Enabling idmap_ldb:use rfc2307 = yes on 2 DCs

Daniele Dario d.dario76 at gmail.com
Tue Sep 25 03:18:29 MDT 2012


Hi Steve,
just to be sure I understood:

even if I provision with --use-rfc2307 I won't get it working without
using an external script to add users/groups, which has to modify the ldbs,
adding the objectClass: posixAccount/posixGroup and the
uidNumber/gidNumber for every user/group added, right?

Said this, it won't work from a Windows box using the Admin tools (they
will invoke the basic samba tools, not the changed scripts). I was
looking at the examples you pointed me to:

#!/bin/bash
# usage: addgroup <groupname>
samba-tool group add "$1"
# wbinfo --group-info prints name:x:gid:members; field 3 is the gid winbind allocated
strgid=$(wbinfo --group-info="$1")
gid=$(echo "$strgid" | cut -d ":" -f 3)
# add the posixGroup class and the gidNumber to the group object in AD
echo "dn: cn=$1,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixGroup
-
add: gidnumber
gidnumber: $gid" > "/tmp/$1"
ldapmodify -h 192.168.1.3 -D cn=Administrator,cn=Users,dc=hh3,dc=site -Y GSSAPI -f "/tmp/$1"
rm "/tmp/$1"

and

#!/bin/bash
# usage: adduser <username> <primary group name>
samba-tool user add "$1"
sleep 2
#get the uid (wbinfo -i prints DOMAIN\user:*:uid:gid:...; field 3 is the uid)
struid=$(wbinfo -i "$1")
uid=$(echo "$struid" | cut -d ":" -f 3)
#get the gid of the primary group
strgid=$(wbinfo --group-info="$2")
gid=$(echo "$strgid" | cut -d ":" -f 3)
#get the group RID from the sid (last field of S-1-5-21-x-y-z-RID)
strsid=$(wbinfo --gid-to-sid="$gid")
primarygid=$(echo "$strsid" | cut -d "-" -f 8)
#the workgroup is the part of DOMAIN\user before the backslash
strwg=$(echo "$struid" | cut -d "\\" -f 1)
#add the posix attributes to the user
echo "dn: CN=$1,CN=Users,DC=hh3,DC=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: $uid
-
add: gidnumber
gidnumber: $gid
-
add: unixhomedirectory
unixhomedirectory: /home/$strwg/$1
-
add: loginshell
loginshell: /bin/bash" > "/tmp/$1"
ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site "/tmp/$1"
samba-tool group addmembers "$2" "$1"
#set the user's primary group to the posix group
echo "dn: CN=$1,CN=Users,DC=hh3,DC=site
changetype: modify
replace: primarygroupid
primarygroupid: $primarygid" > "/tmp/$1"
echo "sleeping. . ."
sleep 5
ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site "/tmp/$1"
mkdir "/home/$strwg/$1"
chown -R "$1:$2" "/home/$strwg/$1"
rm "/tmp/$1"
#add the windows profile and home drive attributes
hostname=$(hostname -s)
echo "dn: CN=$1,CN=Users,DC=hh3,DC=site
changetype: modify
add: profilePath
profilePath: \\\\$hostname\\profiles\\$1
-
add: homeDrive
homeDrive: Z:
-
add: homeDirectory
homeDirectory: \\\\$hostname\\home\\$1" > "/tmp/$1"
echo "sleeping. . ."
sleep 5
ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site "/tmp/$1"
rm "/tmp/$1"

Thanks,
Daniele.

On Mon, 2012-09-24 at 18:07 +0200, steve wrote:
> On 24/09/12 17:00, Daniele Dario wrote:
> > I can see only the following objectClass statements:
> >
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: user
> >
> > Is it correct or am I missing something?
> 
> You are missing:
> objectClass: posixAccount
> uidNumber: abc
> gidNumber: xyz
> 
> >
> > If I join another DC to the domain and in it's smb.conf I add the
> > idmap_ldb:use rfc2307 = Yes statement would it pull the UID from the AD?
> No.
> 
> > Would the UIDs be the same on both DCs?
> No.
> 
> If uidNumber is not in AD to start with, then no amount of idmap_ldb:use 
> rfc2307 = Yes will pull it from there.
> 
> A script wrapping around samba-tool user add can add the class and 
> attributes easily.
> 
> Cheers,
> Steve
> 
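Added example, not code from this thread or from Samba: a small POSIX shell check that reads one LDIF entry, in the form ldbsearch prints it, and reports whether the three things Steve says are missing (objectClass: posixAccount, uidNumber, gidNumber) are present, so a user can be verified before relying on idmap_ldb:use rfc2307 on a DC. The user entries, their uidNumber/gidNumber values and the DN suffix DC=hh3,DC=site are constructed sample data; the ldbsearch invocation in the comment is assumed from its usual syntax and is not run here.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba). Audits an LDIF entry
# for the RFC2307 attributes that must exist in AD before a DC with
# idmap_ldb:use rfc2307 = yes can map the user: objectClass posixAccount,
# uidNumber and gidNumber.
# Assumed real-world use on a DC (ldbsearch syntax assumed, not verified here):
#   ldbsearch -H /usr/local/samba/private/sam.ldb "(sAMAccountName=alice)" \
#       objectClass uidNumber gidNumber | check_rfc2307
# Caveat: values that ldbsearch base64-encodes ("attr:: ...") are not matched.

# check_rfc2307: read one LDIF entry on stdin; print "ok" and return 0 when
# all three are present, otherwise print what is missing and return 1.
# Attribute names are compared case-insensitively, as AD treats them.
check_rfc2307() {
    entry=$(cat)
    missing=""
    printf '%s\n' "$entry" | grep -qi '^objectClass: posixAccount$' \
        || missing="$missing objectClass:posixAccount"
    printf '%s\n' "$entry" | grep -qiE '^uidNumber: [0-9]+$' \
        || missing="$missing uidNumber"
    printf '%s\n' "$entry" | grep -qiE '^gidNumber: [0-9]+$' \
        || missing="$missing gidNumber"
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
}

# uid_number: print the uidNumber of the entry passed as $1 (empty if none).
uid_number() {
    printf '%s\n' "$1" | awk -F': *' 'tolower($1) == "uidnumber" { print $2; exit }'
}

# audit_entry: run check_rfc2307 on an entry passed as a string.
audit_entry() {
    printf '%s\n' "$1" | check_rfc2307
}

# Constructed sample: a user as "samba-tool user add" creates it (the class
# list Daniele saw), with no posix attributes.
BARE_USER='dn: CN=alice,CN=Users,DC=hh3,DC=site
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: alice'

# Constructed sample: the same user after the wrapper script has added the
# posixAccount class and the numbers (values are made up).
POSIX_USER="$BARE_USER
objectClass: posixAccount
uidNumber: 3000012
gidNumber: 3000001
unixHomeDirectory: /home/HH3/alice
loginShell: /bin/bash"

# Constructed sample: the same replicated object as dumped on a second DC;
# attribute order differs, the stored numbers do not.
POSIX_USER_DC2='dn: CN=alice,CN=Users,DC=hh3,DC=site
uidNumber: 3000012
gidNumber: 3000001
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: posixAccount
sAMAccountName: alice'

# Demonstration when run directly.
audit_entry "$BARE_USER" || echo "alice cannot be mapped via rfc2307 yet"
audit_entry "$POSIX_USER"
echo "uidNumber on DC1: $(uid_number "$POSIX_USER"), on DC2: $(uid_number "$POSIX_USER_DC2")"
```

Because the check only reads the attributes stored in the directory, a user that passes it will get the same uidNumber from every DC that has idmap_ldb:use rfc2307 = yes; a user that fails it is the case Steve describes, where the setting has nothing to pull from AD.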
