samba-tool

Rowland Penny repenny241155 at gmail.com
Sun Oct 6 07:16:24 MDT 2013


On 04/10/13 09:47, Stéphane PURNELLE wrote:
> 1) You say: "if you use samba-tool,
> > you have to supply the uidNumber, ADUC also adds the following attributes:
> > uid, msSFU30Name, msSFU30NisDomain, uidNumber, gidNumber,
> > unixHomeDirectory, loginShell, unixUserPassword"
>
> But this is not correct, if you use samba-tool, you CAN supply some
> supplemental information like:
> uidNumber, gidNumber, unixHomeDirectory, loginShell, ...
>
> if you do:
> $ samba-tool user create rowland
> Samba will do the same thing as ADUC.
>
> All parameters in samba-tool are optional.
>
> 2) Let the administrator have the possibility to manage uidNumber and
> gidNumber outside the AD part.
> My story is an upgrade from samba3
> My samba3 config is samba + ldap.
> I use samba-ldap-tools for adding users and groups.
>
> All user and group xidNumbers are supplied by config in the ldap tree and
> actually start from 1000 -> xxxx
> samba4 starts at 3000000, I don't know why... I cannot change this.
>
> My solution: create a counter file for uidNumber and gidNumber and I
> supply the xidNumber when I create a user or a group with samba-tool.
> And I will not use ADUC for creation (just for managing members of groups).
>
> 3) The only thing that I can suggest to the samba team is adding some
> parameters ("add user script" and "add group script") to smb.conf
> And if a user or group is created by ADUC, samba calls these scripts for
> adding data on the user or group like posixAccount and posixGroup or other
> things.
>
> And add some function to samba-tool to permit setting data for a user or
> group
> Example: $ samba-tool user setParameter stephane --uidNumber=8963
>
>
> -----------------------------------
> Stéphane PURNELLE         Admin. Systèmes et Réseaux
> Service Informatique       Corman S.A.     Tel : 00 32 (0)87/342467
>
> samba-technical-bounces at lists.samba.org wrote on 03/10/2013 21:59:29:
>
> > From: Rowland Penny <repenny241155 at gmail.com>
> > To: Lukasz Zalewski <lukas at eecs.qmul.ac.uk>,
> > Cc: Jelmer Vernooij <jelmer at samba.org>, samba-technical <samba-technical at lists.samba.org>
> > Date: 03/10/2013 21:59
> > Subject: Re: samba-tool
> > Sent by: samba-technical-bounces at lists.samba.org
> >
> > On 03/10/13 20:36, Lukasz Zalewski wrote:
> > > On 03/10/2013 18:15, Rowland Penny wrote:
> > >> On 03/10/13 18:05, Jelmer Vernooij wrote:
> > >>> On Thu, Oct 03, 2013 at 04:04:25PM +0100, Rowland Penny wrote:
> > >>>> just a quick question, if samba-tool does something differently to
> > >>>> the way that windows works, would this be regarded as a bug?
> > >>> Different in what way, can you give a specific example? There is no
> > >>> command-line tool on Windows called 'samba-tool', and
> > >>> we long seem to have given up on trying to make it match
> > >>> the behaviour of the 'net' tool on Windows.
> > >>>
> > >>> Cheers,
> > >>>
> > >>> Jelmer
> > >> Hi Jelmer, If you create a user in ADUC and add the Unix attributes,
> > >> this is done totally differently to the way that samba-tool does it. For
> > >> instance, '--uid-number' requires that you give a 'uidNumber' but ADUC
> > >> (provided AD is setup correctly) supplies it automatically, samba-tool
> > >> also doesn't add all the attributes that ADUC does.
> > >>
> > >> Rowland
> > >
> > > Hi Rowland,
> > > Indeed only portion of the attributes are configurable via samba-tool.
> > > Are there particular attributes you are interested in?
> > >
> > > L
> > Hi, what I am trying to get across is, for adding a unix user,
> > samba-tool does not work in the same way as ADUC does.
> >
> > If you have the attribute 'msSFU30MaxUidNumber' in
> > 'CN=example,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=com'
> > then ADUC will get the uidNumber automatically, if you use samba-tool,
> > you have to supply the uidNumber, ADUC also adds the following attributes:
> > uid, msSFU30Name, msSFU30NisDomain, uidNumber, gidNumber,
> > unixHomeDirectory, loginShell, unixUserPassword
> >
> > I know that I can do what ADUC does with a bash script and ldif's, but I
> > do not know anything about python to alter samba-tool, but I do believe
> > that samba-tool should, when it comes to creating a unix user, work the
> > same as ADUC
> >
> > Rowland
Ok, to get the Windows ADUC Unix tab to work correctly, I needed to add
'msSFU30MaxUidNumber: 10000' and 'msSFU30MaxGidNumber: 10000' to
'CN=example,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=com'.
I suspect that the numbers could be set to whatever you want, but 10000
seems to be the value Windows expects.

If, with the attributes added, you go to a user's Unix tab in ADUC and
select your domain in the drop-down box, everything then gets filled in
automatically, apart from the group, which you have to select from a
list (provided you have any unix groups). After adding the Unix
attributes to the user and creating the user, the attribute
'msSFU30MaxUidNumber' is updated by adding 1 to it.

To do this on the Samba 4 AD server, you have to script around 
samba-tool. First get the value in 'msSFU30MaxUidNumber' then create a 
user with 'samba-tool user add' passing the value you got from 
'msSFU30MaxUidNumber' to '--uid-number=' along with '--uid=<username> 
--unix-home-directory=UNIX_HOME_DIRECTORY' and whatever else you require 
(profile-path etc).

You then need to add the following ldif.

dn: CN=<username>,CN=Users,DC=example,DC=com
changetype: modify
add: msSFU30NisDomain
msSFU30NisDomain: <your domain>
-
add: msSFU30Name
msSFU30Name: <username>
-
add: description
description: A UNIX user

Once the user is created, 'msSFU30MaxUidNumber' needs to be updated to 
the next number.

Now, having shown how it can be done at the moment, I think that
samba-tool should be altered to match the way that Windows ADUC works,
i.e. change '--uid-number=UID_NUMBER' to a switch 'with-uidNumber'. This
switch would then get the required uidNumber from 'msSFU30MaxUidNumber'
and add this, along with the required Unix attributes, to the user, then
update 'msSFU30MaxUidNumber'.

Please do not suggest that I do this myself, because to me, python is a 
type of snake ;-)

Rowland
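
The scripted procedure described in the message above, as an added shell example that is not part of the original mail or of Samba. Helper names, the `/home/<user>` path and the sample search result are assumptions; the input validation and the delete-then-add counter update go beyond what the mail describes, so that a crafted username cannot inject LDIF lines and two concurrent allocations cannot hand out the same uidNumber.

```shell
#!/bin/sh
# Added example. DNs are the mail's example values; helper names and /home/<user> are assumptions.
NIS_DN='CN=example,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=com'
USERS_BASE='CN=Users,DC=example,DC=com'

# Read ldbsearch-style LDIF on stdin; print the counter only if it is a positive integer (never uid 0).
read_max_uid() {
    val=$(sed -n 's/^msSFU30MaxUidNumber: *//p' | head -n 1)
    case "$val" in ''|0*|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$val"
}

# Accept only names that cannot add an LDIF line or a DN component (no newline, comma, '=' or space).
valid_name() {
    case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# The modify LDIF from the mail, filled in for one user ($1) and NIS domain ($2).
user_ldif() {
    valid_name "$1" && valid_name "$2" || return 1
    printf 'dn: CN=%s,%s\nchangetype: modify\n' "$1" "$USERS_BASE"
    printf 'add: msSFU30NisDomain\nmsSFU30NisDomain: %s\n-\n' "$2"
    printf 'add: msSFU30Name\nmsSFU30Name: %s\n-\n' "$1"
    printf 'add: description\ndescription: A UNIX user\n'
}

# Counter update ($1 = value just used) as delete-old-value plus add-new-value in one
# modify, so the directory refuses it when someone else has already moved the counter.
counter_ldif() {
    case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac
    printf 'dn: %s\nchangetype: modify\n' "$NIS_DN"
    printf 'delete: msSFU30MaxUidNumber\nmsSFU30MaxUidNumber: %s\n-\n' "$1"
    printf 'add: msSFU30MaxUidNumber\nmsSFU30MaxUidNumber: %s\n' "$(($1 + 1))"
}

# Constructed sample of a search result for NIS_DN (not real output).
SAMPLE='dn: CN=example,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=com
msSFU30MaxUidNumber: 10000'

# Dry run: print the samba-tool call and both LDIFs for user $1 for review before applying them.
dry_run() {
    valid_name "$1" || return 1
    uid=$(printf '%s\n' "$SAMPLE" | read_max_uid) || return 1
    echo "samba-tool user add $1 --uid-number=$uid --uid=$1 --unix-home-directory=/home/$1"
    user_ldif "$1" example && counter_ldif "$uid"
}
dry_run rowland
```

On a real server the `SAMPLE` text would be replaced by a base-scope search of the ypservers entry, and each printed LDIF would be applied to the directory after the user has been created.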

