Andrew Bartlett abartlet at
Tue Oct 8 20:56:24 MDT 2013

On Sun, 2013-10-06 at 14:16 +0100, Rowland Penny wrote:

> You then need to add the following ldif.
>
> dn: CN=<username>,CN=Users,DC=example,DC=com
> changetype: modify
> add: msSFU30NisDomain
> msSFU30NisDomain: <your domain>
> -
> add: msSFU30Name
> msSFU30Name: <username>
> -
> add: description
> description: A UNIX user
>
> Once the user is created, 'msSFU30MaxUidNumber' needs to be updated to
> the next number.
> Now, having shown how it can be done at the moment, I think that 
> samba-tool should be altered to match the way that Windows ADUC works 
> i.e. change '--uid-number=UID_NUMBER' to a switch 'with-uidNumber', this 
> switch would then get the required uidNumber from  'msSFU30MaxUidNumber' 
> and add this, along with the required Unix attributes to the user, then 
> update 'msSFU30MaxUidNumber'.
> Please do not suggest that I do this myself, because to me, python is a 
> type of snake ;-)

The issue is that msSFU30MaxUidNumber is not magic in any way in AD, and
so if two scripts or users operate at different ends of the company at
the same time, nothing will prevent allocation of duplicate UID values. 

ID mapping is hard. 

The best solution I've seen, but we still have not implemented, is to use
trustPosixOffset on each trusted domain, which is allocated on the
naming master (in Windows AD, Samba doesn't know about it yet), and so
would be unique when combined with an enhanced idmap_rid.

If we ever get that working, we could combine that with writing the
values so calculated into the uidNumber and gidNumber values, to assist
other clients. 

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team 
Samba Developer, Catalyst IT         
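
Added example, not part of the original message or of Samba's code: a Python sketch contrasting the read-then-write msSFU30MaxUidNumber allocation discussed above, which hands out the same UID on two DCs before replication converges, with a deterministic per-domain offset plus RID mapping. The offset-plus-RID formula, the range size, and all SIDs, offsets and function names are assumptions made for illustration.

```python
# Added illustration; replicas, SIDs and offsets below are constructed sample values.

def allocate_from_counter(replica):
    """Read-then-write allocation against one DC's copy of msSFU30MaxUidNumber."""
    uid = replica["msSFU30MaxUidNumber"]
    replica["msSFU30MaxUidNumber"] = uid + 1
    return uid

def counter_race(start=10000):
    """Two admins allocate on different DCs before replication converges."""
    dc_a = {"msSFU30MaxUidNumber": start}
    dc_b = dict(dc_a)                      # replica holding the same starting value
    return allocate_from_counter(dc_a), allocate_from_counter(dc_b)

def split_sid(sid):
    """Split 'S-1-5-21-x-y-z-RID' into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    if not domain.startswith("S-1-5-21-") or not rid.isdigit():
        raise ValueError("not a domain account SID: %r" % sid)
    return domain, int(rid)

def check_offsets(offsets, span):
    """Reject offset tables whose per-domain ranges [offset, offset+span) overlap."""
    ordered = sorted(offsets.values())
    for low, high in zip(ordered, ordered[1:]):
        if high - low < span:
            raise ValueError("overlapping ranges at offsets %d and %d" % (low, high))

def posix_id(sid, offsets, span=1000000):
    """Assumed mapping: id = per-domain offset + RID, with RID < span."""
    check_offsets(offsets, span)
    domain, rid = split_sid(sid)
    if domain not in offsets:
        raise KeyError("no offset for domain " + domain)
    if rid >= span:
        raise ValueError("RID %d outside range of size %d" % (rid, span))
    return offsets[domain] + rid

OFFSETS = {  # constructed: one offset per domain, standing in for trustPosixOffset
    "S-1-5-21-1111111111-2222222222-3333333333": 1000000,
    "S-1-5-21-4444444444-5555555555-6666666666": 2000000,
}

if __name__ == "__main__":
    print("counter on two DCs:", counter_race())
    for sid in ("S-1-5-21-1111111111-2222222222-3333333333-1104",
                "S-1-5-21-4444444444-5555555555-6666666666-1104"):
        print(sid, "->", posix_id(sid, OFFSETS))
```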
