s4 managing posixAccount and posixGroup with samba-tool?

Rowland Penny repenny at f2s.com
Mon Nov 26 13:40:58 MST 2012


On 26/11/12 20:12, David Mansfield wrote:
>
>
> On 11/26/2012 10:04 AM, Rowland Penny wrote:
>> On 26/11/12 14:39, David Mansfield wrote:
>>> Hi all:
>>>
>>> Is it possible to add a user using samba-tool with an existing
>>> uidNumber and other posixAccount attributes and to add a group with a
>>> gidNumber?  Or after adding with samba-tool, is there a utility other
>>> than ldbmodify to manage the attributes?
>>>
>>> I see a long discussion in bug#8635
>>> (https://bugzilla.samba.org/show_bug.cgi?id=8635) where "steve" has
>>> posted some homegrown scripts s4user and s4group which are the only
>>> way I can find where these attributes are being set.
>>>
>>> Maybe there's an option other than the ones that are given in --help for
>>> samba-tool?
>>>
>>> In any case, is there a "best practice" for managing unix users using
>>> s4?  I need the UID/GID to be stable across my enterprise, so I'm
>>> planning on using idmap_ad on the winbind clients, I assume this will
>>> work once I get the uidNumber and gidNumber properly set in s4...
>>>
>> There is another way, forget Unix UIDs & GIDs, use 'idmap config
>> HOME:backend = rid' in smb.conf and get reliable unique UIDs and GIDs
>> based on the RID part of Windows SIDs. You also get getent to see all
>> domain users and groups, i.e. you do not need special unix groups &
>> users.
>>
>>
> Ok.  I've tried this and it does work well - for creating a new setup 
> from scratch.  My problem is that I have a legacy migration issue, I 
> have a hundred or so (unix only) users across about 30 machines with a 
> specific UID (and GID), and about 25 of them exist on a legacy samba3 
> DC with existing SID (the SID there is the old 1000 + 2*UID thing).
>
> It doesn't sound like it's going to be doable to use idmap_rid unless 
> I can control the RID in the SID for new users, and even then it will 
> fail for the existing samba3 legacy users.
>
> Despite the clean and hands-off approach that idmap_rid gives me, it 
> doesn't seem feasible unless I'm missing something.
>
> Thanks,
> David
>
>
>
How about exporting all the users somehow, then writing a script to 
create them as new users in an S4 domain?
OK, they all get new UIDs through RID but this shouldn't be a problem 
really and once completed all your user details will be in one place, 
your S4 AD.

Rowland
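Rowland's export-and-recreate suggestion, as an added example that is not part of this thread or of Samba itself: it parses a passwd(5)-style export and emits, per user, the samba-tool command that creates the account plus an LDIF fragment for ldbmodify that writes the posixAccount attributes, so the legacy UIDs and GIDs David needs to keep survive instead of being replaced by RID-derived ones. The base DN, the CN=Users container and the sample entries are assumptions; it also rejects duplicate UIDs, since a collision would break the stable-UID requirement.

```python
import shlex

# Constructed sample export in passwd(5) format; not real accounts.
PASSWD_EXPORT = """\
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1001:Bob Example:/home/bob:/bin/sh
"""

BASE_DN = "DC=example,DC=com"  # assumption: replace with your domain's base DN


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; blank lines and comments are skipped."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def check_unique_uids(users):
    """Refuse an export with duplicate uidNumbers; returns the set of UIDs."""
    seen = set()
    for u in users:
        if u["uid"] in seen:
            raise ValueError(f"duplicate uid {u['uid']} for {u['name']}")
        seen.add(u["uid"])
    return seen


def samba_tool_create(user):
    """Shell command that creates the AD user; password policy is left to you."""
    return shlex.join(["samba-tool", "user", "create", user["name"],
                       "--random-password"])


def posix_ldif(user, base_dn=BASE_DN):
    """LDIF for 'ldbmodify' that adds the rfc2307 attributes to the new user.
    Assumes samba-tool placed the object at CN=<name>,CN=Users (its default)."""
    dn = f"CN={user['name']},CN=Users,{base_dn}"
    attrs = [("uidNumber", user["uid"]), ("gidNumber", user["gid"]),
             ("gecos", user["gecos"]), ("unixHomeDirectory", user["home"]),
             ("loginShell", user["shell"])]
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in attrs:
        lines += [f"add: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"
```

Run the emitted `samba-tool` line first, then feed the LDIF to `ldbmodify` against the domain's sam.ldb; groups need the same treatment with `samba-tool group add` and a gidNumber modify.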
