s4: new classicupgrade and uids

steve steve at steve-ss.com
Thu Jun 21 09:09:51 MDT 2012


On 06/21/2012 02:43 PM, Sergey Urushkin wrote:
> Hi!
> I've just made a test upgrade from s3 with the new uid/gid migration
> feature and I have some questions:
>
> 1. Computer accounts have objectclass:posixAccount and uidNumber
> attributes. What is it for? As far as I know unix computer accounts are
> needed only for s3 dc, so am I right? If so, then computer accounts should
> be excluded somehow.
Hi
We use those attributes so that we can join Linux clients to the domain 
and users can login with them without having to use winbind.
>
> 2. 'Administrator' hasn't got a uidNumber (while it had it in
> openldap), so it makes me map it manually. Is it a bug or feature?
>
> 3. To have an ability to manage user's uid, gid, etc. through dsa.msc we
> need to add NIS domain to AD. And then add some attributes to
> accounts/groups. Why not to add NIS domain (it's a simple ldif) to
> config while provisioning (named as workgroup by default and also have
> a provision/classicupgrade option to change the name) and then
> additionally modify users like this:
> changetype: modify
> replace: msSFU30NisDomain
> msSFU30NisDomain: $NISDOMAIN
> -
> replace: msSFU30Name
> msSFU30Name: $USER
>
> and groups like this:
>
> changetype: modify
> replace: msSFU30NisDomain
> msSFU30NisDomain: $NISDOMAIN
> -
> replace: msSFU30Name
> msSFU30Name: $GROUP
>
> Thanks.
>
We made a simple script to do this without changing the schema. We 
manage most of the domain from the s4DC and rarely touch ADUC. The main 
reason we don't use winbind is because our unixHomeDirectory attributes 
do not all point at the same directory.

The script is here. It has many similarities to your sfu example for the 
most part.
http://dl.dropbox.com/u/45150875/s4bind.tar.gz
Cheers,
Steve
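
An added example, not part of the original thread and not the s4bind script: a generator for the msSFU30NisDomain/msSFU30Name modify records quoted above, one per user or group. The DNs, the NIS domain name and the function names are constructed for illustration; values that are not LDIF-safe (RFC 2849) are base64-encoded so that an account name containing a newline cannot add extra directives to the record.

```python
import base64

def ldif_attr(name, value):
    """Return one LDIF line; base64-encode values that are not RFC 2849 safe."""
    raw = value.encode("utf-8")
    safe = (
        raw == b""
        or (raw[0] not in b" :<"                    # SAFE-INIT-CHAR
            and raw[-1:] != b" "                    # no trailing space
            and all(0x20 <= b < 0x7F for b in raw)) # printable ASCII only
    )
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(raw).decode('ascii')}"

def sfu_modify(dn, nis_domain, name):
    """Build the modify record from the thread for one user or group entry."""
    return "\n".join([
        ldif_attr("dn", dn),
        "changetype: modify",
        "replace: msSFU30NisDomain",
        ldif_attr("msSFU30NisDomain", nis_domain),
        "-",
        "replace: msSFU30Name",
        ldif_attr("msSFU30Name", name),
        "-",
    ]) + "\n"

def build_ldif(nis_domain, entries):
    """entries: iterable of (dn, name) pairs; records are blank-line separated."""
    return "\n".join(sfu_modify(dn, nis_domain, name) for dn, name in entries)

# Constructed sample input: these DNs and names are assumptions, not from the thread.
SAMPLE_ENTRIES = [
    ("CN=alice,CN=Users,DC=example,DC=com", "alice"),
    ("CN=Domain Users,CN=Users,DC=example,DC=com", "Domain Users"),
    ("CN=Zoë,CN=Users,DC=example,DC=com", "zoe"),
]

if __name__ == "__main__":
    print(build_ldif("EXAMPLE", SAMPLE_ENTRIES), end="")
```

The output can be reviewed and then applied with an LDIF-aware tool such as ldapmodify.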