[PATCH] Add Unix attributes to a user or group in AD
Michael Adam
obnox at samba.org
Mon Nov 16 14:34:55 UTC 2015
Rowland,
I lost track of the most up-to-date patches.
(Scattered over several mail threads, I think.)
Could you please re-send the latest, complete
patchset for this?
Thanks a lot!
Michael
On 2015-11-09 at 11:40 +0000, Rowland Penny wrote:
> On 09/11/15 11:17, Michael Adam wrote:
> >On 2015-11-09 at 09:50 +0000, Rowland Penny wrote:
> >>On 09/11/15 09:40, Michael Adam wrote:
> >>>On 2015-11-09 at 09:11 +0000, Rowland Penny wrote:
> >>>>On 27/10/15 16:01, Rowland Penny wrote:
> >>>>>Hi, the attached patches allow for the adding of Unix attributes to an
> >>>>>already created user or group, they work much in the same way as
> >>>>>'samba-tool user create' does except it requires a user or group that
> >>>>>already exists.
> >>>>>
> >>>>>The first patch allows to get an AD object's DN from its samaccountname
> >>>>>The second allows samba-tool to update a user
> >>>>>The third allows samba-tool to update a group
> >>>>>
> >>>>>I think this is going to be required now that ADUC on win10 doesn't come
> >>>>>with the UNIX Attributes tab.
> >>>>>
> >>>>>Rowland
> >>>>Any chance of a reply to this??? Even if it is 'Go Away' :-)
> >>>Oh, missed it before.
> >>>
> >>>Thanks for the patches!
> >>>That is indeed a must-have feature, imho!
> >>>
> >>>The patches look very good to me in general, just one question:
> >>>Why not allow for selectively setting some of the attributes
> >>>for a user but instead require specifying them all?
> >>Because this is the way it works if you add them when you create a user, it
> >>is also the way ADUC works.
> >Ok, understood when newly adding these attributes.
> >But this command could also be used to later
> >change individual of these attributes, right?
> >
> >But then, the commands should not be called '.. nisadd'
> >but '... setnis' instead, or so.
> >
> >But maybe for the purposes above, we might want
> >individual commands to set the individual attrs?
> >Just brainstorming aloud...
> >
> >>>And we need manpage updates.
> >>Well this could have been said when 'samba-tool user create' was altered to
> >>add the Unix attributes, but I will look into it after the patches are
> >>added.
> >Anyways, you add a new subcommand. Hence a patch to add a
> >description of this new command to the samba-tool manpage
> >would be appreciated.
> >
> >>>And ideally tests.
> >>Ah, never written tests, any pointers ??
> >e.g. python/samba/tests/samba_tool/user.py
> >
> >One cosmetic note:
> >
> >in the second patch, a newline is missing after the first
> >line of the commit message, so the signed-off-by is concatenated
> >with the subject line.
> >
> >
>
> OK, patch to replace the second patch, but this time with the newline.
>
> Rowland
>
>
> From 3897fff2e9cac43cb3d70d731aa30ffd9d660975 Mon Sep 17 00:00:00 2001
> From: Rowland Penny <repenny241155 at gmail.com>
> Date: Tue, 27 Oct 2015 15:44:16 +0000
> Subject: [PATCH 2/3] user.py: update user with nis attributes
> Signed-off-by: Rowland Penny <repenny241155 at gmail.com>
>
> ---
> python/samba/netcmd/user.py | 156 +++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 156 insertions(+)
>
> diff --git a/python/samba/netcmd/user.py b/python/samba/netcmd/user.py
> index 2bc5522..7d39818 100644
> --- a/python/samba/netcmd/user.py
> +++ b/python/samba/netcmd/user.py
> @@ -611,6 +611,161 @@ Example3 shows how an administrator would reset TestUser3 user's password to pas
> self.outf.write("Changed password OK\n")
>
>
> +class cmd_user_nis_add(Command):
> + """Add NIS attributes to a user.
> +
> +This command adds NIS info to a user account in the Active
> +Directory domain.
> +The username specified on the command is the sAMaccountName.
> +
> +Unix (RFC2307) attributes will be added to the user account.
> +Add 'idmap_ldb:use rfc2307 = Yes' to smb.conf to use these
> +attributes for UID/GID mapping.
> +
> +The command may be run from the root userid or another authorized userid.
> +The -H or --URL= option can be used to execute the command
> +against a remote server.
> +
> +Example:
> +samba-tool user nisadd User1 --nis-domain=samdom --uid-number=10005 \
> +--unix-home=/home/User1 --login-shell=/bin/false [--group-name=unixgroup]
> +
> +The example shows how to add RFC2307/NIS attributes to a domain
> +enabled user account.
> +The first four parameters are mandatory.
> +
> +if the parameter '--group-name' is given, then the groups 'gidNumber'
> +will be obtained and used for the users 'gidNumber' attribute, this
> +does of course mean that the group MUST have a 'gidNumber.
> +
> +If the last parameter, '--group-name' & is omitted, the users gidNumber
> +will be set to the gidNumber found in Domain Users.
> +This means that 'Domain Users' MUST have a gidNumber.
> +"""
> + synopsis = "%prog <username> [options]"
> +
> + takes_options = [
> + Option("-H", "--URL", help="LDB URL for database or target server",
> + type=str, metavar="URL", dest="H"),
> + Option("--nis-domain", help="User's Unix/RFC2307 NIS domain",
> + type=str),
> + Option("--unix-home", help="User's Unix/RFC2307 home directory",
> + type=str),
> + Option("--group-name", help="A Unix/RFC2307 enabled AD group",
> + type=str),
> + Option("--login-shell", help="User's Unix/RFC2307 login shell",
> + type=str),
> + Option("--uid-number", help="User's Unix/RFC2307 numeric UID",
> + type=str),
> + Option("--gid-number", help="User's Unix/RFC2307 numeric GID number",
> + type=str),
> +
> + ]
> +
> + takes_args = ["username"]
> +
> + takes_optiongroups = {
> + "sambaopts": options.SambaOptions,
> + "credopts": options.CredentialsOptions,
> + "versionopts": options.VersionOptions,
> + }
> +
> + def run(self, username, credopts=None, sambaopts=None, versionopts=None,
> + H=None, nis_domain=None, unix_home=None, uid_number=None,
> + gid_number=None, group_name=None, login_shell=None):
> +
> + lp = sambaopts.get_loadparm()
> + creds = credopts.get_credentials(lp)
> +
> + samdb = SamDB(url=H, session_info=system_session(), credentials=creds,
> + lp=lp)
> +
> + if None in (nis_domain, uid_number, login_shell, unix_home):
> + raise CommandError('Missing parameters. To enable NIS features, '
> + 'the following options have to be given: '
> + '--nis-domain=, --uid-number, --login-shell=,'
> + ' --unix-home=, Operation cancelled.')
> +
> + domain_dn = samdb.domain_dn()
> + search_filter = "(samaccountname=%s)" % username
> + user_dn = samdb.get_object_dn(search_filter)
> +
> + # what if user already is a NIS user??
> + res = samdb.search(user_dn,
> + scope=ldb.SCOPE_BASE,
> + attrs=["uidNumber"])
> + if "uidNumber" in res[0]:
> + raise CommandError("User %s already is a NIS user." % username)
> +
> + if group_name is not None:
> + # get users primary GID from group_name
> + search_filter = "samaccountname=%s" % group_name
> + group_dn = samdb.get_object_dn(search_filter)
> + try:
> + res = samdb.search(group_dn,
> + scope=ldb.SCOPE_SUBTREE,
> + attrs=["gidNumber"])
> + assert len(res) == 1
> + gid_number = res[0]["gidNumber"][0]
> + except:
> + raise CommandError("Group %s does not have a gidNumber" %
> + group_name)
> +
> + if group_name is None:
> + # set users primary GID to the one from Domain Users
> + du_dn = "CN=Domain Users,CN=Users," + domain_dn
> + try:
> + res = samdb.search(du_dn,
> + scope=ldb.SCOPE_SUBTREE,
> + attrs=["gidNumber"])
> + assert len(res) == 1
> + gid_number = res[0]["gidNumber"][0]
> + except:
> + raise CommandError("Domain Users Group does \
> +not have a gidNumber attribute")
> +
> + if not lp.get("idmap_ldb:use rfc2307"):
> + self.outf.write("You are setting a Unix/RFC2307 UID or GID. \
> +You may want to set 'idmap_ldb:use rfc2307 = Yes' in smb.conf to use those \
> +attributes for XID/SID-mapping.\n")
> +
> + update_user = """
> +dn: %s
> +changetype: modify
> +add: uid
> +uid: %s
> +-
> +add: msSFU30Name
> +msSFU30Name: %s
> +-
> +add: msSFU30NisDomain
> +msSFU30NisDomain: %s
> +-
> +add: uidNumber
> +uidNumber: %s
> +-
> +add: gidNumber
> +gidNumber: %s
> +-
> +add: loginShell
> +loginShell: %s
> +-
> +add: unixHomeDirectory
> +unixHomeDirectory: %s
> +-
> +add: unixUserPassword
> +unixUserPassword: ABCD!efgh12345$67890
> +""" % (user_dn, username, username, nis_domain, uid_number, gid_number,
> + login_shell, unix_home)
> +
> + try:
> + samdb.modify_ldif(update_user)
> + except Exception, e:
> + raise CommandError("Failed to update user '%s': " % username, e)
> +
> + self.outf.write("User '%s' updated successfully\n" % username)
> +
> +
> class cmd_user(SuperCommand):
> """User management."""
>
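Review bot: in run(), username and group_name are formatted straight into the search filters ("(samaccountname=%s)" % username, "samaccountname=%s" % group_name) and, together with nis_domain, uid_number, login_shell and unix_home, into the update_user LDIF text with no escaping or validation, so a value containing filter metacharacters or a newline alters the query or the modify record that is sent. Escape the filter values with ldb.binary_encode(), build the change as an ldb.Message rather than formatted LDIF, and reject a non-numeric uid_number. Three smaller points in the same method: --gid-number is accepted but gid_number is overwritten in both the group_name branch and the Domain Users branch, so the option has no effect; the bare except: around assert len(res) == 1 reports every failure, including a failed search, as a missing gidNumber; and unixUserPassword is written as the same fixed literal for every user, which needs a comment explaining why or should be left out.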
> @@ -624,3 +779,4 @@ class cmd_user(SuperCommand):
> subcommands["setexpiry"] = cmd_user_setexpiry()
> subcommands["password"] = cmd_user_password()
> subcommands["setpassword"] = cmd_user_setpassword()
> + subcommands["nisadd"] = cmd_user_nis_add()
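Review bot: the new key "nisadd" puts the verb last, while the neighbouring keys visible in this context ("setexpiry", "setpassword") put it first and the class itself is named cmd_user_nis_add. Pick one form and use it consistently in the key, the class name and the docstring example.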
> --
> 1.7.10.4
>