s4 managing posixAccount and posixGroup with samba-tool?

Rowland Penny repenny at f2s.com
Mon Nov 26 13:40:58 MST 2012

On 26/11/12 20:12, David Mansfield wrote:
> On 11/26/2012 10:04 AM, Rowland Penny wrote:
>> On 26/11/12 14:39, David Mansfield wrote:
>>> Hi all:
>>> Is it possible to add a user using samba-tool with an existing
>>> uidNumber and other posixAccount attributes and to add a group with a
>>> gidNumber?  Or after adding with samba-tool, is there a utility other
>>> than ldbmodify to manage the attributes?
>>> I see a long discussion in bug#8635
>>> (https://bugzilla.samba.org/show_bug.cgi?id=8635) where "steve" has
>>> posted some homegrown scripts s4user and s4group which are the only
>>> way I can find where these attributes are being set.
>>> Maybe there's an option other than the ones that are given in --help for
>>> samba-tool?
>>> In any case, is there a "best practice" for managing unix users using
>>> s4?  I need the UID/GID to be stable across my enterprise, so I'm
>>> planning on using idmap_ad on the winbind clients, I assume this will
>>> work once I get the uidNumber and gidNumber properly set in s4...
>> There is another way, forget Unix UIDs & GIDs, use 'idmap config
>> HOME:backend = rid' in smb.conf and get reliable unique UIDs and GIDs
>> based on the RID part of Windows SIDs. You also get getent to see all
>> domain users and groups, i.e. you do not need special unix groups &
>> users.
> Ok.  I've tried this and it does work well - for creating a new setup 
> from scratch.  My problem is that I have a legacy migration issue, I 
> have a hundred or so (unix only) users across about 30 machines with a 
> specific UID (and GID), and about 25 of them exist on a legacy samba3 
> DC with existing SID (the SID there is the old 1000 + 2*UID thing).
> It doesn't sound like it's going to be doable to use idmap_rid unless 
> I can control the RID in the SID for new users, and even then it will 
> fail for the existing samba3 legacy users.
> Despite the clean and hands-off approach that idmap_rid gives me, it 
> doesn't seem feasible unless I'm missing something.
> Thanks,
> David
How about exporting all the users somehow, then writing a script to 
create them as new users in a S4 domain?
OK, they all get new UIDs through RID but this shouldn't be a problem 
really and once completed all your user details will be in one place, 
your S4 AD.
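The mapping both posters are discussing, worked through as an added example (not code from the thread or from the Samba project): idmap_rid derives a Unix ID from the RID of a SID using the documented formula ID = RID - BASE_RID + LOW_RANGE_ID, while the legacy Samba 3 DC in David's setup built its user RIDs as 2*UID + 1000. Running both against the same user shows why the RID-based UID will not equal the legacy UID. The domain SID, the ID range and the sample UID are constructed values; the functions and names are my own.

```python
"""Compare idmap_rid's SID -> UID mapping with the legacy Samba 3
algorithmic RID (2*UID + 1000) named in the thread.

Added example, not part of the original mailing-list post.
Assumes the idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID with
the default base_rid of 0; all SIDs and ranges below are constructed.
"""

from typing import Optional, Tuple


def parse_sid(sid: str) -> Tuple[str, int]:
    """Split a textual SID into (domain SID, RID); the RID is the last sub-authority."""
    if not sid.startswith("S-1-"):
        raise ValueError(f"not a SID: {sid!r}")
    parts = sid.split("-")
    if len(parts) < 4:
        raise ValueError(f"SID has no RID component: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def rid_to_unix_id(rid: int, low: int, high: int, base_rid: int = 0) -> Optional[int]:
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID.

    Returns None when the result falls outside the configured
    'idmap config DOMAIN : range = low-high', which is what makes
    winbind refuse to map that SID.
    """
    unix_id = rid - base_rid + low
    if unix_id < low or unix_id > high:
        return None
    return unix_id


def legacy_samba3_user_rid(uid: int) -> int:
    """The Samba 3 algorithmic user mapping David refers to: RID = 2*UID + 1000."""
    return 2 * uid + 1000


def check_legacy_user(uid: int, domain_sid: str, low: int, high: int) -> Tuple[str, Optional[int], bool]:
    """For a legacy user with a fixed Unix UID, return
    (SID the Samba 3 DC assigned, UID idmap_rid would assign, whether they agree)."""
    rid = legacy_samba3_user_rid(uid)
    sid = f"{domain_sid}-{rid}"
    _, parsed_rid = parse_sid(sid)          # round-trip the SID the way winbind would
    new_uid = rid_to_unix_id(parsed_rid, low, high)
    return sid, new_uid, new_uid == uid


if __name__ == "__main__":
    # Constructed domain SID and range; the sample user has legacy UID 500.
    DOMAIN_SID = "S-1-5-21-1111-2222-3333"
    LOW, HIGH = 10000, 99999
    sid, new_uid, stable = check_legacy_user(500, DOMAIN_SID, LOW, HIGH)
    print(f"legacy UID 500 -> SID {sid} -> idmap_rid UID {new_uid}; stable={stable}")
```

The stable flag is False for every legacy user: with range 10000-99999 the user with UID 500 gets RID 2000 and idmap_rid maps that back to UID 12000, not 500. That is the mismatch David describes; Rowland's suggestion is to accept the new UIDs by recreating the users in the S4 domain rather than trying to preserve the old ones.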
