s4 managing posixAccount and posixGroup with samba-tool?

Bernd Markgraf bernd.markgraf at med.ovgu.de
Mon Nov 26 17:04:25 MST 2012

> Problem is, I don't know how to "manually assign posix UID/GID" numbers 
> using s4.  Using samba-tool there is no way (that I can find), using the 
> windows "Active Directory Users & Computers" console, there is no way 
> because apparently s4 doesn't implement "Identity Management for Unix" 
> and so the tabs for managing the UNIX properties don't show up there.
that seems not quite true. I just checked the AD Users & Computer
console on my windows box and the tabs are there and I can modify the
attributes. Honestly I don't know what I did to get this to work. I
never intentionally worked on that. I always intended this to be a
script job including creating of home dirs etc on the appropriate

> I'm left with some script (called s4user) tucked away in some bug report 
> around comment#50 by "steve" which uses ldbmodify with some horrible 
> looking shell scripting to get it working (no offense to "steve" 
> intended BTW, in fact thanks!).  And my question is: is this the 
> recommended approach or am I missing some useful tool that will let me 
> get a specific UID/GID mapping applied that will be shared to all 
> clients using winbind?
It's been an awful long time since I made this work on our site. So
things might have changed. steve's script is a variation of my scripts.
Difference being that I read a pseudo passwd file to get the missing
bits and create an ldif using a template and a simple sed.
Also my setup is so old, that it doesn't have a samba-tool yet.
Initially I create (windows) users with the old net command and add the
posix attributes after that. 
The script is in turn a variation/adaption of a script I used for years
on another site with a different LDAP server. Using ldifs to setup
attributes is certainly the most portable way. (Unlike steve I don't use
ldbmodify but rather use 'standard' (at least from a solaris point) ldap
tools to connect to the server and deliver the ldif.
After all attributes are set as needed I explicitly set the
UID-SID-mapping on all appropriate fileservers to ensure the mapping is
consistent across S4 and S3 servers.

> I'm thinking:
> samba-tool posixaccount david --gecos "David Mansfield"  --loginShell 
> "/bin/bash" --uidNumber 123 --gidNumber 123 --homeDirectory
that looks certainly charming.

> Finally, if I were to write such an extension to samba-tool would this 
> be considered for inclusion BTW, or is the API of samba-tool restricted 
> to only some set of functions based on compatibility with some foreign 
> standard.
You sure would get my vote (if that counts ;-))

> Looks fairly simple (some code is already there in upgrade.py to a 
> certain extent).
Can't be too difficult. I'd guess if you replicate the behaviour of the
windows tools when adding posix attributes chances for inclusion should
be quite good.
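A worked version of the "pseudo passwd file to LDIF" step described in this reply, added here as an example; it is not the poster's script, steve's s4user, or anything shipped with samba-tool. It parses a constructed passwd-like file, refuses entries whose uidNumber/gidNumber fall outside the site's range or collide with another user (the kind of inconsistency that breaks a shared UID-SID mapping across servers), and emits `changetype: modify` LDIF that sets the same attributes the Windows UNIX tabs set (uidNumber, gidNumber, gecos, unixHomeDirectory, loginShell), ready to pipe into ldbmodify or ldapmodify. The base DN, the id ranges, the `CN=<name>` DN shape and the sample users are assumptions.

```python
import base64
import re
import sys

BASE_DN = "CN=Users,DC=example,DC=com"   # assumption: container holding the users
UID_RANGE = (10000, 19999)                # assumption: the site's allocated id ranges
GID_RANGE = (10000, 19999)
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")  # names safe to splice into a DN
POSIX_ATTRS = ("uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell")

# Constructed sample input; "bob" deliberately reuses david's uidNumber.
PSEUDO_PASSWD = """\
# name:uidNumber:gidNumber:gecos:unixHomeDirectory:loginShell
david:10001:10001:David Mansfield:/home/david:/bin/bash
alice:10002:10001:Alice Example:/home/alice:/bin/sh
bob:10001:10001:Bob Duplicate:/home/bob:/bin/bash
"""


def parse_pseudo_passwd(text):
    """Parse the pseudo passwd file into one dict per user, keyed by LDAP attribute."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 6:
            raise ValueError("line %d: expected 6 colon-separated fields" % lineno)
        name, uid, gid, gecos, home, shell = parts
        entries.append({
            "name": name,
            "uidNumber": int(uid),
            "gidNumber": int(gid),
            "gecos": gecos,
            "unixHomeDirectory": home,
            "loginShell": shell,
        })
    return entries


def check_entries(entries):
    """Return (name, problem) pairs; entries that appear here must not be applied."""
    problems = []
    seen_uid = {}
    for e in entries:
        n = e["name"]
        if not NAME_RE.match(n):
            problems.append((n, "name not safe for the CN=<name> DN template"))
        if not UID_RANGE[0] <= e["uidNumber"] <= UID_RANGE[1]:
            problems.append((n, "uidNumber %d outside site range" % e["uidNumber"]))
        if not GID_RANGE[0] <= e["gidNumber"] <= GID_RANGE[1]:
            problems.append((n, "gidNumber %d outside site range" % e["gidNumber"]))
        if e["uidNumber"] in seen_uid:
            problems.append((n, "uidNumber %d already used by %s"
                             % (e["uidNumber"], seen_uid[e["uidNumber"]])))
        else:
            seen_uid[e["uidNumber"]] = n
        for attr in ("unixHomeDirectory", "loginShell"):
            if not e[attr].startswith("/"):
                problems.append((n, "%s must be an absolute path" % attr))
        if not e["gecos"]:
            problems.append((n, "gecos is empty; a replace with no value would delete it"))
    return problems


def ldif_attr(attr, value):
    """One LDIF attribute line; values RFC 2849 calls unsafe are base64-encoded."""
    s = str(value)
    safe = (s.isascii() and s.isprintable()
            and not s.startswith((" ", ":", "<")) and not s.endswith(" "))
    if safe:
        return "%s: %s" % (attr, s)
    return "%s:: %s" % (attr, base64.b64encode(s.encode("utf-8")).decode("ascii"))


def make_ldif(entries):
    """One 'changetype: modify' record per user, replacing each posix attribute."""
    records = []
    for e in entries:
        lines = ["dn: CN=%s,%s" % (e["name"], BASE_DN), "changetype: modify"]
        for attr in POSIX_ATTRS:
            lines += ["replace: %s" % attr, ldif_attr(attr, e[attr]), "-"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    entries = parse_pseudo_passwd(PSEUDO_PASSWD)
    problems = check_entries(entries)
    for name, msg in problems:
        print("skipping %s: %s" % (name, msg), file=sys.stderr)
    bad = {name for name, _ in problems}
    # Pipe this into: ldbmodify -H /path/to/sam.ldb  (or ldapmodify against the DC)
    sys.stdout.write(make_ldif([e for e in entries if e["name"] not in bad]))
```

The collision check is the part worth keeping even if the rest is replaced by a real tool: winbind on every member server will hand out whatever uidNumber it reads from the directory, so two accounts sharing one number become one identity on every filesystem that trusts AD for ids.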


More information about the samba-technical mailing list