samba-tool

[Rowland Penny]

On 04/10/13 09:47, Stéphane PURNELLE wrote:
> 1) You says : " if you use samba-tool,
> > you have to supply the uidNumber, ADUC also adds the following 
> attributes:
> > uid, msSFU30Name, msSFU30NisDomain, uidNumber, gidNumber,
> > unixHomeDirectory, loginShell, unixUserPassword"
>
> But is not correct, if you use samba-tool, you CAN supply some 
> supplemental information like :
> uidNumber, gidNumber, unixHomeDirectory, loginShell, ...
>
> if you do:
> $ samba-tool user create rowland
> Samba will do same thing that ADUC.
>
> All  parameter in samba-tool are optional.
>
> 2) Let administrator to have possibility to manage uidNumber and 
> gidNumber outside AD part.
> My story is a upgrade from samba3
> My samba3 config is samba + ldap.
> I use samba-ldap-tools for adding user and group.
>
> All user and group xidNumber is supplyed by config in ldap tree and 
> actullay start from 1000 -> xxxx
> samba4 start at 3000000, I don't know why... I cannot change this.
>
> My solution : create counter file for uidNumber and gidNumber and I 
> supply xidNumber when I create a user or a group by samba-tool.
> And I will not use ADUC for creation (just for manage member of group).
>
> 3) The only thing that I can suggest to samba team is adding some 
> parameters ("add user script and add group scrit) to smb.conf
> And if user or group is created by ADUC, samba call theses scripts for 
> adding data on user or group like posixAccount and posixGroup or other 
> think.
>
> And add some function to samba-tool for permit to set data for user or 
> group
> Example: $ samba-tool user setParameter stephane --uidNumber=8963
>
>
>
>
>
>
>
> -----------------------------------
> Stéphane PURNELLE         Admin. Systèmes et Réseaux
> Service Informatique       Corman S.A.     Tel : 00 32 (0)87/342467
>
> samba-technical-bounces at lists.samba.org wrote on 03/10/2013 21:59:29:
>
> > De : Rowland Penny <repenny241155 at gmail.com>
> > A : Lukasz Zalewski <lukas at eecs.qmul.ac.uk>,
> > Cc : Jelmer Vernooij <jelmer at samba.org>, samba-technical <samba-
> > technical at lists.samba.org>
> > Date : 03/10/2013 21:59
> > Objet : Re: samba-tool
> > Envoyé par : samba-technical-bounces at lists.samba.org
> >
> > On 03/10/13 20:36, Lukasz Zalewski wrote:
> > > On 03/10/2013 18:15, Rowland Penny wrote:
> > >> On 03/10/13 18:05, Jelmer Vernooij wrote:
> > >>> On Thu, Oct 03, 2013 at 04:04:25PM +0100, Rowland Penny wrote:
> > >>>> just a quick question, if samba-tool does something differently to
> > >>>> the way that windows works, would this be regarded as a bug?
> > >>> Different in what way, can you give a specific example? There is no
> > >>> command-line tool on Windows called 'samba-tool', and
> > >>> we long seem to have given up on trying to make it match
> > >>> the behaviour of the 'net' tool on Windows.
> > >>>
> > >>> Cheers,
> > >>>
> > >>> Jelmer
> > >> Hi Jelmer, If you create a user in ADUC and add the Unix attributes,
> > >> this is done totally differently to the way that samba-tool does 
> it. For
> > >> instance,  '--uid-number' requires that you give a 'uidNumber' 
> but ADUC
> > >> (provided AD is setup correctly) supplies it automatically, 
> samba-tool
> > >> also doesn't add all the attributes that ADUC does.
> > >>
> > >> Rowland
> > >
> > > Hi Rowland,
> > > Indeed only portion of the attributes are configurable via samba-tool.
> > > Are there particular attributes you are interested in?
> > >
> > > L
> > Hi, what I am trying to get across is, for adding a unix user,
> > samba-tool does not work in the same way as ADUC does.
> >
> > If you have the attribute 'msSFU30MaxUidNumber' in
> > 
> 'CN=example,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=com'
> > then ADUC will get the uidNumber automatically, if you use samba-tool,
> > you have to supply the uidNumber, ADUC also adds the following 
> attributes:
> > uid, msSFU30Name, msSFU30NisDomain, uidNumber, gidNumber,
> > unixHomeDirectory, loginShell, unixUserPassword
> >
> > I know that I can do what ADUC does with a bash script and ldif's, 
> but I
> > do not know anything about python to alter samba-tool, but I do believe
> > that samba-tool should, when it comes to creating a unix user, work the
> > same as ADUC
> >
> > Rowland
Hi Stephane, have you tried creating a user in ADUC and adding unix 
attributes? if, as I said, you add 'msSFU30MaxUidNumber' windows will 
get the uidNumber automatically.

I know how to script round this using samba-tool, but I feel that when 
creating a unix user, samba-tool should work in just the same way as ADUC.

This is a user created by ADUC:

dn: CN=Test User,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Test User
sn: User
givenName: Test
instanceType: 4
whenCreated: 20131003143825.0Z
displayName: Test User
uSNCreated: 3899
name: Test User
objectGUID:: hWsXjePINUupa6KtGBtMsQ==
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA5aGURJHhLId0AF+HVwQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: testuser1
sAMAccountType: 805306368
userPrincipalName: testuser1 at example.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
pwdLastSet: 130252847060000000
userAccountControl: 512
msSFU30NisDomain: example
uidNumber: 10002
loginShell: /bin/sh
unixexampleDirectory: /example/testuser1
gidNumber: 20513
msSFU30Name: testuser1
unixUserPassword: ABCD!efgh12345$67890
uid: testuser1
whenChanged: 20131003143924.0Z
uSNChanged: 3904
distinguishedName: CN=Test User,CN=Users,DC=example,DC=com

All I had to enter was the user name and password etc and then when I 
moved to the Unix tab, I selected the nisdomain and everything but the 
gid was entered automatically.

samba-tool creates the users SID automatically but not the uidNumber.

Rowland