the
command line tool to do this; samba-tool ntacl, but as you will no doubt
have found out, sddl to posix and xattr's is by no means trivial.
Understanding the former is an art in itself.
> 
> so... I know that it is possible to add the unix tab on aduc (already done).
> Adding and viewing unix data is OK, but my question is what file must I
> add to samba for a NIS server (for example) and where can I configure
> the xID range?

The NIS server is just another way of keeping consistent uid's between
servers. It uses a centralised flat database which all other boxes must
refer to. There can exist NIS slave servers too. LDAP took over from NIS
as the preferred method to distribute uid's around a network, but the
principles are exactly the same: refer to a single or replicated
database so that everyone has the same uid. AD is just a variation on
LDAP. We can use it, in exactly the same way as NIS to distribute uid
consistently around the network. Again, you already have the tools you
need to put uid into an AD DC. You have already seen ADUC. If you don't
want to use that, let's say that the uid in NIS for user stephane is
1234567, so we simply use ldbmodify to add the attribute pair:
uidNumber: 1234567
to the DN for stephane in AD. It is then distributed in _exactly_ the
same way as it is in NIS. Of course, instead of having a NIS client
running we have winbind/sssd/nss-ldapd running on the client instead. 
> 
> I know that there are some people here who have this view with ADUC
> (if aduc does it like that... samba-tool must do it the same way)  :-))
> 
Absolutely. We must retain a reference standard otherwise there would be
chaos. If a windows server doesn't do it, then we shouldn't include
it.

> Hi,
> 
> My tests on DC server and File/print server have some problems with
> account management...
> 
> User access rights on the home share are very strange.
> If we use ADUC and a home share (not homes) for a new user, it works.
> 
> All howtos in Samba's wiki ask the administrator to use Windows tools to
> manage users and groups and shares like the home share
> 
> so... I know that it is possible to add the unix tab on aduc (already done).
> Adding and viewing unix data is OK, but my question is what file must I
> add to samba for a NIS server (for example) and where can I configure
> the xID range?

You don't need to add any file. All NIS does exactly is the same as AD
does; it maintains a central database of rfc2307 information so that
users can e.g. log into any computer on the network and be sure to
obtain their own stuff. Always. Why? Because that information is always
being obtained from the same source. 

The only tool where you must specify xID ranges is winbind. You do that
in smb.conf.

> I know that there are some people here who have this view with ADUC
> (if aduc does it like that... samba-tool must do it the same way)  :-))
> 
> So does anyone have a good howto?
> If the samba team wants to have the same view for management, a howto about
> aduc, rsat, unix tab and nis server becomes a good thing for me...
> 
> Anyone to write a howto?
> thx

Of course, your idea of standard will differ from the standard standard.
You as I would include in the standard, rfc2307. So long as it behaves
as it does on a windows server then fine. What _we_ then do to our
individual domains is up to us. So long as our non standard standard
doesn't become the standard then the standard will remain a standard
lol.  

> So does anyone have a good howto?
> If the samba team wants to have the same view for management, a howto about
> aduc, rsat, unix tab and nis server becomes a good thing for me...
> 
> Anyone to write a howto?
> thx

I think that most of the howto's have already been written. ldbmodify,
winbind, sssd, nslcd, AD and rfc2307. . . Could you be a little more
specific as to what howto's you would like to see?
Cheers,
Steve
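
An added example, not part of the message above and not Samba's own code: a Python check that the uidNumber values stored in AD are unique and fall inside the range configured for winbind's ad idmap backend in smb.conf. That backend ignores IDs outside its range, and two accounts sharing one uidNumber share one POSIX identity on every client. The domain name EXAMPLE, the DNs and the range values are constructed; 1234567 for stephane is the value from the message.

```python
import re
from collections import defaultdict
# Constructed sample: idmap lines from a member server's smb.conf (domain EXAMPLE is assumed).
SMB_CONF = """\
[global]
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-1999999
"""

# Constructed sample: LDIF-style export of user entries; the DNs are made up.
LDIF = """\
dn: CN=stephane,CN=Users,DC=example,DC=com
uidNumber: 1234567

dn: CN=alice,CN=Users,DC=example,DC=com
uidNumber: 10001

dn: CN=bob,CN=Users,DC=example,DC=com
uidNumber: 10001

dn: CN=carol,CN=Users,DC=example,DC=com
uidNumber: 500
"""

def idmap_range(conf, domain):
    """Return (low, high) from 'idmap config DOMAIN : range = low-high'."""
    pat = rf"^\s*idmap config {re.escape(domain)}\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$"
    m = re.search(pat, conf, re.MULTILINE | re.IGNORECASE)
    if not m:
        raise ValueError(f"no idmap range configured for {domain}")
    return int(m.group(1)), int(m.group(2))

def uid_entries(ldif):
    """Yield (dn, uidNumber) per blank-line-separated record (no base64 or folded lines)."""
    for record in ldif.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in record.splitlines() if ": " in line)
        if "uidNumber" in attrs:
            yield attrs["dn"], int(attrs["uidNumber"])

def audit(conf, ldif, domain):
    low, high = idmap_range(conf, domain)
    by_uid = defaultdict(list)
    for dn, uid in uid_entries(ldif):
        by_uid[uid].append(dn)
    # DNs whose uidNumber falls outside the configured range, then uidNumbers held by several DNs.
    out_of_range = sorted(dn for uid, dns in by_uid.items() if not low <= uid <= high for dn in dns)
    duplicates = {uid: dns for uid, dns in by_uid.items() if len(dns) > 1}
    return out_of_range, duplicates
```

`audit(SMB_CONF, LDIF, "EXAMPLE")` returns the DNs whose uidNumber is outside the configured range and a mapping of each duplicated uidNumber to the DNs that hold it.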



